More state policymakers are recognizing the serious consequences that cyberattacks can have on K-12 schools, but the policy response is “still insufficient,” according to the Consortium for School Networking’s analysis of school-related cybersecurity bills introduced in 2022.
Legislators in 36 states introduced 232 school-related cybersecurity bills, the report found. That’s 62 more than were introduced in 2021 and more than twice the number of bills introduced in 2020. Thirty-seven of the cybersecurity bills introduced in 2022 were enacted, compared with 49 in 2021 and 10 in 2021, according to the report.
Cyberattacks are now a daily threat for schools as the number of incidents has increased in recent years. Most notably, in 2022, two big districts—Los Angeles Unified and New York City—faced cybersecurity challenges.
Protecting sensitive data is becoming more challenging as districts lean further into technology use for teaching, learning, and managing their systems, and as cybercriminals become more sophisticated. It’s also a challenge as teachers and district leaders perceive the threat of cyberattacks very differently.
The most common cybersecurity policy strategies adopted by states in 2022 include mandatory incident reporting, prevention and contingency planning requirements, and expansion of the cybersecurity workforce, the report found. In many cases, the adopted bills also provided funding for schools and districts to pay for these activities.
For example, California enacted a law that requires districts to report cyberattacks that impact more than 500 students or personnel, and establishes a statewide database to track the attacks reported. And in Alabama, a new law provides funding for hiring district technology coordinators.
Twenty-seven of the bills introduced in 2022 focused on cybersecurity training requirements. The bills enacted provide funding for training, establish a liaison program to assist districts, and develop a cyber assessment and an online database of training resources.
The CoSN report argued that the new laws are not comprehensive enough to address the cybersecurity challenges school districts face.
State Educational Technology Directors Association Executive Director Julia Fallon agreed that more needs to be done, with a focus on the “unique needs” of the K-12 industry sector.
“Just taking business models that are out in the corporate space and applying it to K-12 doesn’t necessarily solve the problems,” Fallon said.
Here are some policy improvements to consider in 2023, according to the report:
- Prevention strategies should reflect industry standards and best practices and should include realistic timelines for completing the requirements.
- Policymakers should find ways to remove the stigma associated with reporting attacks so that every attack can be a learning opportunity for others.
- To address workforce gaps, it’s not enough to fund new higher education degree programs, because that strategy “takes years to yield benefits.” There should be more emphasis on shorter-term credentialing options and more funding for compensation to compete with the private sector.
