Students are back in the classroom, but elevated privacy and data breach risks remain. How many programs or digital procedures adopted during the pandemic are now part of your ‘new normal’?

Even though students and teachers are back in the classroom, changes to processes and new programs adopted during the pandemic continue to be used commonly across schools.

There has been a significant increase in schools experiencing privacy and data breaches during and following the COVID-19 pandemic. In 2020, 84 data breaches were reported to the Office of the Australian Information Commissioner (OAIC) in the education sector alone. It stands to reason that many more occurred, and did not require reporting (or were not otherwise reported).

Adopting remote learning platforms and administrative tools means the information collected by schools about students, parents, guardians and staff is increasingly digital. With large amounts of valuable information assets, schools face an increasing risk of inadvertent breaches or sophisticated ransomware and hacking attacks.

Privacy and data breaches have many risks and consequences for schools.

  • Repeated privacy or data breaches, or a poorly handled breach, may cause parents or students to lose faith in the school when enrolments are already tenuous due to economic conditions caused by the pandemic.
  • Schools may also face negative publicity and embarrassment.
  • Further consequences involve insurance claims, increased insurance premiums and investigations by the regulator.

Human error caused public access to a school roll

Human error was the leading source of data breaches in the education sector in July to December 2020, causing 25 of the 40 eligible data breaches (or 62.5%) notified to the OAIC under its data breach reporting scheme. The most common human error data breach was caused by personal information being sent to a wrong email recipient: 14 out of 25.

Moores recently helped a school respond to a privacy breach. The school had introduced a new digital roll system, which was inadvertently made public when the old system was deactivated. The cause was human error in the security settings. Publicly accessible personal information about students and parents included names, postal addresses, phone numbers and, in some cases, Medicare numbers.

Moores helped the school investigate and respond to the breach. The privacy breach was an eligible privacy breach so the school was required to report the breach to the OAIC. Moores helped the school submit the required notification to the OAIC and advised on damage mitigation and system improvement. Fortunately, considering the mitigation steps and procedures Moores helped the school implement, the OAIC did not take further enforcement action.

Malicious breaches like ransomware attacks are cyber-crimes

The volume and value of information collected digitally by schools significantly increased due to the pandemic. This puts schools at a greater risk of malicious breaches like ransomware attacks. Moores recently helped a school respond to a ransomware attack by offering initial guidance as to immediate steps, including reporting the ransomware attack to Victoria Police as a cyber-crime. The school also sought assistance from a forensic IT company.

Did you know? Ransomware attacks or hacking are still considered the school’s fault and are treated in the same way as breaches caused by the school. This means you have the same privacy obligations for inadvertent breaches, like the digital roll example, or malicious breaches, like ransomware attacks.

Moores observed an increase in ransomware attacks throughout the pandemic. COVID-19 creates a perfect storm of conditions: depressed economic circumstances, criminal groups using COVID-19 themes for phishing attacks, disruption or delay in usual processes for IT security and working from home arrangements.

Other common methods of malicious privacy or data breaches in the education sector in 2020 were hacking, phishing and brute-force attacks with compromised credentials. The OAIC was notified of 9 of these cyber incident breaches in July to December 2020.

Responding to breaches when they do arise

When your school becomes aware of a privacy or data breach, you may respond by taking the following steps:

  1. Contain the breach and conduct a preliminary assessment
  2. Evaluate the risks associated with the breach. What information was disclosed or accessed? Who has been affected?
  3. Notification: You may notify the OAIC and affected individuals of an eligible data breach. Even where it is not an eligible data breach (requiring OAIC notification), you may still decide to notify affected individuals so they can take steps to protect themselves from potential consequences of the breach.
  4. Review and prevent future breaches.

Moores has published more advice about how to run an internal privacy investigation.

A data breach response plan will help you navigate these steps. Having a concrete data breach response plan equips schools to confidently respond to, investigate, contain and prevent breaches. Is your data breach response plan up-to-date? If not, Moores is able to assist you with preparing or amending this crucial document.

Managing the increased risk of privacy and data breaches

More digital content in schools, in the classroom and for administration, means an increased risk of privacy and data breaches. This risk is from both inadvertent human error and malicious activity or attacks.

Schools have an obligation to take reasonable steps to protect the personal information they hold from unauthorised access or disclosure. With increased adoption and use of technology in education, the digital information assets of schools are growing exponentially. With this, the risk of privacy and data breaches is significantly greater, explaining the spike in breaches following COVID-19.

The role of Privacy Impact Assessments

Schools should reflect on programs, technologies and procedures adopted during the pandemic. While it may feel like 2020 was long ago, it is important to now take a step back and consider the emergency steps taken to manage education in the pandemic, and future proof those solutions from the increasing risk of privacy and data breaches. This reflection should consider privacy and information security implications and protections. It may be useful to conduct Privacy Impact Assessments, or a review of the information lifecycle throughout the school. To implement reasonable protections against breaches – both inadvertent and malicious – schools first need to understand where data is stored and how it is used from collection through to destruction. This is the information lifecycle.

Moores has free step-by-step instructions for a 5 Minute Privacy Impact Assessment for Remote Learning to help schools reflect on their remote learning set-up and its privacy implications. The OAIC says it is never too late to conduct a PIA.

Training is critical

Training and information are important steps to protect a school against privacy and data breaches – partly because the most common breach is caused by sending an email to the wrong email address.

Schools should offer up-to-date privacy training to staff that reflects the new technologies now adopted in the classroom and across schools post-pandemic. For example, staff training might explain the importance of using prescribed programs, technologies and devices to avoid inadvertent breaches or hacking of school information. Ransomware attacks are significantly more successful on home IT systems due to weaker controls and a higher likelihood of users clicking on ransomware lures outside of a professional environment on a personal device.