NIST Privacy Framework: Our Essential Data Protection Guide

CASE STUDY

Private High School Tackles Data Privacy

About this Private High School

A Catholic college-preparatory school for young men in grades 7 to 12. The school enrolls more than 1,400 students from around the state.

Our employees process sensitive data every day, including files that contain student, employee, and donor information, such as passports, credit cards, and bank invoices. In our efforts to prioritize privacy, we require rules, regulations, and processes to identify, remediate, and ensure data is always secure and private. 

–CISO, Private High School 

Challenge 

Because of the massive amount of personal data they handle, including financial information, SSNs, and health records, educational institutions are prime targets of cybercriminals. There were 1,619 publicly disclosed cyberattacks on schools between 2016 and 2022, according to K12 Security Information Exchange, a nonprofit focused on helping schools prevent such assaults. While cybercriminals are hard at work searching for vulnerabilities, educational institutions are striving to maintain the trust of students and their families by ensuring their personal data is safe.

As a private, independent Catholic high school serving more than 1,400 students in grades 7 to 12, the school must follow state law, which defines personal data as a first name or initial with the last name in connection with a Social Security number, passport number, or driver’s license number. Additionally, the Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records, strictly defining personal information and establishing the process for managing and protecting this data.

The school needed a more effective, proactive process for protecting and securing the personal information of its students, faculty, staff, and donors. Failure to do so would result in stiff penalties, impact student privacy, and damage the school’s reputation.

Solution 

The school prioritized a proactive data privacy protection process with the most highly recommended data protection solution, Spirion. They now understand user habits and can course-correct the mishandling of sensitive data.

School executives were acutely aware of the need to protect the institution from costly fines and reputation damage should a breach occur. The IT department met with each department to understand what type of data they use and how they use it. In partnership with an attorney, the school began creating security policies, processes, and training tools, and solidifying its data retention schedule.

Analysis and policy creation exposed the need for a better overall understanding of the school’s data. The team chose Spirion based on price point and functionality. Soon after implementing the product, they had complete visibility and control of their sensitive personal data footprint.

Results 

The ability to locate personal information reduces the risk of misuse or theft for the school. The CISO’s team uses its new insights into personal data across the network to understand user behaviors, revise processes, and institute policies. They now rapidly act upon any personal data discovered.

“Moving to Spirion opened the risk and data protection conversation across the entire campus. Our initial need to identify, understand, and protect data has sparked further progress in policies around where personal data can reside, as well as purchasing Box to replace our file server, and the implementation of two-factor authentication,” shares the CISO. “Spirion has helped us identify our gaps, blind spots, and the behaviors of data owners. We not only reduce the risk of unauthorized data access, but we can modify user behavior, our processes, and policies to ensure we protect data before a breach occurs.”