Keeping Students' Data Safe

Staff members are the biggest threat to Kentucky's information systems, according to David Couch, chief intelligence officer for the state's Department of Education.

Staff members are the biggest threat to Kentucky's information systems, according to David Couch, chief intelligence officer for the state's Department of Education. Shutterstock

 

Connecting state and local government leaders

David Couch, chief information officer for the Kentucky Department of Education, discusses student data privacy, the biggest threats to his state's system and cutting down on the information that school districts collect.

For more than two decades, David Couch has steered the Kentucky Department of Education’s technology policy, eventually as chief information officer and associate commissioner of education. He is the longest-serving state-level CIO of K-12 education in the country.

On his watch, Kentucky was the first state to hit multiple technology milestones in schools, starting by connecting every district to high-speed internet in 1995. Twenty years later, Kentucky was the first state to meet a national goal of providing 100 kilobytes of fibered internet access per student.

Couch recently testified at a hearing of the House Committee on Education and the Workforce, explaining the challenges facing student data privacy and urging federal officials to update the Family Educational Rights and Privacy Act, which “protects the privacy of student education records.”

Source: Kentucky Department of Education

Couch said other states can take advantage of what he and his staff  have learned over the years.

“The main thing that I’m interested in is just the word getting out  about some of the things we’ve done well,” he told Route Fifty in an  interview. “I don’t look at other states as competition, we’re all kind  of in this together. The stuff that we do, they can just copy and paste it and use it—I’m fine with that.”

Route Fifty: Why have you stayed in this position so long?

David Couch: You have to understand why I joined. Many years  ago when I graduated from high school I went to West Point. I  thought I was hot stuff, and then I found I was far behind my peers in  other states when it came to being academically prepared for that  environment. So I vowed that I would like to do something about that versus complain about it.

When I was in the Army, there was something called the Kentucky Education Reform Act, part of which focused on equity of access for all children to education technology. I was at that point in my army career where I had to decide if I would stay in and keep doing it, or be part of something where I could be part of the solution I always fussed about. It’s always been about much more than a job.

Route Fifty: Can you explain what student data privacy is and what it means?

Couch: School districts are given information about my child, and it’s important for me as a parent to know that anything else you may do with it, you’re making sure that it’s properly protected and that people who don’t need to see it, don’t see it. That goes to state government, but also to private companies—the data they’re collecting can’t be passed on without parents’ knowledge or permission.

The bigger companies are the ones involved in information systems, and obviously they take student data privacy seriously because they know if anything gets out, that security or privacy leak is bad for the future of the company. Other companies focus on special apps for classrooms, which teachers can use without first seeking permission from the district office. That’s tougher, but if they first bring in folks at the district office, they can at least make sure that certain provisions are in place, and also, at least, that the parents are informed as well as the company.

A lot of folks get caught up in, 'Let’s find the technical solution that helps protect data privacy.' And we have those, but we put more energy on the people side. You have to get those folks savvy to this and make them aware of it.

Route Fifty: You said during your recent House committee testimony that your system’s “biggest vulnerability, by far, is internal staff, not external criminals.” How do you go about training staff to be more aware of phishing attempts and other attempted attacks?

Couch: We created a “one-pager” to help folks understand the basics, which has been a good tool. We have an acceptable-use policy that districts are required to sign—we can’t require them to do it every year, but we encourage them to do it frequently. We also have something called, “It Could Happen To You, But Don’t Let It.”

We share, in that document, some of the things that have happened in Kentucky K-12 and higher ed for the purpose of letting folks know that we’re not just being theoretical—this stuff has happened. Sometimes it’s someone who’s been taken advantage of by a phishing attempt, or someone left a laptop in a car and it didn’t have encryption on it and it was taken because it had data on it, or someone emailed a spreadsheet with Social Security numbers on it and didn’t realize it, because they didn’t scroll far enough right in the cells to see the data. We have two to five of those types of incidents per year.

Part of the message is, ‘This happened to another district. Don’t let this happen to yours.’ We don’t necessarily say the district name—though you can usually easily find it, because it’s usually made the press—but we just make people aware that these are real things that happen in Kentucky. There’s got to be a part where there’s courage to say, ‘We’re not perfect but here’s what you can do to try to prevent it.’

