Protecting Digital Data

Protecting Digital Data

School administration make encrypting personal student digital data more important than ever

While the debate regarding the opening of many schools continues, it looks as if distance learning and school administration will continue to some degree. So, as we plow through the one-year anniversary of schools closing across the country on account of the COVID-19 pandemic, it is a good spot for a reminder of the necessity of keeping student Personally Identifiable Information (PII), secure.

PII is data that could directly identify an individual. Be it by name, address, social security number or identifying number or code, telephone number, or email address. Any information that can lead to the identity of a specific person falls under PII. A simple spreadsheet of student information and grades could fall under the wide umbrella of PII regulations.

The purpose of securing such data is twofold: 1. to fall in line with the plethora of federal and state laws and regulations mandating it, and 2. as a safeguard for the off-site use of and lack of oversight of personal PCs and laptops in teaching and administrative duties during the pandemic.

Whether it is stored or being transported, data protection is essential. The costs in money and reputation on account of data breaches, hacking and lost or stolen laptops/PCs are astronomical.

So, how do you make sure all your digital personal student data is secure and meeting regulations? One way is to encrypt all your digital files, whether they are on a USB drive or an SSD.

Before discussing those, let's take a brief look at a few of the prominent laws and regulations dictating personal student digital-data security, which would be enforced whether there was a pandemic going on or not.

The Future of Privacy Forum (FPF), a Washington, DC-based think tank that seeks to advance responsible data practices, says federal and state security requirements oblige schools and companies to use “reasonable” steps or methods to provide security regardless of the technology in use.

Three of the requirements affecting school and school systems, according to FPF, are:

FERPA. Family Educational Rights and Privacy Act (FERPA), a federal law, applies to any school that receives funds from the Department of Education and protects the privacy of a students’ school records. “Education records” include those that contain the information related to a student. Since its requirements are mandatory for schools receiving Department of Education funds, it applies to most K-12 schools and post-secondary institutions, both public and private. Enacted in 1974, FERPA is still the main federal law governing student privacy at educational institutions. While technology has made a sea change in the way student records are kept since then, Congress has made very few changes to the act.

COPPA. Children's Online Privacy Protection Act (COPPA) is another federal law that covers information that can be obtained from children under the age of 13, by companies on websites, games and mobile applications. This applies to any online product that is targeted at consumers under 13, and where the companies have “actual knowledge” that the user is under the age of 12. COPPA has a special provision allowing school officials and educators the ability to provide consent on behalf of parents for their students to be able to use online platforms in an educational setting at their school. However, this consent is limited to the collection of a student’s personal information for a school’s educational purpose, not any commercial use.

HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) creates standards for electronic healthcare activities and protects the privacy and security of personally identifiable health information— including students. HIPAA is not applicable in most cases for student records. However, it and FERPA do overlap to some degree. A school is a “healthcare provider” as defined by HIPAA when it operates a health clinic offering medical care to students in the normal course of business. Also, a school must comply with HIPAA if it conducts any electronic transactions that fall under the standard.

Now on to the products that can help keep your digital data safe.

Encrypted USB Drives

Standard USB drives (such as removable media, flash drives, thumb drives, etc.) are used as file-sharing and mobility tools, backup drives, and more. While they have revolutionized data storage and transfer, they have also introduced serious security concerns. USB drives can turn up anywhere with their extreme portability, making them a very vulnerable device, susceptible to being easily accessed causing a potential breach.

Considering how much data can be stored on these drives, the damage caused by a lost or hacked drive can be unfathomable. The most effective means to secure data on such a portable storage device is encrypted USB flash drives.

A hardware-centric/software-free encryption approach to data security is the most effective means of combating someone unauthorized from viewing private, student-related information. Such a USB drive is a cost-effective and easy to implement a solution to protecting private data.

These devices meet tough industry security standards and offer the ultimate security in data protection to confidently manage situations and reduce risks arising from missing drives. The encryption/decryption functions are self-contained within these devices and do not require a software element on the host computer. Brute-force, sniffing and memory hash attacks are eliminated because there is no software encryption vulnerability.

Hardware-centric and software-free encryption eliminates most of the common attack routes used by hackers. Complete cross-platform compatibility with any OS or embedded equipment using a USB drive for storage is also a benefit of software-free encryption.

AES 256-bit encryption in XTS mode is the top-of-the-line hardware- based encrypted USB drives use. This ensures that anyone who finds such a drive cannot easily access the information by cracking the encryption. Additionally, state-of-the-art drives will lock away data on the drive when the wrong password is attempted 10 times.

These USB drives also have digitally signed firmware that cannot be altered and add a physical layer of protection to a common hack called BadUSB. Access to the physical memory is also prevented by filling the cases with epoxy.

A hardware-centric/software-free encryption approach eliminates the most commonly used attack routes and is the best defense against a breach-causing data loss as it.

Encrypted Solid State Drives (SSD)

SSDs are the preferred storage medium for PCs as they feature unbelievable speed and reliability. They have gradually replaced older-style hard disk drives over the past 10 years. SSD encryption is similar to USB drives in that it is hardware-based, but requires software to engage it.

