Recent data breaches offer important lessons for schools

Authors: Kristél Kriel, Nathan Schissel, Katie Newman

A data breach in British Columbia is one of several recent incidents to impact schools across Canada, serving as a reminder that educational institutions must remain vigilant amid mounting cyber threats.

On January 18, B.C.’s Maple Ridge – Pitt Meadows School District announced a data breach affecting more than 19,000 staff and students. The compromised data included first and last names, email addresses and student grades, according to a bulletin. While the school district considered the sensitivity of this information to be low, it warned staff and students to be on the lookout for phishing emails.

One of several breaches affecting schools

The B.C. breach was the latest in a spate of data breaches affecting school boards – some of which compromised highly sensitive information and resulted in classes being cancelled.

Last December, the Huron-Superior Catholic District School Board cancelled classes following a ransomware attack that shut down the school board’s communication network and compromised employees’ social insurance numbers, dates of birth and compensation and banking information.

The Durham District School Board experienced a “cyber incident” in November 2022 that disrupted computer systems and online courses and left teachers scrambling to take attendance manually.

In July 2022, a cyberattack against the Waterloo Region District School Board compromised the data of staff and students and caused delays in administering payroll.

The B.C. school district said it had found no evidence of suspicious activity on its network and suggested a compromised staff or student email account may have caused the breach. In a note to parents and staff, the school district said it would inform the Office of the Information and Privacy Commissioner for B.C. of the breach and “take all the necessary steps” to avoid similar breaches in the future.

Onus on schools to protect data is “extremely high”

The Office of the Saskatchewan Information and Privacy Commissioner has noted that the “onus on school divisions to protect student data is extremely high.”

In addition to students’ contact information, schools may also be in possession of highly sensitive data such as students’ medical records, personal information about family members (including criminal records), details about custody issues and interactions with social services and the justice system.

Saskatchewan’s Privacy Commissioner urged school divisions to maintain up-to-date privacy practices and procedures, address privacy and data issues in their contracts with third parties, and have adequate training in place for staff to understand and manage privacy risks.

Stateside, the Cybersecurity & Infrastructure Security Agency recently published recommendations designed to protect schools from cyber threats, acknowledging that school divisions typically have limited resources and encouraging collaboration to bolster cybersecurity.

The B.C. breach highlights the importance of educational institutions and other public sector organizations having sound privacy policies and breach response plans in place. As we’ve discussed in other blogs, most breaches present a real risk of significant harm, and when they do, they must be reported to the relevant privacy commissioner and the affected individuals.

The lawyers in the MLT Aikins Privacy, Data Protection & Cybersecurity group have wide-ranging experience advising organizations in the public sector on developing privacy policies, training staff on privacy procedures and responding to breaches. Download our cybersecurity checklist to asses your current cyber strategy or contact us to learn more.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.