Stranger Danger!: How Hackers Break into School Databases to Steal Student Data, and What Legislatures Should Do about It

Abstract

Inadequate data security practices in K-12 public schools leave students’ personal information vulnerable to exposure, theft, and marketing on the dark web. In 2017, schools across the country reported 122 cybersecurity incidents, and those were only the events school officials detected and disclosed; the real number is likely much higher. These security breaches are costly for student victims and their families, often costing them hundreds or thousands of dollars in credit repair and identity recovery services. Though this problem affects every school in the United States, there is no federal law that establishes a standard for a school’s duty to its students in dealing with their personal information. Furthermore, though every state in the country has passed some form of school cybersecurity legislation, no state has gone beyond requiring that schools have a cybersecurity policy to articulate exactly how schools should protect this valuable student information. Worse, neither the federal nor state governments have provided any financial remedy for student victims of data theft or exposure. This Article presents one unprecedented legislative solution to remedy this growing national problem: Congress should pass legislation that establishes uniform standards for how schools should collect and protect student data, and how they should respond when cybersecurity breaches occur. It should also provide financial recompense for victims of the breaches so that they might move forward with little financial burden in the wake of such an event.