What to Do if Your School Suffers a Data Breach

Our growing reliance on technology has been compounded and increased by the coronavirus
pandemic. From working remotely, to communicating with family, to test and trace apps, to online
shopping, our society has relied on technology to manage the unusual circumstances we now live in.
This has put both our personal and school data at much greater risk than ever before.
With the ever-changing nature of cybercrime, and the constant reliance on technology, schools need 
to be particularly vigilant. 
Why is a Data Breach Bad?
 
You hear the words “data breach” and “cyber security” rather a lot these days. Data breaches can
occur in a number of ways, be it a business whose client data is exposed, company secrets being 
leaked, or a GP who accidentally exposes a patient’s data to another patient. These are just some of 
the many examples.
Sadly, schools too are an attractive target for cyber criminals.
The question is, why is it so important for your school to avoid being associated with a data breach of 
any sort? There are a number of reasons for this, including:
  1. Tarnishing your school name
  2. Can have an emotional toll on those whose data has been breached
  3. Can lead to lawsuits, causing you to lose a lot of money along the way
  4. Putting you or parents at risk of financial crime e.g. hacked bank accounts
  5. Identities may be stolen
A step-by-step guide on what to do if your school experiences a data breach:
 
Given the fallout that a data breach may have on you, your school, and your parents and students,
it’s clear that breaches must be dealt with appropriately.
Taking responsibility for what’s happened is extremely important. As Data Protection Officers we know
first-hand the emotional trauma and stress a data breach can have on the victims. In most cases, 
people simply want an explanation and an apology, as well as a promise that this won’t happen again.
Then, it’s all about minimising the fallout of the breach. For all you know, the data may not have been 
used maliciously yet, so it’s important that you act quickly.
Our recommendations for the future, so this doesn’t happen again, are as follows:
1. Clarify whether your school has, indeed, experienced a data breach. This includes the 
destruction, loss, or unauthorised exposure of data.
2. Contact your DPO to deal with the issue, and fast.
3. Assess whether this data breach will be a risk to people by finding out what type of data was 
stolen.
4. If the data loss is of a very serious nature, notify the Information Commissioner’s Office (ICO).
5. Contact a cyber security expert to assess how this breach occurred. They should be able to
stop the data leakage and remove the hacker from the system, patching up how they got in
along the way.
6. Identify a cause for how your systems were infiltrated.
7. Preserve the evidence of the data breach so you have it all in your records.
8. Put measures in place to prevent someone from using the data maliciously.
9. Let your data subjects know there’s been a data breach as soon as you can, either by phone
or email. Be open and honest with them, letting them know how this happened and what
actions are being taken to counteract this issue.
10. Where necessary, urge parents to change any login details, keep their new details safe, and 
be vigilant about spotting any further attempts. Some hackers may target people via emails, 
tricking them into believing they are from the school.
11. Keep everyone in the know about any updates as and when you know them. This includes all 
employees involved, and any parents or students who have been affected.
12. Respond to complaints and questions quickly and efficiently. Being there for them will help to 
assure them that you’re doing everything you can, hopefully keeping them loyal to you.
13. Learn from it all by putting measures in place to avoid this happening again (see next 
heading).
14. Try to stay one step ahead of the cyber criminals by thinking creatively. Use your hired experts
to help you do this.
Cyber security measures to avoid a data breach:
 
Many organisations will go in with the dangerous attitude that a breach won’t happen to them. That 
said, statistics show that 60% of UK consumers were affected by a data breach in 2019.
Ultimately, although it’s easier said than done, avoiding a data breach really is your best port of call. 
Some of the best ways to protect your school before a breach occurs include:
  1. Providing training for employees on dealing with school data, updating devices regularly, accessing secure websites, disposing of secure documents, keeping up with GDPR principles etc.
  2. Hiring a cyber security professional to monitor any suspicious activity across your school network.
  3. Making sure everyone is working on a secure network, like a VPN, whether they’re in the office or at home.
  4. Making sure all school devices are set up using secure passwords and multi-factor authentication logins.
  5. Making sure all school devices are set up to go to “sleep” automatically after a set period of inactivity.
  6. Installing anti-malware and cyber security software on all PCs.
  7. Providing school laptops or, if you can’t, making sure all personal laptops have anti-malware software installed and in use.
  8. Never discuss important information with anyone outside the school or online.
  9. Making sure you have a data breach response plan in place for next time, although hopefully there won’t be a next time.
Clearly, the best way to deal with the growing number of cyber security threats is to stay one step 
ahead, by preparing in advance, and taking the best possible advice.
Although this may seem like a lot of time and money to spend on something that may never happen, 
it’s really just a long-term investment into your school’s future.