While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that require more obligations.  Schools must balance these obligations as they lead their students and employees through online learning during 2020. That is, to continue teaching children, most schools have had no choice but to rely on third-party applications that require entrusting this sensitive data to outside vendors. Further, many schools are facing new state laws requiring schools more steps be taken to protect student data. The last thing schools need right now is an increase in ransomware attacks.

Of course, while many people have concerns and are grateful for schools during this time, hackers see opportunity. Namely, there are a number of new reports that schools are facing a substantial increase in ransomware targeting schools specifically. For example, on November 13, 2020, the Wall Street Journal addressed the uphill battle facing schools in an article titled, “Schools Struggling to Stay Open Get Hit by Ransomware Attacks.” This article examines a recent incident for a school district in Athens, Texas. As seen with many ransomware incidents, the technology chief for Athens schools, Tony Brooks, recalls one fateful day where he was contacted by school district employees reporting they could not log onto their computers. Of course, when he tried to log onto his computer, Mr. Brooks found a message stating: “All your important files are encrypted.”

Mr. Brooks immediately began negotiating with the hackers and, as commonly seen, he learned his school district’s hackers wanted to be paid in bitcoin. Ultimately, Mr. Brooks was able to cut off negotiations with the hackers before any payment was made when the school district come across a backup server holding the same information as the server compromised by the ransomware attack.

While the ransomware attack profiled in the Wall Street Journal merely costs Mr. Brooks’ school district substantial time in negotiating with the hackers and finding a fix short of paying the ransom, this situation makes it clear that school districts should not rely on luck to protect student data.

Another recent article, published on November 14, 2020, in the Las Cruces Sun-News entitled, “One Year Later: What the Ransomware Attack Taught Us About A Crisis” provides a first-hand account of the devastating effect a ransomware attack can leave on a school district. The author, Karen Trujillo, the Las Cruces School District superintendent, recalled a ransomware attack that hit her school district a year ago:  

There is a day in our district’s history that will be etched in the minds of Las Cruces Public Schools for quite some time. It was Oct. 29, 2019. I had been on the job as the interim superintendent for about two months when, in a matter of hours, our entire digital infrastructure at LCPS was swept away.

Our IT director, Matt Dawkins, got a call around 7 a.m. that one of our employees was having trouble gaining access to the server. “It’s ransomware,” Matt said. By 7:30 a.m, it was confirmed that 90 percent of our server systems were crippled. Our financial systems, student information, printers — all data storage was out of reach.

In addition to teachers losing all access to the technological tools they had grown accustomed to using to teach, Ms. Trujillo faced a number of significant burdens, including:  “Matt’s team of 21 people worked 18-hour days through Thanksgiving, Christmas and beyond, scrubbing more than 30,000 devices that needed to be rebuilt.” And, despite having to go through a terrible experience, Ms. Trujillo sees a silver lining in suffering a ransomware attack:

We thought the ransomware attack was our disaster for the year, but just when we started to rise from the ashes, the global pandemic thrust us into another crisis. It was as if the ransomware was a trial run for the situation we are in now. We were able to flip the switch from children in classrooms to remote learning in a weekend, rather than months. We went from no technology for learning to only technology for learning. The new devices we ordered during ransomware arrived just in time to get them in the hands of students who needed them. A year later, we understand the reality of cyberattacks, and — as a global pandemic — we know that no one is immune. Since then, we have installed firewalls, updated our systems, invested in our teachers and improved our infrastructure so we can protect ourselves. As we navigate through this pandemic, we use what we learned during the ransomware attack to handle the current crisis.

Interestingly, the WSJ article found the “[a]verage ransom payments across all industries have climbed in recent years, to $233,817 in the third quarter of this year from $41,198 a year earlier.”  And, the amount demanded as a ransom is expected to continue to rise.  It is now clear that school districts must make preparing for ransomware attacks a priority. And, if there was not enough of an incentive already to prepare for a ransomware attack, Illinois schools must be ready to implement additional steps by July 1, 2021, to meet the amended Student Online Personal Protection Act (“SOPPA”) requirements.

In order to effectively protect employee and student data, schools must have answers to at least the following questions:

  • Is the school district prepared for a ransomware attack?
    • Would the school district pay the ransom?
    • How much would the school district be willing to pay for a ransom?
    • Where does the school district get bitcoin to pay a ransom?
    • Can the school district continue to teach while information is encrypted?
    • Does the school district have insurance that covers a ransomware event?
  • What third-party vendors is the school district providing student data to?
  • What third-party vendors are teachers providing student data to?
  • What safeguards do third party vendors have in place to protect student data?
  • Does the school district have insurance for a ransomware event at a vendor?
  • Are there any state laws that give rise to requirements in the school district?
  • Who in the school district will respond to students’ and parents’ questions about an incident?

For more information about this article, contact Todd Rowe, working at home, of course, at