COVID-19 privacy, hacking threats
The director of the Student Privacy Policy Office at the U.S. Department of Education recently published a blog response to four of the most common questions about federal education privacy laws as they relate to disclosure of information about COVID-19 cases.
- May a school disclose the number of students who have COVID-19 to parents and students in the school community without prior written consent?
- May a school identify a particular student who has COVID-19 to parents and students in the school community without prior written consent?
- May a school disclose the number of students who have COVID-19 in order to provide general health data to the public (including the media) without prior written consent?
- May a school identify a particular teacher or other school official as having COVID-19?
- Answers to these questions as well as a link to guidance about similar topics published in March 2020 can be found at https://blog.ed.gov/2020/09/may-schools-disclose-information-cases-covid-19/.
As if COVID-19 were not enough, schools also face threats of hackers. Business Insider and the Associated Press reported that Las Vegas’ largest public school district faced a ransomware attack this fall. Ransomware attack is when a hacker gains accesses to and encrypts data, making it inaccessible to the victim. Then, the hacker demands the victim pay money to regain access. When the district refused to pay the ransom, the hackers posted the personal information of students and staff on the internet. This information included student grades, names, social security numbers, and addresses. The full article can be found at https://www.businessinsider.com/hacker-publishes-students-grades-private-info-after-demanding-ransom-2020-9