Keeping Students' Data Safe

For more than two decades, David Couch has steered the Kentucky Department of Education’s technology policy, eventually as chief information officer and associate commissioner of education. He is the longest-serving state-level CIO of K-12 education in the country.

On his watch, Kentucky was the first state to hit multiple technology milestones in schools, starting by connecting every district to high-speed internet in 1995. Twenty years later, Kentucky was the first state to meet a national goal of providing 100 kilobytes of fibered internet access per student.

Couch recently testified at a hearing of the House Committee on Education and the Workforce, explaining the challenges facing student data privacy and urging federal officials to update the Family Educational Rights and Privacy Act, which “protects the privacy of student education records.”

Couch said other states can take advantage of what he and his staff  have learned over the years.

“The main thing that I’m interested in is just the word getting out  about some of the things we’ve done well,” he told Route Fifty in an  interview. “I don’t look at other states as competition, we’re all kind  of in this together. The stuff that we do, they can just copy and paste it and use it—I’m fine with that.”

Route Fifty: Why have you stayed in this position so long?

David Couch: You have to understand why I joined. Many years  ago when I graduated from high school I went to West Point. I  thought I was hot stuff, and then I found I was far behind my peers in  other states when it came to being academically prepared for that  environment. So I vowed that I would like to do something about that versus complain about it.

When I was in the Army, there was something called the Kentucky Education Reform Act, part of which focused on equity of access for all children to education technology. I was at that point in my army career where I had to decide if I would stay in and keep doing it, or be part of something where I could be part of the solution I always fussed about. It’s always been about much more than a job.

Route Fifty: Can you explain what student data privacy is and what it means?

Couch: School districts are given information about my child, and it’s important for me as a parent to know that anything else you may do with it, you’re making sure that it’s properly protected and that people who don’t need to see it, don’t see it. That goes to state government, but also to private companies—the data they’re collecting can’t be passed on without parents’ knowledge or permission.

The bigger companies are the ones involved in information systems, and obviously they take student data privacy seriously because they know if anything gets out, that security or privacy leak is bad for the future of the company. Other companies focus on special apps for classrooms, which teachers can use without first seeking permission from the district office. That’s tougher, but if they first bring in folks at the district office, they can at least make sure that certain provisions are in place, and also, at least, that the parents are informed as well as the company.

A lot of folks get caught up in, 'Let’s find the technical solution that helps protect data privacy.' And we have those, but we put more energy on the people side. You have to get those folks savvy to this and make them aware of it.

Route Fifty: You said during your recent House committee testimony that your system’s “biggest vulnerability, by far, is internal staff, not external criminals.” How do you go about training staff to be more aware of phishing attempts and other attempted attacks?

Couch: We created a “one-pager” to help folks understand the basics, which has been a good tool. We have an acceptable-use policy that districts are required to sign—we can’t require them to do it every year, but we encourage them to do it frequently. We also have something called, “It Could Happen To You, But Don’t Let It.”

We share, in that document, some of the things that have happened in Kentucky K-12 and higher ed for the purpose of letting folks know that we’re not just being theoretical—this stuff has happened. Sometimes it’s someone who’s been taken advantage of by a phishing attempt, or someone left a laptop in a car and it didn’t have encryption on it and it was taken because it had data on it, or someone emailed a spreadsheet with Social Security numbers on it and didn’t realize it, because they didn’t scroll far enough right in the cells to see the data. We have two to five of those types of incidents per year.

Part of the message is, ‘This happened to another district. Don’t let this happen to yours.’ We don’t necessarily say the district name—though you can usually easily find it, because it’s usually made the press—but we just make people aware that these are real things that happen in Kentucky. There’s got to be a part where there’s courage to say, ‘We’re not perfect but here’s what you can do to try to prevent it.’

I think that’s a good and helpful tool, because it lets folks understand that we’re not perfect. And even though we weren’t hacked into, it was just as destructive in terms of people’s information getting out there.

