Schools Continue to Struggle as Cybercriminals Continue to Attack. Is Help coming?

The education sector was forced into a more digitally focused way of operating due to the pandemic – and it’s no secret they’re struggling to adapt to the security risks this move has presented. Years later, lawmakers are only now starting to wake up.

In mid-October, Jen Easterly, the Director of the Cybersecurity & Infrastructure Security Agency, listed K-12 schools as one of three “target rich, resource poor” priority sectors for the agency, which is tasked with toughening the country’s cybersecurity infrastructure.

This realization comes after ransomware gang Vice Society attacked the Los Angeles Unified School District and exposed 500 GB of data on the Dark Web after the district refused to pay ransom for the information.

Schools aren’t the only part of the education sector being targeted, though. Vendors that work with schools have become easy targets as well. Illuminate Education was hit by an attack earlier in the year that exposed the data of millions of students across the United States.

Security incidents like these come at great expense and cause learning loss. Students also become more stressed as schools have to shut down or learning resources are stopped while investigations take place and fixes are worked on.

So what’s next? Lawmakers have been taking notice, with an increase in data-related bills affecting education since the start of the pandemic. It’s not clear, however, how effective any new legislative measure will be in solving these cybersecurity problems.

An annual review by nonprofit advocacy group Data Quality Campaign investigated whether this new legislation would be a move in the right direction. It found that 131 new bills were introduced, and 42 were actually put into law. These new laws cover different topics from early childhood to workforce issues.

But are the bills actually effective? If Data Quality Campaign had to give a grade, they’d give them a “B”.

“I think generally things are pretty good,” Taryn Hochleitner, Associate Director for Policy and Advocacy at Data Quality Campaign said. “I think the majority of [bills] we see are kind of like they could have a lot of impact or not, depending on how they’re implemented.”

DQC notes that the bills introduced show that there is a desire to know more about learning environments in the K-12 realm, including those outside of academics.

A lot of bills put a greater emphasis on finding out about school climate, attendance and discipline. As an example, New Jersey passed a bill that makes schools report on the number of mental health professionals they have, as well as how many security personnel they employ.

The bills have also reflected another big trend in education: workforce concerns.

More and more students are starting to question the return they’re getting on their education – essentially meaning that students are becoming increasingly skeptical about whether the cost of a college education will pay off in the workforce. Because of this, legislators are rushing to provide more information on education after high school. Specifically, a bill in Virginia publicizes information including median wages and the cost of schooling for college graduates.

An encouraging trend is being noticed as well – agencies are being required to talk to each other and share data.

When school districts and agencies communicate with each other and share information, they are more likely to be able to stop hacking groups from recycling the same attacks.

Along with agencies and schools communicating with each other, the bills also emphasize bringing the community together on decision-making. “We’re pretty encouraged to see that there was pretty clear focus on non-policymaker audience for data,” Hochleitner says.

But policies alone aren’t always enough. More than a third of the bills add additional responsibilities for districts, schools and postsecondary institutions according to DQC. However, it’s extremely rare for those bills to give schools the resources they need to actually implement those policies. “So we just always want legislators to be thinking about providing support for that capacity – because data requires people,” Hochleitner says.

So with all of this new legislation – will it solve the problem?

Policymakers are just beginning to open their eyes to the magnitude of the situation, according to a prominent voice in this area, Doug Levin, National Director of K-12 Security Information Exchange.

According to Hochleitner, there is often a narrow focus on data privacy issues. The bills expand things like requirements for parental consent on data collection. However, these policies can interfere with schools trying to provide essential services. So far, none of these “parental consent” bills introduced have become law.

School districts – and teachers – are the ones actually using the data, according to Cody Venzke, Senior Counsel for the Center for Democracy in Technology Project. That means that any legislation has to walk the line between protecting student privacy and allowing schools to perform necessary services, Cody says.

One solution the DQC is suggesting is new data collection measures by states. The nonprofit says that the latest legislative measures embrace this approach, as 120 of the bills either specify new data collections or updates to existing ones.

Researchers like Levin worry, though, that building up such troves of data is part of the problem to begin with. State departments of education are targets that historically haven’t been able to protect data.

“In an increasingly politicized country, creating these, essentially, honey pots of highly sensitive information about school community members – students, teachers, parents, families, educators – it’s almost guaranteed that it will be exploited at some point for either personal or political gain,” Levin said.

Also, there is potential for misuse of the data by officials. Venzke’s organization published a report in August suggesting that districts use data to discipline students more often than to keep them safe.

To Levin, this is a problem that educational agencies – especially K-12 schools – need to take hold of, despite the fact that their resources are already stretched thin. “This is not something that somebody else is going to protect them from,” he adds. “There is no internet cop out protecting student data systems that is separate from what the schools are doing.”

There are, however, lessons that can be learned from other sectors, according to Levin.

Disclosure agreements are a good start, he mentions. California just passed a bill requiring states to report incidents affecting more than 500 students. And ultimately, the data collections at the state and regional level need to adopt a “cybersecurity risk management framework,” an approach to handling cybersecurity risk. He notes that there are several nationally recognized ones.


Story via EdSurge
