Public School Governance and Cyber Security: School Districts Provide Easy Targets for Cyber Thieves
Michael A. Alao
Salmon P. Chase College of Law, Northern Kentucky University
Jan 16, 2016
2
Agenda
1. Who cares?
2. The law, school districts, and [lack of?] cyber security
3. How can states improve things?
3
Who cares?
4
Who cares?
Taxpayers
• $500 billion per year on K-12 public schools
• FY 2012 – Ohio school districts spent $18 billion
• FY 2010 – Kentucky: $6.1 billion
• Local funding (e.g., property taxes)
5
Who cares?
Taxpayers
Source: National Center for Education Statistics
6
Who cares?
Criminals prefer vulnerable targets:
• Small businesses
• Local governments
• Public school districts
7
Current Laws
• What makes school districts vulnerable?
1. Regulations do not focus on cyber security
A. Responsibility for SD cyber security
B. Data breach notification laws
C. Liability for bank fraud
D. Government auditing standards
8
Current Laws
• Who has responsibility for SD cyber security?
OH SDs must “take reasonable precautions to protect personal information . . . from unauthorized . . . use or disclosure.”
OHIO REV. CODE ANN. § 1347.05(G).
9
Current Laws
• Who has responsibility for SD cyber security?
1. SD must “appoint one individual to be directly responsible for the system . . .”
2. SD must develop procedures to monitor system for accuracy, relevance, timeliness, and completeness.
OHIO REV. CODE ANN. § 1347.05(A), (F).
10
Current Laws
• Who has responsibility for SD cyber security?
1. SD must “appoint one individual to be directly responsible for the system . . .”
2. SD must develop procedures to monitor system for accuracy, relevance, timeliness, and completeness.
Ohio has 600+ school districts!
11
Current Laws
• Who has responsibility for SD cyber security?
Board of Education
Superintendent
Treasurer
12
Current Laws
• What makes school districts vulnerable?
1. Regulations do not focus on cyber security
A. Responsibility for SD cyber security
B. Data breach notification laws
C. Liability for bank fraud
D. Government auditing standards
13
Current Laws
• Data breach notification laws
14
Current Laws
• Data breach notification laws
– 695 breaches at educational institutions (FYs 2005-13)
  • 11 million records of personal information
– 34 breach incidents at OH colleges and universities
– 6 breach incidents at OH SDs
15
Current Laws
• Data breach notification laws
– OH school districts must report breach incidents (unless exempted) within 45 days of discovery
– Some states exempt state agencies from breach notification laws
– KY does not have a breach notification law (as of July 1, 2013)
16
Current Laws
• Data breach notification laws
– OH school districts must report breach incidents (unless exempted) within 45 days of discovery
• Federal law may preempt state law (e.g., HIPAA)
Law of unintended consequences?
17
Current Laws
• Data breach notification laws
– Do not increase cyber security
– Increase public awareness
– Public can pressure School Boards
18
Current Laws
• What makes school districts vulnerable?
1. Regulations do not focus on cyber security
A. Responsibility for SD cyber security
B. Data breach notification laws
C. Liability for bank fraud
D. Government auditing standards
19
Current Laws
• Liability for Bank Fraud
– EFTA protects individuals only
– Congressional bill to amend EFTA
  • Senator Charles Schumer (D-NY)
  • September 29, 2010
20
Current Laws
• What makes school districts vulnerable?
1. Regulations do not focus on cyber security
A. Responsibility for SD cyber security
B. Data breach notification laws
C. Liability for bank fraud
D. Government auditing standards
21
Current Laws
• Government Auditing Standards
– Sarbanes-Oxley Act – not applicable
– Testing of IT General Controls – not required
22
What can states do?
• Don’t wait for Feds to fix things
1. Add testing of IT controls to annual audits
2. Use financial leverage to
(a) shift liability to banks, or
(b) make banks provide better security and training.