Route Fifty: How has Kentucky stayed on the front lines of student data privacy and technology?

Couch: The Kentucky Education Technology System was a big component of the Kentucky Education Reform Act. KERA was about equity, access and opportunity for all kids, a change to legislation that said no matter where you grow up in a state, you should have equal access to a great educational opportunity. And the technology component was a big part of that. That’s what makes our story interesting and unique. The other thing is our long-term planning. A lot of the folks that started when I started 25 years ago have been part of this ever since, so I’ve had great stability.

For me, it started the year we were putting all of this in place and were the first to do it. We were the first to get our district offices connected to high-speed internet, then the schools, then every classroom.

We knew we were going at an aggressive pace putting the technology in, but we wanted to make sure we were dealing with the people side at the same time—teaching about being good stewards and protectors of the things in there that do good things, but can be very destructive in others’ hands. That was something we saw bubbling up. Because we were on the forefront of all of this, we saw these things early and the importance of securing it.

Route Fifty: You stated in your House testimony that last year the Kentucky K-12 system experienced more than 4 billion attempted unauthorized network connections, or attacks. That seems like an insane number; like it must be a constant onslaught. Is that what it’s like?

Couch: It is. It’s a constant 24/7 thing where folks are trying to get in. They’re trying to get something, or cause something not to work, or cause embarrassment. I was talking to the staffers for the House of Representatives and thought it was important that I mention that, because I don’t think folks realize how big it is. And that’s not specific to Kentucky—we’re not more or less than anyone else, it’s a nationwide thing.

Route Fifty: How do you deal with and stay on top of that barrage?

Couch: We can see, somewhat, where they came from, though attackers are pretty smart about hiding their tracks.

A common example is a service attack, where it’s really coming from infected home computers across the U.S. that don’t have good virus protection. People don’t realize that their home computers can be used in an attack. It’s kind of like a quiet soldier that floods the system so a particular site can’t be used for anything. I always equate it to what would happen if you wanted to go to Kroger, but at that same time someone sent 10 million people to that same Kroger in a small town. What would you do? You’d go someplace else. That’s kind of what a website attack does—makes it so it’s not usable.

There’s technology that lets you know that people have tried to get in. You have to stay on top of it constantly, because the folks trying to do it are constantly improving and getting better at it. The attacks we’ve had in the past school year are bigger than in all my years, and they’re getting bigger and bigger.

Route Fifty: Were any of those attacks successful?

Couch: I’m hesitant to say how many were successful and how many were not, because I’m not trying to encourage hackers to come after Kentucky. I can tell you that on average in Kentucky there are two to five breaches every year, and that none have come from these outside attacks. They’re all human error inside our system—the laptop left in the car, a document sent to the wrong printer. This is what goes on, over and over again.

Route Fifty: You speak often about putting school districts, staff members and agencies on a “healthy data diet.” What does that mean?

Couch: It means we only collect the data that we know is necessary, so we’re only seeing the data we really need to see. This also improves data quality and minimizes our risk of attack.

When I first got in this position I eliminated 90 percent of the data we were collecting. The legislators who had mandated its collection were long gone and, in some cases, had died, but we were still collecting it. From the district’s point of view, they were being overwhelmed.

We also encourage other organizations to be frugal and thoughtful and strategic on which data they’re asking to be collected, because these districts are there trying to educate kids every day. They can’t have researchers supplying this data all the time, even if the intentions are good.

Route Fifty: What do you think is the biggest challenge facing student data privacy today?

Couch: Just trying to provide this protective barrier the best we can. For us, that means getting the importance of cybersecurity and privacy on the radar screen of the average teacher or staff member. They can really help us in what we’re trying to do. Even if you have all of these technological things in place, if you don’t have that addressed, it becomes your greatest weakness. We have to make sure that folks, as they’re using those tools to help students, they’re being mindful of the security and privacy that need to be considered.