Have you ever been awoken by a loud noise in the middle of the night? Your body shifts from resting to alert in an instant. What just happened? Am I safe? Is the house secure? Did I lock the doors? At some point, you either get out of bed to investigate or assure yourself it was nothing and go back to sleep.
We go through a similar shift from sleepy ignorance to total awareness each time a company reports a data breach that has put our personal information at risk. Except in these incidents, we have far less control over what happens next—and far less visibility into both the causes of the breach and the subsequent fixes and safeguards that the company implements to prevent such an event from happening again.
Data security is a major concern for education, even though, much like consumers, we may take it for granted unless there is a problem. But the stakes grow higher every year. As education continues to adopt new technologies to support teaching and learning, more personal data on students and their learning activities is stored online.
Ed tech companies have a clear and direct responsibility to protect that data, and educational institutions are obligated to thoroughly vet a vendor’s security policies and practices prior to adoption. Privacy policies and end-user license agreements are helpful but limited, as they merely represent how a company intends to use data. Industry-standard certifications like SOC 2 are better, as they provide some insight into how a company secures information through internal processes and safeguards. But how can you know if the software itself is vulnerable to external threats?