Executive Summary

  • Schools are one of the most consistently attacked sectors, accounting for nearly 75% of all ransomware cases in 2020
  • Student data is some of the most valuable data for hackers
  • Leakage of that data exposes schools to violations of FERPA, among other issues
  • A solution that secures the entire suite of apps used in the classroom today is essential to protect against data leakage and prevent FERPA violations


Educators hold tons of sensitive information about students. From birthdays to allergies, medical conditions to family histories, educators are tasked with ingesting this information for all their students and then protecting it from getting out.

The law that governs it is called the Family Educational Rights and Privacy Act, or FERPA. Since the law was first introduced in 1974, a lot has changed. Now, teachers and educators have tons of tools at their disposal to share information.

In the era of remote schooling, that’s been essential. What has become more dangerous, however, is the potential for that information to leak.

Educational information isn’t just shared via email. It’s on Microsoft Teams and Zoom, Google Drive and Dropbox. Every school district has expanded its suites—meaning there’s more room for error. With teachers and students balancing learning from home with other responsibilities, accidental sharing of personal information is more likely. 

That’s a problem because schools are consistently one of the most attacked sectors. According to one report, ransomware attacks on schools increased by 388% in the third quarter. In 2020, 1,681 schools and universities were hit with ransomware, accounting for nearly 75% of all reported ransomware cases in the US.

The Fairfax County School District in Virginia, the tenth-largest in the country, was also hit with a ransomware attack. In North Carolina, the Haywood schools had to close for an entire week in August due to a cyber-attack; it was the fifth the state experienced in 2020. In 2019, there was just one.

In Hartford, Connecticut, the first day of in-person and remote school was delayed after a ransomware attack. 

The school system in Yazoo County, Mississippi reported that it paid $300,000 to a company to help recover stolen data. 

Schools don’t just have snow days. They have ransomware days. 

Attackers are looking for all the rich data that schools hold. Social security numbers; addresses; medical information—it’s all there.

There are common-sense things to keep in mind when dealing with FERPA. First, teachers and administrators shouldn’t send grades or other non-directory information, such as disciplinary history or social security information, via email. Second, programs that a school doesn’t have a contract with shouldn’t be used.

Those are good measures to prevent accidental sharing. 

But if there’s a compromise and bad actors are in the system, measures against accidental sharing go out the window.

The best way to prevent that from happening is to have proper email security. Most attacks start with email and it is the number one threat resulting in breaches. Some 91% of breaches start with email. The best way to stop data loss is to prevent your cloud accounts from being compromised. That starts with stopping phishing attacks.

Beyond that, implementing data loss prevention technology is critical. This gives admins the ability to inventory records and control how they are shared. And it ensures that sensitive information isn’t disclosed publicly. 

A strong DLP program will create and automate universal policies across multiple cloud applications, so as to control how files are shared amongst internal and external users.

This works in two ways. One, it stops accidental sharing of information. Consider the use case with one organization that has departments regulated by FERPA. Within days of deploying Avanan’s Data Protection, the organization saw a 30% improvement in the use of data encryption. Further, they worked with Avanan to create a custom policy. If users are properly protecting data, the system rewards the end-user. If an employee attempts to send sensitive data outside the organization, they are stopped and given notice. 

It’s also important to protect against outside actors. Should a hacker infiltrate the system, a DLP policy that’s already identified and marked files containing confidential, financial and personal information would come in handy. Additionally, watermarking and file retraction can provide audit trails and file controls long after a document has left the organization. 

Between hefty ransomware payments and potential Department of Education investigations, violating FERPA can have major repercussions.

Stopping malicious emails and securing data is more essential than ever. 
