Policy
Cybersecurity attacks are on the rise
Federal, state and local resources are needed to protect LEA data systems
Cybersecurity is the practice of protecting against the criminal or unauthorized use of electronic data, including electronic systems and communications. Living in the 21st century means much of our data is stored in computer systems and networks, and school districts and county offices of education are no exception. As recent incidents have demonstrated, local educational agencies should take measures to ensure this information is protected to the highest degree.

According to the federal Government Accountability Office (GAO), K-12 schools around the nation have reported considerable educational impact due to cybersecurity occurrences, such as ransomware attacks. Cyberattacks can result in monetary losses for affected schools due to the downtime and resources needed to recover from incidents.

According to a report from the GAO, “officials from state and local entities reported that the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months.” While the precise national significance of cyberattacks on K-12 schools is unknown, research organization Comparitech reported that the number of students affected by ransomware attacks between 2018 and 2021 peaked in 2020 with 1,196,000 affected students.

The GAO report is especially salient in light of the recent Los Angeles Unified School District cyberattack, in which hackers leaked 500 gigabytes of stolen data, which was posted to a dark web leak site and appeared to contain personal identifying information, including passport details, Social Security numbers and tax forms. The published data also contained confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students.

The GAO report reflects on the escalating nature of K-12 cyberattacks and criticizes the federal response, citing the need for better coordination between the federal level and K-12 districts. Unfortunately, there are no federal guidelines to assist LEAs with these types of attacks. The GAO formally recommended that the U.S. Department of Education create a collaborative council or find another way to ensure school safety. In response, the Education Department told the GAO it had begun informal coordination with other agencies and promised to explore what kinds of metrics would be best for assessing the effectiveness of its cybersecurity resources.

At the state level, the California Cyber Security Integration Center (Cal-CSIC) has issued a quick reference guide for additional cybersecurity protocols, such as providing management for computer protection, scammers, anti-malware and productivity tools. These tools could help alleviate the stress of disaster recovery and support the goal of protecting student and staff information within school districts. For a summary of these steps and more resources and links, visit www.CalOES.ca.gov/cyber.

CSBA recognizes the threat to operations, privacy and disruptions to student learning that these cyberattacks pose. Therefore, one of the association’s budget advocacy priorities for 2023 is funding dedicated to cybersecurity for TK-12 schools.

To reflect recent legislation on cybersecurity, CSBA updated sample Board Policy/Administrative Regulation 0450: Comprehensive Safety Plan and BP/AR 3515: Campus Security, which are available in the December 2022 Policy Update Packet.

Additionally, CSBA has several sample policies that address student and staff privacy, including:

  • BP 1112 – Media Relations
  • BP 1113 – District and School Web Sites
  • BP 1114 – District-Sponsored Social Media
  • AR 1340 – Access to District Records
  • BP 1400 – Relations Between Other Governmental Agencies and The Schools
  • BP/AR 3580 – District Records
  • BP 4040 – Employee Use Of Technology
  • BP/AR 5022 – Student and Family Privacy Rights
  • AR 5125 – Student Records
  • AR 5125.1 – Release of Directory Information

These policies provide a good starting place when considering cybersecurity and can serve as part of a long-term strategy to make up for learning loss as a result of a cyberattack.