While data breaches at Equifax, Yahoo, Anthem and Target have made the national news, data breaches at school districts are not as widely publicized. Schools are a treasure trove of children’s personally identifiable information (PII) (e.g., name, address, Social Security number) and protected health information (PHI), as well as the PII and PHI of faculty and payment card information (e.g., debit and credit card numbers) of parents. Schools are particularly vulnerable to attack because districts with scarce funds must devote them to education, and cannot always divert precious resources to cybersecurity. However, economizing on cybersecurity can be shortsighted. The Federal Trade Commission (FTC) reported that identity thieves often steal children’s information from schools, noting that a child’s identity is attractive to thieves because it is a “clean slate,” enabling a thief to use a child’s Social Security number to obtain employment, government benefits, or credit without detection until the child is of age to obtain credit. See Prepared Statement before the Subcommittee on Social Security of the House Committee on Ways and Means on Child Identity Theft Field Hearing Plano, Texas Sept. 1, 2011.
Hackers have victimized a number of school districts. In 2013, Newsday reported that personal data of a number of students in the Sachem School District, in Suffolk County, was posted to an online forum, allegedly by a 17-year-old student in the district. Candice Rudd et al., “Holbrook teen pleads not guilty to hacking charge,” Newsday (Nov. 23, 2013). USA Today reported on March 24, 2015, that the Swedesboro-Woolwich School District, in New Jersey, was held ransom by hackers. Although the school did not pay the ransom, it lost the use of its systems and had to delay certain web-based testing until its network was rebuilt. Carly Romalino, “Cyberattack disrupts school testing,” USA Today (March 24, 2015).
