Cyber Liability – Risk Management Best Practices for Montana Public Schools
By Shawn Bubb, Director of Insurance Services
This fiscal year has seen a new focus on the importance of understanding the critical aspects of cyber liability and risks presented to K-12 public schools in Montana. Most schools have spent considerable effort analyzing the sensitive data that they have in their school systems and determining the best methods to protect that information from unauthorized disclosure. At the December 2017 School Law and Technology Conference, MSGIA sponsored the keynote speakers on cyber liability defensive strategies. Against this backdrop, I have outlined below relevant concepts and considerations that school districts can employ to help them better evaluate data-gathering strategies and to aid them in determining if that data is, in fact, safely stored in the system.
- Know where you keep PII (Personally Identifiable Information) and PHI (Private Health Information) on your computers and network servers (see MCA 30-14-1704).
- Only keep data that is required in these two areas, and be certain to delete the rest, as it quickly can become a liability for your district if there is a loss of that data through unauthorized access in a data breach.
- Segment your computer network if possible to keep IEP, health, and PII records in a part of the network not connected to the internet.
- Apply all software patches when they come out. Patches are released to fix problems in software that can be exploited by bad actors. Having an automated distribution system for patches speeds up deployment and improves compliance with this recommendation.
- Require strong passwords that can be changed on a periodic basis – remember, longer passwords are stronger passwords.
- Have your internal IT director or contract vendor maintain good network logs; and, as part of this effort, instruct them to be vigilant about watching for unusual activity on your network, such as login attempts at unusual times of day or days of the week. The District’s monitoring system should also flag repeated unsuccessful login attempts and deny further access once a set number of failures has occurred.
- Staff will need to be trained on phishing scams followed by a live test to gauge understanding and compliance. The goal is for staff to resist that urge to “click” on that shiny penny link in an email.
- Conduct periodic penetration testing for your district’s computer network. Hiring a “white hat” hacker group to test your system for vulnerabilities can cost a couple of thousand dollars, but it can also provide very valuable information and thus help your team address improvements in your district’s digital security platform.
- If your District utilizes cloud-based services that track student information and/or the school finance systems, then consider contract language that does the following:
  - Asks for indemnification from the cloud provider if the cloud suffers a data breach resulting in litigation due to an individual’s loss of information;
  - Includes additional language stipulating that the cloud service provider’s cybersecurity policy covers those actions; and,
  - Additionally, though the service provider may not agree to such clauses, remember that negotiating these important points in a contract is in the District’s best interest.
- Because network backups need to be maintained and tested regularly, you should determine the benefits of having a backup system that is not permanently connected to the network. Having such built-in breakpoints allows the district to restore from backup if data or devices are corrupted through unauthorized access.
- Block known malicious IP addresses/countries unless whitelisted for specific school district needs.
- To assist in preparing for and responding to events that can occur in this critical area, be sure to review your cyber liability coverage with your insurance provider and utilize the resources available.
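The log-review recommendation above (watching for logins at unusual times and denying access after a set number of failed attempts) can be implemented as a small script run over authentication logs. The following is an added example written for this article, not MSGIA’s or any district’s own tooling. It assumes syslog-style sshd lines; the sample log lines, the business-hours window, the failure threshold and the year used to complete the timestamps are all constructed for the example, and the regular expression would need adjusting for other systems’ log formats.

```python
"""
Added example (not from the MSGIA article): review authentication logs for
(1) successful logins outside business hours or on weekends and
(2) accounts with repeated failed logins inside a short window, which is the
condition under which the article says access should be denied.
Log format (syslog-style sshd lines) and all sample data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2018  # assumption: syslog timestamps omit the year, so we fix one

# Constructed sample log lines (not real data). Mar 12 2018 is a Monday,
# Mar 17 2018 is a Saturday. The CRON line shows that unrelated lines are skipped.
SAMPLE_LOG = """\
Mar 12 08:15:02 fileserver sshd[1201]: Accepted password for jsmith from 10.10.4.22 port 51022 ssh2
Mar 12 08:15:20 fileserver sshd[1202]: Failed password for jsmith from 10.10.4.22 port 51023 ssh2
Mar 12 09:00:01 fileserver CRON[1250]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 02:41:07 fileserver sshd[1300]: Accepted password for admin from 198.51.100.7 port 40211 ssh2
Mar 12 02:41:09 fileserver sshd[1301]: Failed password for admin from 198.51.100.7 port 40212 ssh2
Mar 12 02:41:10 fileserver sshd[1302]: Failed password for admin from 198.51.100.7 port 40213 ssh2
Mar 12 02:41:12 fileserver sshd[1303]: Failed password for admin from 198.51.100.7 port 40214 ssh2
Mar 12 02:41:13 fileserver sshd[1304]: Failed password for admin from 198.51.100.7 port 40215 ssh2
Mar 12 02:41:15 fileserver sshd[1305]: Failed password for admin from 198.51.100.7 port 40216 ssh2
Mar 17 10:02:44 fileserver sshd[1400]: Accepted password for jsmith from 10.10.4.22 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Policy values are assumptions for the example; a district sets its own.
BUSINESS_HOURS = (7, 19)          # 07:00 to 19:00 local time
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday=0 ... Friday=4
FAIL_THRESHOLD = 5                # failures that should trigger a denial/lockout
FAIL_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return an event dict for an sshd login line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def parse_log(text):
    """Parse every recognised line, in timestamp order (log order is not trusted)."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def off_hours_logins(events, hours=BUSINESS_HOURS, days=BUSINESS_DAYS):
    """Successful logins that fall outside business hours or on non-business days."""
    flagged = []
    for e in events:
        if not e["ok"]:
            continue
        in_hours = hours[0] <= e["ts"].hour < hours[1]
        if e["ts"].weekday() not in days or not in_hours:
            flagged.append(e)
    return flagged


def lockout_candidates(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Accounts reaching `threshold` failed logins within any `window`-long span.

    Returns {user: highest failure count seen inside one window}.
    A sliding window per user drops failures older than `window`.
    """
    recent = defaultdict(list)
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        fails = recent[e["user"]]
        fails.append(e["ts"])
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)
        if len(fails) >= threshold:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(fails))
    return flagged


def review_log(text):
    """Run both checks and return a report a reviewer can act on."""
    events = parse_log(text)
    return {
        "parsed": len(events),
        "off_hours": [(e["user"], e["ip"], e["ts"].isoformat()) for e in off_hours_logins(events)],
        "lockouts": lockout_candidates(events),
    }


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the report flags two off-hours successes (the 02:41 admin login on a weekday night and the Saturday jsmith login) and one lockout candidate (admin, five failures in eight seconds); jsmith’s single failure stays below the threshold. The sliding window matters: five failures spread over a day are normal typing mistakes, five within minutes are not.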
The ideas presented above are meant to create a base program to address many of the key areas for school cyber risks. As you develop other new aspects of your risk management plan, reach out to the MSGIA so we can share your good ideas with all MSGIA members. Because the cyber liability risks for schools are continually changing, schools need to keep this area of risk a constant point of focus. The MSGIA will be here to assist our members with this risk and all of the risks of your school operations.
Be Well and Be Safe!