The software that many school districts use to track students’ progress can record extremely confidential information on children: “Intellectual disability.” “Emotional Disturbance.” “Homeless.” “Disruptive.” “Defiance.” “Perpetrator.” “Excessive Talking.” “Should attend tutoring.”
Now these systems are coming under heightened scrutiny after a recent cyberattack on Illuminate Education, a leading provider of student-tracking software, which affected the personal information of more than a million current and former students across dozens of districts — including in New York City and Los Angeles, the nation’s largest public school systems.
Officials said in some districts the data included the names, dates of birth, races or ethnicities and test scores of students. At least one district said the data included more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.
Chicago Public Schools, the nation’s third-largest district.
Now some cybersecurity and privacy experts say that the cyberattack on Illuminate Education amounts to a warning for industry and government regulators. Although it was not the largest hack on an ed tech company, these experts say they are troubled by the nature and scope of the data breach — which, in some cases, involved delicate personal details about students or student data dating back more than a decade. At a moment when some education technology companies have amassed sensitive information on millions of school children, they say, safeguards for student data seem wholly inadequate.
“There has really been an epic failure,” said Hector Balderas, the attorney general of New Mexico, whose office has sued tech companies for violating the privacy of children and students.
In a recent interview, Mr. Balderas said that Congress had failed to enact modern, meaningful data protections for students while regulators had failed to hold ed tech firms accountable for flouting student data privacy and security.
outpacing protections for students’ personal information. Lawmakers rushed to respond.
Since 2014, California, Colorado and dozens of other states have passed student data privacy and security laws. In 2014, dozens of K-12 ed tech providers signed on to a national Student Privacy Pledge, promising to maintain a “comprehensive security program.”
Supporters of the pledge said the Federal Trade Commission, which polices deceptive privacy practices, would be able to hold companies to their commitments. President Obama endorsed the pledge, praising participating companies in a major privacy speech at the F.T.C. in 2015.
The F.T.C. has a long history of fining companies for violating children’s privacy on consumer services like YouTube and TikTok. Despite numerous reports of ed tech companies with problematic privacy and security practices, however, the agency has yet to enforce the industry’s student privacy pledge.
In May, the F.T.C. announced that regulators intended to crack down on ed tech companies that violate a federal law — the Children’s Online Privacy Protection Act — which requires online services aimed at children under 13 to safeguard their personal data. The agency is pursuing a number of nonpublic investigations into ed tech companies, said Juliana Gruenwald Henderson, an F.T.C. spokeswoman.