Every school is facing an invasion. Thieves are coming to take all of your personal data, as well as that of your students, and they will leave your reputation ruined in the aftermath.

Education ranks third in experiencing security breaches, just after the healthcare and retail industries. Across a recent span of seven years, more than 500 universities suffered data breaches of some kind. The information hackers obtained consisted of social security numbers and credit card information, but they can also attempt to exploit data and extract ransoms.

School districts also have suffered data breaches, and hackers routinely access the highly confidential information of thousands of students. Nearly every week a new story surfaces about the theft of personal student information, but many incidents are never reported.

Do you know what to look for in a security breach?

Some school officials think about a data breach as something that happens when hackers lift millions of data bytes. Cyber attacks are only one type of data breach. Other breaches of personal data occur in ways you might not think about, like these examples:

• The coach uses his smartphone to store information about his players. The data includes player names, physical addresses, contact information, health insurance ID numbers, and notations about performance. When his team won the game, the coach didn’t notice that his phone fell out of his pocket. A search of the area never turned up the phone.
• Not wanting to stay in the building late at night to analyze data, a teacher downloaded student performance data on her USB and dropped the device in her purse. She stopped by the store on the way home, and a thief grabbed her purse from the basket.

How to respond to a data breach

The first step in reacting to a security breach is to develop a plan for responding to any loss of data – before it happens.

• Plan for heightened security: Hackers find student data most attractive because its use for nefarious purposes may not be detected for years, such as when students apply for a credit card or a loan. To protect student data, schools must make it clear to teachers that the use “free” apps could weaken the district’s firewall and allow for breaches.
• Develop transparent policies for vetting edtech resources. Any selected resources must meet standards for confidentiality and security.
• Train staff how to recognize phishing attempts. Hackers know that teachers are busy people who often multitask. Seemingly authentic emails about W2 forms with social security numbers or bank routing numbers can trick even the most conscientious teacher who is in a hurry to respond to a request.
• If you have a breach, notify the school superintendent, who may need to make phone calls to your insurance company and state attorney general. The superintendent will also contact the district attorney for legal guidance.
• What and how will you tell parents about the breach? Transparency is often the best policy, and parents have the right to know what has happened to their children’s personal
• Revise the plan after each breach.

Every school and university must have a plan in place for security breaches. The question to ask yourself is not when will it happen, but how will you respond to it?