States began adopting data breach laws, such as California’s SB 1386 in 2003. Now, there are laws in all 50 states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. These data breach notification laws require private organizations and government entities (including K–12 public school systems) to notify individuals of a security breach involving their personally identifiable information (PII).
The laws in each state vary in how they define PII, what constitutes a breach, and how and when school districts must communicate breaches to affected parties. Although all the laws are different, they all impose increasing costs. As a result, more and more districts are taking a closer look at purchasing cybersecurity insurance to offset costs or at renewing policies already in place.
School districts must respond to potentially devastating breaches, but breach response is expensive.
Districts may have good reasons to act now. The federal and state governments are becoming more involved with cybersecurity laws and mandates. On October 8, 2021, President Biden signed the bipartisan K–12 Cybersecurity Act into law. Although the act offers little actual reform, it does show Washington’s increasing interest in studying and regulating the space. Added regulation will increase prevention costs for school districts and response costs for insurers, driving higher premiums.
States are jumping in too, particularly in the area of regulating ransomware payments. If districts cannot pay ransoms to quickly retrieve data, they may face longer downtimes and greater response costs. These laws may then affect cyber insurance costs, requirements, and pay-outs. Ultimately, the district must consider the cost of the insurance versus the amount and likelihood of a payout before making a final decision.
What You Need to Do
To take advantage of cybersecurity insurance, a district must meet all the insurer’s specified conditions to receive a payout. Because of the high number of cyberattacks in recent years, insurers are reevaluating their own exposure. Rates are rising, and tighter controls are being put into place. Districts that do not provide sufficient documentation or that apply without the required controls might not receive coverage, may be required to pay higher premiums, or may risk having lower coverage limits for their policy.
The Consortium for School Networking (CoSN) reports that most insurers require that districts have, at a minimum, tools and protocols in place for identification, authentication, authorization, and accountability, as well as a reasonable level of network security, including at least intrusion detection, firewalls, and traffic inspection at the demilitarized zone (DMZ).
A review of several cybersecurity insurance checklists suggests that districts should have the following controls in place if they are preparing to qualify for or request a quote for cyber insurance:
• Remove or reduce administrative rights to shrink the attack surface, and enforce the principle of least privilege.
• Manage all privileged remote sessions from vendors and employees.
• Eliminate unsupported operating systems and platforms.
• Review the environment for indicators of compromise to confirm that none are found. If found, remediate.
• Document the steps taken to detect and prevent ransomware attacks.
• Assign someone to handle all data security.
• Conduct regular security awareness training for all employees.
• Put in place written information security and privacy policies.
• Have a tested business continuity and disaster recovery plan.
• Install antivirus and firewall systems and update them regularly.
• Stay current on updates and patches for all critical information technology systems and applications.
• Back up critical data and systems regularly.
• Require employees and applicable age-appropriate students to use multifactor authentication.
• Require the use of strong passwords and force password changes for employees and age-appropriate students.
Remember, all insurers are different, and some may require additional measures. Further, this list reflects the basic measures that insurers may require; it is not intended to serve as a cybersecurity plan.
Get Informed and Get Help
Data security in schools is a complex problem beyond the narrow scope of this article. To learn more, visit CoSN’s website (www.cosn.org). There, you’ll find a variety of educational technology tools and resources. Also read Eileen Belastock’s 2022 article “Our Biggest Nightmare Is Here” in Education Next.
Keep in mind that a policy that may work for one district may not work for another. Law firms, companies, and organizations offer example policies online that try to “break down” the evolving state laws. But the internet cannot substitute for personalized counsel. The law is constantly evolving and varies widely across states.
A school district attorney, the district’s chief financial officer, and technical and security experts should review any proposed policy to ensure that it meets the district’s needs. It is equally important that those same entities review any renewals for those districts that currently have cyber insurance.