public school governance and cyber security v 2

1

Public School Governance and Cyber Security: School Districts Provide Easy Targets for Cyber Thieves

Michael A. AlaoSalmon P. Chase College of LawNorthern Kentucky University

2

Agenda

1. Who cares?

2. The law, school districts, and [lack of?] cyber security

3. How can states improve things?

3

Who cares?

4

Who cares?

Taxpayers

• $500 billion per year on K-12 public schools• FY 2012 -Ohio School Districts spent $18 billion• FY 2010 – Kentucky: $6.1 billion• Local Funding (e.g., property taxes)

5

Who cares?

Taxpayers

Source: National Center for Education Statistics

6

Who cares?

Criminals prefer vulnerable targets:

• Small businesses• Local governments• Public school districts

7

Current Laws

• What makes school districts vulnerable?

1. Regulations do not focus on cyber security

A. Responsibility for SD cyber securityB. Data breach notification lawsC. Liability for bank fraudD. Government auditing standards

8

Current Laws

• Who has responsibility for SD cyber security?

OH SDs must “take reasonable precautions to protect personal information . . . from unauthorized. . . use or disclosure.”

OHIO REV. CODE ANN. § 1347.05(G).

9

Current Laws• Who has responsibility for SD cyber security?

1. SD must “appoint one individual to be directly responsible for the system . . .”

2. SD must develop procedures to monitor system for accuracy, relevance, timeliness, and completeness.

OHIO REV. CODE ANN. § 1347.05(A), (F).

10

Current Laws


1. SD must “appoint one individual to be directly responsible for the system . . .”

2. SD must develop procedures to monitor system for accuracy, relevance, timeliness, and completeness.

Ohio has 600+ school districts!

11

Current Laws


Board of Education

Superintendent Treasurer

12

Current Laws




13

Current Laws

• Data breach notification laws

14

Current Laws


– 695 breaches at educational institutions (FY’s 2005-13)• 11 million records of personal information

– 34 breach incidents at OH colleges and universities

– 6 breach incidents at OH SDs

15

Current Laws


– OH school districts must report breach incidents(unless exempted) within 45 days of discovery

– Some states exempt state agencies from breach notification laws

– KY does not have a breach notification law (as of July 1, 2013)

16

Current Laws


– OH school districts must report breach incidents(unless exempted) within 45 days of discovery

• Federal law may preempt state law (e.g., HIPAA)

Law of unintended consequences?

17

Current Laws


– Do not increase cyber security

– Increase public awareness

– Public can pressure School Boards

18

Current Laws




19

Current Laws

• Liability for Bank Fraud

– EFTA protects individuals only

– Congressional bill to amend EFTA• Senator Charles Schumer (D-NY)• September 29, 2010

20

Current Laws




21

Current Laws

• Government Auditing Standards

– Sarbanes-Oxley Act – not applicable

– Testing of IT General Controls – not required

22

What can states do?

• Don’t wait for Feds to fix things

1. Add testing of IT controls to annual audits

2. Use financial leverage to

(a) shift liability to banks, or

(b) make banks provide better security and training.

public school governance and cyber security v 2

Documents

cyber security responsibility

cyber bullying

cyber attacks

ohio school districts

school districts vulnerable

cyber thieves michael

school districtsd

breach incidents