Is It Time for Your School District to Implement Multifactor Authentication?

By Education Law Group

March 22, 2022

Schools have increasingly become targets for cyberattacks. Data breaches and ransomware were two of the most frequent cyber incidents in 2021 according to K-12 SIX, a national nonprofit organization dedicated to K-12 cyber protection. Data breaches may result in loss of confidential student and employee records. This risk may be exacerbated by statutory and school policy requirements to maintain certain student records for years beyond the time when they are enrolled students. Ransomware incidents may result in lost or inaccessible data or systems. Without access to critical systems and information, daily school operations may be impossible. As schools increasingly rely on technology, now is the time for them to implement common sense protocols and widely-accepted cybersecurity best practices, including multifactor authentication (MFA).

MFA, also referred to as “Two-Factor Authentication,” “2FA,” or “Two Step Authentication,” is a multi-step process of confirming a user’s identity before the user is granted access to online services or remote networks. MFA generally requires something you know (like a pin or password) and either something you have (like a confirmation code) or something you are (like a fingerprint scan). If you have mobile banking services, chances are you have been prompted to provide MFA, such as when accessing your account from a new device.

Currently, there are no Federal or Pennsylvania laws that mandate K-12 school implementation of MFA. However, there has been renewed focus on cybersecurity by legislatures over the past year. On October 8, 2021, President Biden signed the K-12 Cybersecurity Act of 2021 (the “Act”). The Act creates a K-12 education cybersecurity initiative and requires the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate and report to Congress on cybersecurity protocols implemented by K-12 educational institutions. Thereafter, the Act requires the Director of CISA to provide recommendations to schools. While we do not know what CISA’s recommendations will be, CISA provides cybersecurity resources, best practices, and bad practices, which all encourage using MFA. CISA even reports that, according to a Microsoft study, users who enable MFA are 99% less likely to be hacked.

In the absence of legal or regulatory mandates, schools may still have no choice but to implement cybersecurity controls and MFA to obtain cybersecurity insurance. As reported by K-12 SIX:

[C]yber risk insurance providers, who have a direct financial incentive to reduce the cybersecurity risks that school districts are facing as a condition of coverage, and policymakers at the state and federal levels, who have an array of proverbial carrots and sticks at their disposal to uplift the cybersecurity risk management practices of the K-12 sector.

Also, historical barriers to implementation such as cost or difficulty have improved over time. Vendors that schools regularly use for other services may also offer authentication solutions. For instance, both Google and Microsoft offer MFA options.

Schools can further ease implementation challenges with proper planning and communication. Of critical importance will be buy-in from associations. Other considerations for ease of implementation may include tiered or risk-based rollout to certain groups, stakeholder collaboration, and review of personal device and related policies.

With more cybersecurity threats, increased legal and regulatory attention, and pressure from cybersecurity insurers, now is the time to implement common sense cybersecurity protocols, including MFA.

The Appel, Yost & Zee Education Group will continue to monitor developments in K-12 cybersecurity. Should you have any questions regarding the Act, cybersecurity, or data privacy laws, please do not hesitate to reach out to any of the attorneys in the Appel, Yost & Zee Education Group.

Levin, Douglas A. (2022). “The State of K-12 Cybersecurity: Year in Review – 2022 Annual Report.” K12 Security Information Exchange (K12 SIX). Available online at: https://www.k12six.org/the-report.