The capabilities and efficiencies brought on by the digital revolution of the last quarter century have dramatically changed how districts provide access to instructional materials, submit homework, take assessments, hire teachers, construct budgets, provide health services, and communicate. The maturation of processing power combined with the expansive connectedness of the internet–something that was only possible in science fiction forty years ago–have created an infrastructure that is the foundation for school operations. 

This transformation has not only impacted how we interact in school today, it is changing the way that we keep records–a foundational part of district functions. In most instances, paper records, once a mainstay of school operations–have become increasingly scarce. And, districts are digitizing paper records of the past for continued retention. These changes have tremendous benefits including ease of access, cost savings, search and analysis capabilities, and reduced volume of space needed for preservation. Unfortunately, these benefits have greatly increased the risk of having data and records stolen and data privacy and security has become a top priority for schools and districts as they implement new programs and processes. 

District Concerns & Risks

Every day, districts add or change interconnected systems and capabilities such as online applications, digital assets, and data systems to increase the functionalities supporting teaching and improving operations. Each of these connections adds risk. These include data theft, system hijacking, and ransomware attacks. A 2024 survey of K-12 district administrators reported that 73% anticipated, already had, or were in the process of, securing cyber incident insurance. This cost reduces the operating funds available for teacher pay, student interventions, or new instructional initiatives. These expenses are not trivial: the Davis School District in Oklahoma, with just under a 1,000 students, experienced over a 300% increase from 2020 to 2022 with costs rising to $290 per student. This is on top of information technology expenditures to prevent cyber attacks. The cost of recovery is much higher and rising almost as steeply, more than doubling in 2024 from 2023 to an average of $3.76 million.

Data Security Breaches in the Headlines

Unfortunately, these risks are real and based on lived experiences of districts around the country. There have been several major cyber attack incidents in the last few years that have compromised student, parent, and employee data. Raptor Technologies, a national provider of school safety and visitor management software, experienced a breach in December 2023, exposing over four million records including personal identity, medical and court records, and information on school safety plans. In 2024, PowerSchool reported a breach that exposed millions of student records from across the country that included social security numbers, date of birth, and additional personally identifiable information. Also in 2024, the Los Angeles Public School system reported that one of its vendors had information stolen through its cloud storage with the reported intent to sell student and employee data. And this was followed just a month later with LAUSD shutting down its AI chatbot for the community, known as ED, due to serious security concerns with its vendor partner who subsequently shuttered its operations. The lessons learned from these, and the thousands of other breaches that have occurred, is that districts must closely examine the cybersecurity posture of its partners beyond training its community on digital safety behaviors.

Questions to Consider in Choosing a CCR Platform

Examining the cybersecurity practices of college and career readiness (CCR) platform providers can be challenging for even technical experts, and it is often overwhelming for the administrative and counseling staff who evaluate systems based on how best to support students in their postsecondary preparations and transitions. Working closely with the district’s information technology and procurement teams, CCR practitioners should be aware of the district’s specific requirements and expect that CCR platform providers meet these minimums and transparently share how they address national best practices. Below there are a number of best practices that CCR practitioners can include during the procurement process or ask existing partners as they bring these critical CCR resources to their students. 

• How do they ensure compliance with data privacy laws including FERPA, HIPPA, COPPA, and parental control legislation? 
• What, if any, data usage beyond the providing of services to the district does the vendor engage with internally and with 3rd party partners? This information is often in the vendor's privacy and data sharing policies.
• What forms of data protection and encryption does the vendor use for data storage, processing, and transmission?
• What forms of penetration and vulnerability testing does the vendor use? How often are these tests conducted? Do they engage an independent third party auditor for reviewing their cybersecurity practices?
• Do they practice data minimization of only gathering necessary information and how do they define necessary? What is their data retention policy for student data no longer enrolled in the district?
• What cloud services and security measures do they utilize? Where are the data servers which store your district’s data (i.e., is it local to the district, in the same state, in the United States, or stored out of the country)?
• What user credentials and authentication processes does the vendor use? Do they enable multi-factor authentication for users?

Educating the Community on Data Security

In addition to selecting a CCR platform, or other digital provider, that meets cybersecurity best practices, it is important for districts to educate all community members on what they can do to reduce the risk of a cybersecurity incident.  Fortunately, there are resources available for districts to reference.

• The US Government’s Cybersecurity & Infrastructure Security Agency provides resources and an on-line toolkit for K-12 institutions.  
• The US Department of Education maintains a site with recommendations, resources, and ways to report cybersecurity incidents.
• SchoolSafety.gov provides best practices, including trainings for students and teachers, in cybersecurity.
• The national organization CoSN provides resources on cybersecurity for K-12 systems.

Being Proactive is the Best Approach

Robust CCR platforms are designed to empower students to make well-informed decisions on their postsecondary transition and to help them access financial and support resources that can support their choices.  Because of this, they have the power to transform what is possible for countless students. But in order to realize these benefits, these platforms must gather, store, and process data that demands utmost security from the platform provider. 

In many ways, cybersecurity risk considerations for a 21st Century CCR platform follows Ben Franklin’s sage advice from almost 300 years ago that “an ounce of prevention is worth a pound of cure.” Taking the time to know what questions to ask, features to expect, and relationship to establish regarding cybersecurity between the district and provider will help protect the student data, the district’s reputation, and reduce the premiums on cyber incident insurance. 

‍