Blame Your Principal for the Data Breach
Recently, a principal in the Chicago Public Schools made a mistake that would alter his career trajectory. He revealed confidential learner info and personnel data to comply with a Freedom of Information Act request. He shared a Google Drive folder containing learner names, races, grades, special education eligibility, and email addresses. It also included educator evaluations.
When the district discovered what had happened, they recommended this principal’s immediate termination. A little transparency goes a long way. Too much openness can get you fired.
Administrators who willingly share personal info violate state and federal laws regarding data privacy. More than likely, they also disregard local district policy. The repercussions can be huge.
Steps to Avoid the Data Breach
Schools are not immune to the threat of data breaches. They are often targets. There are steps every principal should take to protect personal and confidential data at the campus.
· Strengthen password requirements. By now, no one should be using “password” as their password. Instead, most sites require combinations of upper and lower case letters, numbers, and symbols.
· Encrypt your data. Encryption protects confidential data, making it far more difficult to find and extract sensitive info.
· Train your employees. Don’t expect your educators to know how to treat private data or respond to potential breaches. Teach them what they need to know and be able to do.
· Retrain your employees. Showing all your employees how to protect data is not enough. Review protocols at every faculty meeting.
· Use a virtual private network (VPN). Educators who travel or work offsite access confidential info through cloud-based storage apps. If they are using a public network, anyone else on it can view and collect the data they're looking at. A VPN acts like a security screen. It keeps outsiders from seeing in.
· Review your district’s insurance plan. Many districts cannot sustain the high losses that go with data breaches. Not only will you need additional human resources to react to the breach, but you could also be facing fines and costly litigation expenses.
Even with the best protocols and practices, a data breach can still occur.
Unless you purposefully and willingly committed a crime, you won’t be held liable for the data breach itself. Where many campus administrators get in trouble, however, is in how they handle the breach after it’s happened.
Did you get the notice?
In Texas, the Texas Association of School Boards (TASB) inadvertently posted the confidential and personal info of thousands of schools’ employees online. A Pearson data breach affected 13,000 schools and an untold number of educators and learners. Neither TASB nor Pearson sent out notification letters; they can’t tell you exactly who might have been affected.
Anyone affected by a data breach should be informed in writing.
If there has been a data breach at your campus, you must take swift action to notify potential victims. Forty-seven states have adopted breach notification protocols, and many of these states have made changes in how quickly victims must be notified. Failure to comply and take action could land principals in just as much hot water as their former colleague from Chicago.
If a data breach happens at your school, initiate the protocol for notification immediately. Failure to do so could jeopardize your career and the futures of your learners.