Before the pandemic, school districts with dedicated data privacy professionals on staff was rare. Districts may have shown interest in a role like that being created, however most did not have the resources or desire to create the position.

Fortunately for Baltimore County Public Schools, there was a professional in a data privacy role before the pandemic. According to school leadership in the district, the role was proactively created due to the community’s increasing concern that technology was creating an increased privacy risk.

Despite the district being proactive in their approach to handling cyber risk, they still suffered a ransomware attack in 2020.

Since the attack in 2020, Baltimore schools have increased their IT budget by $12.5 million, and have hired both a chief data officer and a chief privacy officer. The state of Maryland as a whole has passed governance that requires schools to create guidelines on how districts would approach the issue of data privacy.

Maryland – and more specifically Baltimore – learned their lesson. The rest of the nation still needs to catch up as far as taking cybersecurity and data privacy more seriously.

The need for schools to devote resources to data privacy is more apparent than ever. Ransomware attacks are more prevalent and with the increase in devices and tech programs since the pandemic, schools are a much more lucrative target than they already were.

More and more states are, or are considering, mandating data privacy officers as an essential part of student privacy regulation. However in most cases these mandates have not produced an actual change. According to Linnette Attai, a data privacy expert and president at consulting firm PlayWell, LLC, it’s still uncommon for schools districts to have a dedicated person for data privacy.

Even in states like California where having such a professional on staff is required by law, the schools don’t always have a dedicated person on staff. Instead, the jobs are often delegated to several members of the already existing staff as “extra duties”.

“In practice, it tends to fall apart,” Attai says.

Even though there are laws mandating someone on staff, schools are not equipped with the resources or information they need to be able to do accomplish this. Attai continues that “it can amount to states saying ‘do better’ without explaining to districts how or what that would even look like.” Some states don’t even define what the role of a data privacy officer would even do.

As a result, the staff that is asked to fulfill these duties as extra work don’t have the proper training to execute the role. It’s better than nothing, but it could become difficult in situations where staff members need to manage new laws or contracts that arise.

Whether it’s because of budgetary concerns, hesitancy to create the roles, or just the fact that the they don’t know the best way to proceed, schools do need to recognize that data privacy is something that needs to be dealt with, and before it’s too late.

Story via EdSurge