Youth data privacy: Compliance is not enough
This article on youth data privacy and security is the result of Pure & Applied partnering up with Faud Khan to talk about an issue near and dear to his heart – children and their safety and security. Faud is the President and CEO of Twelvedot, a cyber security consultancy that counsels clients in government, education, healthcare, and equipment providers.
Through this article we hope to clarify the level of risk that still exists and the need for a security mindset and systematic development approach on the part of EdTech – a solution Faud Khan and his company TwelveDot have devised.
At Pure & Applied, one core focus is to understand schools, education organizations, schools and society in order to make systemic improvements. We believe that companies are ‘corporate citizens’ and are responsible for the impact they have on their stakeholders, their users, and the environment. We believe that education companies care about the youth they serve and that security breaches of student data have a lot more to do with human error and a lack of information, than they do with intentional malice. We also know that there is a growing bank of educational resources and regulations that standardize data practices to help schools, parents, and education companies protect youth. Our aim here is to increase awareness of these efforts and add to them.
Data privacy may be topical today but the need to protect the rights of families and parents while children are at school dates back to 1974 with the passing of the Family and Education Rights Privacy Act (FERPA). While the aim of FERPA remains the same today, how youth are at risk and what it takes to protect them has changed dramatically since the days of written consent forms where youth themselves were the primary abusers.
As the EdTech industry, for example, innovates to provide better personalized learning solutions for students, the need to collect and produce student data grows, according to the Data Quality Campaign. In order for EdTech to create innovative solutions to support individual student success on a massive scale, student data is needed especially in personalizing learning.
The FBI published this Public Service Announcement (PSA) describing the types of data that may be collected:
“As a result, the types of data that are collected can include, but are not limited to:
Personally Identifiable Information (PII);
Biometric data;
Academic progress;
Behavioral, disciplinary, and medical information;
Web browsing history;
Students’ geolocation;
IP addresses used by students; and
Classroom activities”
This student data allows analyses related to student standing, student progress and specific student needs in relation to standards, competencies or goals to take place. The PSA goes on to describe what can happen if this data falls into the wrong hands, “Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children.” This K–12 Cyber Incident Map informs us that since January 2016 U.S. K–12 public schools have reported 442 cyber security-related incidents including disclosure of personal information, loss of money or time, and in some cases identity theft and criminal charges.
This PSA focuses on informing parents and schools of the risks and encourages them to become informed. Today, “many student data disclosures are caused by human error, like clicking a false attachment in an email or using a weak password. These errors often happen at the local level; however, few districts have the funding or resources to train staff to protect student data.” Cybersecurity policy makers and subject matter experts like Faud Khan agree that parents and schools can only do so much, “the burden of data security really belongs to industry and EdTech companies to ensure that it’s solutions and practices protect students first and foremost.”
To this end, FERPA and COPPA (federal legislation) and SHERPA (state legislation) have established compliance regulations that EdTech companies must adhere to to ensure that student data stays safe. Taking the initiative and showing their commitment to security, many companies and organizations have signed the Student Privacy Pledge (SPP). However the SPP may have its limitations, as Shawn Young – signatory and CEO of Classcraft – shared in a recent interview. The pledge may not be reviewed or updated as frequently as is needed to keep up with requirements for data security. For Faud, the data privacy pledge is all good and well but if companies don’t have a systematic approach then a signature represents nothing more than an empty promise.
That being said, Faud wants to clarify, “this is not about raising the bar, this is about doing what we say we are doing and will do going forward.”
Instead of focusing on supporting schools’ ability to screen for non-compliant EdTech products or focusing on the intentions of EdTech companies, Faud is looking to operationalize security by developing an approach and a process. First, he believes that EdTech companies must build a culture of security because, “schools and government will never be agile enough or have the resources to stay on top of it. It is the responsibility of the EdTech companies to ensure data security and they must take this responsibility seriously.”
Another important point Faud wants to get across is that compliance does not equal security. Compliance does not mean there is no risk. In fact, compliance is the minimum companies can do in the name of student data security.
Companies and schools all have different risk profiles. But we don’t need different frameworks to evaluate them.
According to Faud, another way of committing to student data privacy is to adopt a specific mindset about product development and by creating a culture of security within an EdTech organization. Mindsets are the vehicles for sustainable and evolving change – exactly what an ongoing challenge like data security needs.
The first element of this mindset is about owning and taking responsibility for data security within your own organization. Security, Faud believes, should never be handed-off to a third party. Organizations need to get better with quantifying their cyber risk prior to using any service provider. For example, when EdTech companies say their data is secure because it’s hosted by Amazon or Azure due to a ISO 27001 Certification. For Faud, this is the first sign of trouble as this isn’t a sufficient answer to the question of how secure your data is. Faud believes that this actually only points to a problem with the company’s mindset about data security risk which does not work.
To go beyond thought-leadership and into action, Faud is spearheading a national strategy for cybersecurity by creating a model for assessing companies and products across all sectors.
Faud has worked with standards development organization Canadian Standards Association (CSA) to draft a bi-national standard in Canada and the US including a methodology to assess organizations and the products/services being developed. Currently, there is no other existing framework for this. The proposed framework addresses areas such as how companies develop, how they deal with source code, and how they deal with updates, for example. When it becomes to a bi-national standard - companies will be able to obtain a security label of approval. Faud and his team at have tested their methodology with 10 companies as a part of a pilot. Their goal is to increase security and help companies go to market more quickly through his program. It will also help them build higher quality products. At the end of the day, Faud indicates that, “security is a function of quality”.
