ST PAUL, Minn. — The battle to protect private information held by schools will require more coordination and more help from the legislature.
That was the overriding message from those who testified Monday at a meeting of the Legislative Commission on Cybersecurity, a joint House-Senate panel dedicated to fending off ransomware and other online attacks against government agencies.
Rep. Kristin Bahner, the Maple Grove Democrat who co-chairs the committee, said as other entities have tightened cyber defenses educational institutions have become more of a target for hackers and digital thieves.
“If those folks realize they might be a more vulnerable target, they are going to go after them. And I think you’re seeing that reflected in those cybersecurity insurance premiums going up,” Rep. Bahner told reporters.
“Schools just don’t have the dollars or the resources to be able to do that effectively on their own, so we want to share and collaborate a little more, and that’s something we’re working on very hard here in Minnesota.”
In 2023 alone, several high-profile data breaches put students, parents and employees on edge. School districts in Minneapolis, St. Paul and Rochester have all reported online incursions in to databases. The University of Minnesota and Minn. Dept. of Education have also disclosed cyberattacks and offered credit-monitoring help for those affected.
“Most districts lack the capacity to hire dedicated cybersecurity staff, which is exacerbated by the workforce shortages,” Anthony Padrnos, the executive director of technology for the Osseo Public Schools, told lawmakers.
He quoted a report from the K12 Security Information eXchange which found 1,619 cyber incidents in public schools across the United States from 2016 through 2022, including 32 in Minnesota. He stressed these are only the attacks that are publicly disclosed, which are only a fraction of actual attempts by hackers to breach school systems.
Padrnos said districts are sharing information with each other about common threats, but Minnesota doesn’t have a central agency dedicated solely to cyber defense in school settings.
“Given the interconnected nature of districts, a lack of statewide communication leaves IT leaders scrambling for information during events.”
Mario McHenry, who leads technology services for St. Paul Public Schools, said the district’s cost of cybersecurity insurance has shot up across the past few years.
“There’s been almost a 98 percent increase in our premiums. And we think it’s important to carry that insurance,” McHenry said. “This is where the legislature can help.”
University breach
Bernard Gulachek, who serves as vice president and chief information officer at the University of Minnesota, also recommended a larger role for the state to play in helping institutions secure their data.
“Securing information requires high levels of technology, and the people to do the work,” Gulachek told the panel.
“The university will continue to need state assistance to fund such improvements and we will prepare a request as part of the university’s normal legislative request process.”
Gulachek walked lawmakers through the 2021 data breach of the University’s Legacy Data Warehouse that was not discovered until 2023.
“These files did not contain Social Security numbers, but contained student admissions data as well as race and ethnicity data,” Gulachek explained.
He said a pending lawsuit prevented him from going more deeply into the details at this time, but that the U of M has done all it can to warn those affected by the break and help with credit monitoring.
“We understand this incident has caused concern among the university community, and well beyond. That concern is not something we have taken lightly.”
The Cybersecurity Commission includes several IT experts, including Rep. Steve Elkins, a Bloomington Democrat who serves on several state and national cyber committees. He took the University of Minnesota representatives to task, suggesting they kept too much data on file and for too long.
“Why would you carry P.I.I. like that, that's not necessary for managerial analysis in a data warehouse to begin with?” Elkins asked, referencing the acronym for personally identifiable information.
Gulachek said the U of M has changed its data collection and retention process over the years and the nature of cyber warfare has evolved. He pushed back against Elkins on the point about what information needs to be retained in a data warehouse.
“Data warehouses are managed differently depending upon the enterprise.”
Best practices
State Legislative Auditor Judy Randall told the commission that government agencies are required to report all data incidents to her office. She said the majority of those are accidents by employees who e-mail nonpublic data to other employees without realizing it can’t be shared.
Randall said her office and Minnesota IT, the state’s online technology agency, have both encouraged government agencies to be careful to limit the types of information they retain and be selective about which employees can gain access to that data.
“Certainly, entities have good reasons to keep Social Security numbers, for example. But can you narrow how many places you’re keeping that and then can you anonymize it some way?”
It's too early to know if the 2024 Legislature will come up with more money to help schools fend off cyberattacks, considering schools received a sizable increase in state aid last session. Either way, it's clear lawmakers are watching closely and expecting more vigilance from educational institutions.