Here are three ways you can better ensure your K-12 vendor selection leads to increased results rather than decreased cybersecurity

K-12 cybersecurity vendors: Is the threat already in your house?

K-12 vendors are key components in all aspects of K-12 education. From operational needs such as attendance and payroll to learning applications for reading, science, and mathematics, vendors ensure school districts operate as efficiently and effectively as possible.

But K-12 vendors are also one of the greatest single sources of cybersecurity vulnerability for schools and districts. The U.S. Government Accountability Office asserted that “cyberattacks carried out directly against edtech vendors […] tend to have an especially severe impact on K-12 because they affect a large swath of students across multiple school districts at the same time.”

In fact, K12 SIX’s annual report asserted that 55 percent of reported school data breaches in 2021 were connected to incidents originating from district vendors.

How can you stay safe? Here are three ways you can better ensure your K-12 vendor selection leads to increased results rather than decreased cybersecurity.

1. Show Me Your Bona Fides

Is your vendor FERPA certified? The Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

What about COPPA certification? The Children’s Online Privacy Protection Act places requirements on operators of websites or online services directed to children under 13 years of age, as well as requirements on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

These two certifications prove that your vendor places high importance on keeping your student data safe. Additionally, requiring recommendations from customers with similar needs is always an excellent idea.

2. Sweat the Details

We see them every day: Privacy Policies and Terms of Service. And while downloading a new photo editing app for your smartphone often involves skimming these two documents, if even that, they are critical for K-12 cybersecurity. Here is a non-comprehensive list of what to look for in the Privacy Policy and Terms of Service. The vendor should:

  • Spell out the type of Personally Identifiable Information (PII) collected and what they do with it
  • Delete all student data collected ANY TIME you wish
  • Detail who at the organization can access student data and what that means
  • Offer audit logs for when company staff members access school accounts and/or student data
  • Commit to never share student information with third parties (including advertisers) except as required to provide their service
  • Show their plan in the case of a breach
  • Display the granularity of its data encryption
  • Provide the location(s) of where on earth the district’s data is stored
  • Guarantee that the ownership of PII remains solely with the school district

3. Hope for Security, Plan for a Data Breach

While no K-12 school district expects to be hacked or incur a data breach, the odds of one occurring grow daily. No vendor can guarantee 100% security, but what they can do is detail what they do to actively test their defenses and respond in the event of a cybersecurity breach. A few actions to take:

  • Examine the vendor’s incident response plan and ensure it is documented, including the key steps and the cadence at which they are executed
  • Require that the vendor conduct a yearly pen test by a third party (“by a qualified third-party vendor” is common language)
  • If the district cares, ask whether data leaves the State or the U.S.
