Are student data privacy advocates fighting the last war?

As part of Keeping Pace research and other efforts, we are continuing to monitor issues and legislation related to student data privacy. In late 2014, with help from the Data Quality Campaign, we reported “Twenty states have enacted a total of 28 bills related to data privacy this year, after all states combined enacted just one in 2013.” We don’t yet have a tally for 2015, but it appears that this issue continues to be a hot topic. Most student data privacy advocates appear concerned about the way that schools, states, and providers will use student data. These agencies and organizations have legitimate needs to use student data, but the concern is that these entities may misuse the data in ways that parents and some educators deem irresponsible or illegitimate, such as marketing to students.

I wonder, however, if that concern should be the issue driving student data privacy discussions. Perhaps, at this point, the greater worry should be about whether student data is going to be obtained by hackers, and what those hackers will do with the information.

Last week I received a letter from a company informing me that their servers had been hacked and my personal information may have been compromised. Today I received another letter saying much the same, this time from a hospital. Last week’s letter wasn’t such a surprise, but this one—from a hospital—made me realize that hackers appear to be targeting just about every type of organization (including the federal government) in search of personal information.

Then later I saw this article in Slate: Ashley Madison Got Hacked. Now 37 Million Would-Be Cheaters Might Get Exposed. (If you’re not already familiar with Ashley Madison, be careful before you follow links.) Ashley Madison is a website for online dating—more or less—intended for married people. Its business is based on helping people cheat on their spouses.

Leaving aside whatever you might think of such a business, it seems that there are few businesses that are more dependent on protecting their users’ confidentiality. Yet according to the article, even people who had cancelled their membership and were told their accounts had been deleted have had their personal information accessed.

The spate of data breaches, including from entities for which data privacy would appear to be a top concern, appears to demonstrate that the hackers are a step or two ahead of most organizations. Either there is no way to stop creative hackers, or doing so involves prohibitive costs.

Which brings us back to student data privacy. Advocates have concerns about the use of data by schools, systems, states, and providers, and seek assurances that these organizations will safeguard student information and use it only in ways that are appropriate. But based on the news reports that seem to come out nearly every week, no new law appears capable of truly protecting student information from hackers.

I don’t know what I would suggest to privacy advocates. Their concerns are legitimate. But the problem isn’t just the schools, systems, states, and companies that they know. The bigger problem may be the hackers that they don’t know. And short of ending all cloud-based use of digital student data—which is not feasible—no solution seems evident.