K-12 vendors are key components in all aspects of K-12 education. From operational needs such as attendance and payroll to learning applications for reading, science, and mathematics, vendors ensure school districts operate as efficiently and effectively as possible.
But K-12 vendors are also one of the greatest single sources of cybersecurity vulnerability for schools and districts. The U.S. Government Accountability Office asserted that “cyberattacks carried out directly against edtech vendors […] tend to have an especially severe impact on K-12 because they affect a large swath of students across multiple school districts at the same time.”
In fact, K12 SIX’s annual report asserted that 55 percent of reported school data breaches in 2021 were connected to incidents originating from district vendors.
How can you stay safe? Here are three ways you can better ensure your K-12 vendor selection leads to increased results rather than decreased cybersecurity.
1. Show Me Your Bona Fides
Is your vendor FERPA certified? The Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
What about COPPA certification? The Children’s Online Privacy Protection Act places requirements on operators of websites or online services directed to children under 13 years of age, as well as requirements on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
These two certifications prove that your vendor places high importance on keeping your student data safe. Additionally, requiring recommendations from customers with similar needs is always an excellent idea.
2. Sweat the Details
- Spell out the type of Personally Identifiable Information (PII) collected and what they do with it
- Delete all student data collected ANY TIME you wish
- Detail who at the organization can access student data and what that means
- Offer audit logs for when company staff members access school accounts and/or student data
- Commit to never sharing student information with third parties (including advertisers) except as required to provide their service
- Show their plan in the case of a breach
- Display the granularity of its data encryption
- Provide the location(s) of where on earth the district’s data is stored
- Guarantee that the ownership of PII remains solely with the school district
3. Hope for Security, Plan for a Data Breach
While no K-12 school district expects to be hacked or incur a data breach, the odds of one occurring grow daily. No vendor can guarantee 100% security, but what they can do is detail what they do to actively test their defenses and respond in the event of a cybersecurity breach. A few actions to take:
- Examine the vendor’s incident response plan and ensure it is documented, including the key steps and the cadence at which they are executed
- Require that the vendor undergo a yearly pen test by a third party (“by a qualified third-party vendor” is common language)
- If it matters to the district, ask whether data leaves the State or the U.S.