Navigation Bar About the Project

Understanding the Issues

Cyber Security Leadership Responsibilities

The primary responsibility of a school district is the education of its students. But in order for the educational process to succeed, district leaders – Principals, Superintendents, School Boards or Committees – also have to deal with many other issues, including protecting personal safety and facility security.

From the time students get on to a school bus or walk onto school grounds to the moment they leave school property, district leaders know they are legally, morally, professionally, and politically responsible for those children’s safety. Baring some totally unforeseeable act of nature there are simply no excuses for not implementing reasonable levels of preventative planning and action.

Similarly, district leaders know they are responsible for the security of their physical plant – both in order to protect the buildings and equipment the district uses and because an insecure facility opens the door for attacks on student safety. There is no question that school property must be protected from unauthorized use.

Cyberspace may be an invisible, virtual world. But like the school library, it is a place through which students pass and in which they do various kinds of work. Protecting individual safety and facility security is just as important in cyberspace as it is in the physical space of the school building. The same level of leadership concern, attention, and supervision is required to ensure safety and security in both physical and electronic locations.

Schools contain increasing amounts of sensitive data such as social security numbers, birth dates, home and email addresses, health records, grades, immigration status and passport numbers, and more. Increasingly, government reporting requirements and the need for more evidence-based decision-making are forcing schools to centralize this data in electronic formats. This makes the data more useful. It also makes the data more accessible, not always by the intended people for the intended reasons.

In one respect, cyberspace presents an even more serious level of potential legal liability than most school buildings. Unless a district takes adequate steps to enhance security, it is possible – and not uncommon – for criminal or anti-social groups to secretly take control of key components of a school’s technology infrastructure and use these facilities to launch disruptive and illegal attacks on others. It is as if a violent gang had set up headquarters in the school’s teacher lounge and was terrorizing the neighborhood.

Failure to protect a system’s cyber security can result in disruption of classroom and administrative functions, severe damage to individuals, loss of public support, and serious legal violations. Simply saying “we didn’t know” is not a good defense. Simply telling someone else to “take care of the situation” is not enough. It is the responsibility of leadership to know – and to act. Leaders need to become informed, mobilize the needed teams, push for appropriate testing and planning, secure the resources and supervise the implementation, and follow up to ensure that risk reduction efforts had the desired results.

An overview of leadership’s Legal Responsibilities

Cyber Security is an extremely new and rapidly evolving field of law, regulation, and court decisions. Very little has been written from a strictly K-12 perspective. However, the higher education community has developed resources that are of potential use for K-12 leaders. Unfortunately, in addition to being oriented to higher education, these documents almost always take a national perspective and there are many significant variations in state – and even local – laws, regulations, and court decisions.

If your state Principals’, Superintendents’, or School Board Association has not yet done so, it would be wise to ask them to commission a legal analysis of the K-12 relevant aspects of state law concerning cyber security and cyber safety issues. In the meantime, the following links can provide a starting point.

EDUCAUSE is a higher education resource and support organization. They have prepared a whitepaper on "IT Security for Higher Education: A Legal Perspective"
http://www.educause.edu/ir/library/pdf/CSD2746.pdf

EDUCAUSE also published a book "Liability for Negligent Security: Implications for Policy and Practice" which contains a chapter on cyber security issues:
http://www.educause.edu/ir/library/pdf/ERM0354.pdf

EDUCAUSE has also developed short resource pages on the following topics:

Identity Theft
http://www.educause.edu/issues/issue.asp?issue=idtheft

SPAM and the Regulation of Commercial Email
http://www.educause.edu/issues/issue.asp?issue=spam

Planning for the Elimination of Social Security Numbers as Primary Identifiers
http://www.educause.edu/issues/issue.asp?issue=ssn

Gramm-Leach-Bliley Act of 1999
http://www.educause.edu/issues/issue.asp?issue=glb

Health Insurance Portability and Accountability Act of 1996
http://www.educause.edu/issues/issue.asp?issue=hipaa

Privacy in a Networked Environment
http://www.educause.edu/issues/issue.asp?issue=privacy

 

  
A Leadership Initiative of CoSN
Home Project Overview About the Project Executive Summary Conference Handouts & Slides Press Releases For Superintendents & Policy Makers For Technology Leaders Share Your Story Free Newsletter Contact Us Join CoSN