Many SSDs come standard with 256-bit AES encryption. This puts a wall around the data stored on the drive. However, as it is the computer’s hard drive, it requires software to lock that wall. Fortunately, organizations may have the lock in place already as part of their OS.

Education institutions and organizations who deploy data security measures from other major vendors are in luck as well as most of these companies also provide a software component to lock the encrypted data on SSDs.

Here are a few encryption methods that your SSDs should include. The more types an SSD has, the secure the personal-student data.

AES 256-Bit Encryption. AES (Advanced Encryption Standard) is a symmetric encryption algorithm (this means that the encryption and decryption keys are the same). AES is known as a "block cipher" where data is divided into 128-bit blocks before being scrambled with a 256-bit key. AES 256-bit encryption is an international standard and is recognized by the government, among others. AES-256 encryption is nearly undecipherable, making it the strongest encryption standard available.

TCG Opal 2.0. This protocol can initialize, authenticate and manage encrypted SSDs by using independent software vendors featuring TCG Opal 2.0 security management solutions such as Symantec™, McAfee™, WinMagic®, and others.

Microsoft eDrive Support. Microsoft eDrive is a security storage specification program that is provided through the Pro and Enterprise editions of Windows 8, and above. While an SSD may feature AES 256-bit encryption, it is wide open if not used in conjunction with eDrive or any of the other solutions listed above from the major security software vendors. In other words, AES 256-bit encryption on an SSD provides a fence around the data. The software solution is the lock that keeps the fence closed.

If you, your school or the school district are not using encrypted USB drives or encrypted SSDs, your personal student data could be at risk of being hacked or breached, as well as you not being compliant with strict federal and state regulations protecting personal student information.

Here are a couple of Kingston USB products to give you an idea of what is available and what you, as a teacher or school district, should be using.

• DataTraveler® 2000 (DT2000). It is designed with an alphanumeric keypad that locks the drive with a word or number combination of your choosing for easy-to-use PIN protection. The keypad works on any device, such as a Windows PC, MacBook or Chromebook. It features hardware-based Full-disk AES 256-bit data encryption in XTS mode, which means the encryption is done on the drive with no trace of your PIN left on the system and provides a level of security that the government and other such organizations around the world have adopted.

It also has FIPS 140-2 Level 3 certification, including military-grade anti-tampering protections, to meet a frequently requested corporate IT requirement. Its fast storage speed allows for speedier data transfers. The DT2000 can be used on any device with a USB 2.0 or USB 3.0 port, which includes virtually all later model digital devices. With an adapter, it can also be used on devices with a USB-C data port.

• The DataTraveler® Vault Privacy 3.0 USB flash drive (DTVP30) provides affordable business-grade security (thanks to its 256-bit AES hardware-based encryption in XTS mode) that ensures 100% protection of stored data. Complex password protection with minimum characteristics prevents unauthorized access. Plus, for additional peace of mind, the drive locks down and reformats after 10 intrusion attempts.

School administrators will be glad to know that the DTVP30 can be customized in various ways to meet internal IT requirements. It is FIPS- 197 certified and TAA compliant to meet frequently requested corporate and government IT requirements. Its SuperSpeed USB 3.0 technology means you will not be compromising transfer speeds for security.

It is unknown how long before students are back in the classroom but either way it’s best to be sure that all efforts in personal data protection are being made.

This article originally appeared in the May / June 2021 issue of Campus Security Today.

Featured

  • CISA Releases Anonymous Threat Response Guidance and Toolkit for K-12 Schools

    The Cybersecurity and Infrastructure Security Agency (CISA) recently released the Anonymized Threat Response Guidance: A Toolkit for K-12 Schools, a new resource to help kindergarten through grade 12 (K-12) schools and their law enforcement and community partners create tailored approaches to addressing anonymous threats of violence, including those received on social media. The toolkit outlines steps school leaders can take to assess and respond to anonymous threats, better prepare for and prevent future threats, and work in coordination with law enforcement and other local partners when these threats arise. It is co-sealed with the Federal Bureau of Investigation (FBI), which provided expert feedback on the toolkit’s key principles and strategies. Read Now

  • How Hospitals are Using Modern Technology to Improve Security

    Workplace violence is a serious and growing challenge for many organizations — including those in the healthcare industry. According to the U.S. Bureau of Labor Statistics, workers in healthcare and social services experience the highest rates of injuries caused by workplace violence and are five times as likely to suffer a workplace violence injury than workers overall — and aggressive incidents are rising. Read Now

  • Father of Georgia School Shooting Suspect Charged in Connection With Attack

    Colin Gray, the father of the 14-year-old Georgia school shooting suspect, has also been charged in connection with the attack. The 54-year-old father was charged with four counts of involuntary manslaughter, two counts of second-degree murder and eight counts of cruelty to children. Read Now

  • Safeguarding Stony Brook University Hospital: HALO’S Commitment to Health & Safety

    The healthcare industry is experiencing an alarming escalation of violence, including an increase in threats against healthcare workers. As a result, it is looking for ways to be proactive and protect its staff and patients.  According to the Bureau of Labor Statistics,  the rate of injuries from violent attacks against medical professionals grew by 63% from 2011 to 2018 and hospital safety directors say that aggression against staff escalated as the COVID-19 pandemic intensified in 2020.      Read Now

Webinars