I think that’s a good and helpful tool, because it lets folks understand that we’re not perfect. And even though we weren’t hacked into, it was just as destructive in terms of people’s information getting out there.

Route Fifty: How has Kentucky stayed on the front lines of student data privacy and technology?

Couch: The Kentucky Education Technology System was a big component of the Kentucky Education Reform Act. KERA was about equity, access and opportunity for all kids, a change to legislation that said no matter where you grow up in a state, you should have equal access to a great educational opportunity. And the technology component was a big part of that. That’s what makes our story interesting and unique. The other thing is our long-term planning. A lot of the folks that started when I started 25 years ago have been part of this ever since, so I’ve had great stability.

For me, it started the year we were putting all of this in place and were the first to do it. We were the first to get our district offices connected to high-speed internet, then the schools, then every classroom.

We knew we were going at an aggressive pace putting the technology in, but we wanted to make sure we were dealing with the people side at the same time—teaching about being good stewards and protectors of the things in there that do good things, but can be very destructive in others’ hands. That was something we saw bubbling up. Because we were on the forefront of all of this, we saw these things early and the importance of securing it.

Route Fifty: You stated in your House testimony that last year the Kentucky K-12 system experienced more than 4 billion attempted unauthorized network connections, or attacks. That seems like an insane number; like it must be a constant onslaught. Is that what it’s like?

Couch: It is. It’s a constant 24/7 thing where folks are trying to get in. They’re trying to get something, or cause something not to work, or cause embarrassment. I was talking to the staffers for the House of Representatives and thought it was important that I mention that, because I don’t think folks realize how big it is. And that’s not specific to Kentucky—we’re not more or less than anyone else, it’s a nationwide thing.

Route Fifty: How do you deal with and stay on top of that barrage?

Couch: We can see, somewhat, where they came from, though attackers are pretty smart about hiding their tracks.

A common example is a service attack, where it’s really coming from infected home computers across the U.S. that don’t have good virus protection. People don’t realize that their home computers can be used in an attack. It’s kind of like a quiet soldier that floods the system so a particular site can’t be used for anything. I always equate it to what would happen if you wanted to go to Kroger, but at that same time someone sent 10 million people to that same Kroger in a small town. What would you do? You’d go someplace else. That’s kind of what a website attack does—makes it so it’s not usable.

There’s technology that lets you know that people have tried to get in. You have to stay on top of it constantly, because the folks trying to do it are constantly improving and getting better at it. The attacks we’ve had in the past school year are bigger than in all my years, and they’re getting bigger and bigger.

Route Fifty: Were any of those attacks successful?

Couch: I’m hesitant to say how many were successful and how many were not, because I’m not trying to encourage hackers to come after Kentucky. I can tell you that on average in Kentucky there are two to five breaches every year, and that none have come from these outside attacks. They’re all human error inside our system—the laptop left in the car, a document sent to the wrong printer. This is what goes on, over and over again.

Route Fifty: You speak often about putting school districts, staff members and agencies on a “healthy data diet.” What does that mean?

Couch: It means we only collect the data that we know is necessary, so we’re only seeing the data we really need to see. This also improves data quality and minimizes our risk of attack.

When I first got in this position I eliminated 90 percent of the data we were collecting. The legislators who had mandated its collection were long gone and, in some cases, had died, but we were still collecting it. From the district’s point of view, they were being overwhelmed.

We also encourage other organizations to be frugal and thoughtful and strategic on which data they’re asking to be collected, because these districts are there trying to educate kids every day. They can’t have researchers supplying this data all the time, even if the intentions are good.

Route Fifty: What do you think is the biggest challenge facing student data privacy today?

Couch: Just trying to provide this protective barrier the best we can. For us, that means getting the importance of cybersecurity and privacy on the radar screen of the average teacher or staff member. They can really help us in what we’re trying to do. Even if you have all of these technological things in place, if you don’t have that addressed, it becomes your greatest weakness. We have to make sure that folks, as they’re using those tools to help students, they’re being mindful of the security and privacy that need to be considered.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.