Many people outside of the educational sector may not have heard of the Family Educational Rights and Privacy Act. Essentially, the measure regulates access to all educational information and records. The federal act, first signed into law in 1974, has had to adapt to the changing technology of recent decades. FERPA sets forth strict rules on data destruction, and educational institutions need to have the proper equipment and knowledge in place to guarantee complete data sanitization.
FERPA in the age of data retention
When FERPA was first enacted, data storage existed primarily in the physical realm. Schools and universities storing student record data had a finite amount of room in file cabinets and – in the larger institutions – confidential archives. When these cabinets filled, the old files were either shipped off-site, thrown away or, more likely, burned.
The internet has altered this reality. While physical records still exist, they are dwarfed by the number of digital files containing student information. These files do not occupy physical space and can accumulate without end. That said, educational institutions hoarding these files will find themselves in violation of FERPA. According to a document from the Privacy Technical Assistance Center, FERPA mandates that a destruction date must be set for nearly all confidential data involving a student (excluding grades and other academic information).
This destruction date is controlled by two factors. Typically, the delete date is set once the information is no longer viable – i.e. when the student graduates or moves on to another school. Data can be retained, however, at the student or legal guardian's request. If a student enrolls in college but knows they will be doing an extended program of study, abroad or with an internship, they can give permission for the university to hold onto their records until they return. Regardless, the information can never remain in an educational facility's possession indefinitely. The data must eventually be purged, and there is good reason for this.
School data at serious risk
Health care is a prime target for cybersecurity attacks. Unlike retail companies, which only have access to certain information like credit cards, health care establishments contain much more sensitive personal data. Social Security numbers, addresses, full names with family contact information: all of this is contained in hospitals – and in schools.
In October 2017, the U.S. Department of Education released a statement on the rise of cybercrime in the education sector. While schools may not be getting the same attention as hospitals in the news, criminals are clearly aware of the enormous amount of confidential information that they possess. In the same report, the U.S. Department of Education outlined actions that schools could take to combat cyber attacks. These included conducting security audits, updating staff training and reviewing sensitive data to ensure no peculiar access had been permitted.
While safeguarding software is important, the education sector should not overlook the need for proper hardware security. FERPA stipulates that preserving the security of all confidential data is the responsibility of the educational institution. This means that, once a device is decommissioned or sold, it must be properly disposed of.
The dangers of third-party data storage
FERPA allows for schools to share their information with third parties in a limited capacity. This measure is what gives a university the power to forward identification records directly to a hospital, should the student be in an accident and unable to immediately consent. That said, FERPA also outlines that any and all data sent to third parties must be destroyed once it is no longer relevant.
While communication with health care providers is unavoidable, schools and universities should not be quick to reach out to other third-party support. The risk of an information leak increases every time that data is copied. Even if the third party offers comprehensive software cleaning and data overwriting, this may not be enough.
Should schools need to export their data, they must ensure that the third party has an effective method of data destruction. Data that is deleted is not truly erased, only lost within the data storage. This means that while the computer is no longer able to find the data, it still exists on the drive. Data rewriting can also be a flawed method for a variety of reasons, such as SSD data storage protections and bad sectors on the physical media.
How to properly destroy data
In order for data to be properly destroyed and FERPA guidelines met, educational institutions should follow three steps.
1. The first process is deletion and overwriting. Confidential data should be cleared off of hard drives and replaced with benign information. This will make it difficult to recover any data from the hard drives, should they be stolen or misplaced. Deleting and overwriting data, while an effective start, is not enough to maintain complete information security.
2. After the data has been deleted and written over, hard drives should be degaussed. This is true only for traditional hard drives. Traditional hard drives operate on magnetic media, meaning that everything is held in working order by a magnetic field. Degaussing machines use powerful magnets to alter that field, making it unreadable to all further access attempts.
Degaussing is the ultimate tool for disabling traditional hard drives. Educational institutions with old technology should make it a priority to own at least one degausser. NSA-Listed devices like the Proton Data T-4 Hard Drive Degausser offer the most secure method of degaussing.
3. Solid state drives are designed differently than traditional hard drives and require their own solution. For SSDs, shredding (after wiping and rewriting) is the most secure policy. Hard drive and SSD shredders do exactly what the name suggests. Turning the drive into little pieces makes it very difficult to reassemble and even harder to restore to working order. Shredding is also a final step that can be applied to traditional hard drives after degaussing.
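Step 1 is the only one of the three steps done in software, so it is the only one that can be checked by reading the media back. The sketch below is an added example, not part of the original article: it overwrites a file-backed drive image (a temporary file holding a constructed record stands in for a drive), verifies that only fill bytes remain, and shows the verification catching a region the overwrite missed. All function names are hypothetical.

```python
import os
import tempfile

CHUNK = 1 << 20  # work in 1 MiB pieces so large images do not fill memory

def overwrite(path, fill=0x00):
    """Overwrite every byte of an existing image in place; return bytes written."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        block = bytes([fill]) * CHUNK
        for start in range(0, size, CHUNK):
            f.write(block[: min(CHUNK, size - start)])
        f.flush()
        os.fsync(f.fileno())  # push the writes past the OS cache
    return size

def first_residue(path, fill=0x00):
    """Read the image back; return the offset of the first byte that is not
    the fill value, or None when the whole image verifies clean."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            stripped = chunk.lstrip(bytes([fill]))
            if stripped:
                return offset + len(chunk) - len(stripped)
            offset += len(chunk)
    return None

def demo():
    # Constructed sample data standing in for a confidential record.
    record = b"STUDENT-RECORD;name=Jane Example;id=000-00-0000\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * 4096 + record + b"\x00" * 4096)
        path = tmp.name
    try:
        before = first_residue(path)   # record is found at offset 4096
        written = overwrite(path)
        after = first_residue(path)    # None: only fill bytes remain
        # Simulate a region the overwrite could not reach.
        with open(path, "r+b") as f:
            f.seek(5000)
            f.write(b"leftover")
        missed = first_residue(path)   # 5000: the read-back catches it
        return before, written, after, missed
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

A clean read-back only covers what the drive exposes at its logical addresses, which is why the article follows this step with degaussing or shredding.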
Degaussing and shredding on a budget
Not all educational institutions have the budget for the equipment they need. Many establishments – especially those operating in the public sector – do not have the money to continuously update hardware and may balk at the prospect of buying new equipment specifically for data destruction. FERPA's policy, however, is quite clear and the damage caused by a data leak would quickly outweigh the equipment costs.
To cut down on costs, however, it would be possible for school districts to "share" data destruction devices. Essentially, one facility would house the product and schools could send their data in to be destroyed. This should only be handled in person (preferably by the school's IT head) and never done by mail.
While not every school may be able to afford its own hard drive degausser and shredder, FERPA's guidelines are explicit. Schools are responsible for complete data destruction. Simply put, this is a cost that must be addressed.