Responsible device retirement should be taken seriously across all industries, including education. Schools and universities are using more technology than ever, allowing sensitive information to flow through schools and their devices. These devices might help to elevate our students’ learning experience, but they can pose huge cybersecurity risks if they are not properly disposed of and wiped. Right now, in K-12 schools, over 38 million Chromebooks have been distributed, with most of them implemented between 2020 and 2022. Although this technology is becoming more common in school systems, many schools don’t have a secure, proper way to dispose of these devices when the time comes. It’s critical for schools and universities to understand the importance of responsible retirement and ITAD practices.
Why Education Is One of the High-Risk Sectors
A Nord Security study says that education in the United States is the fifth most targeted industry or sector for data breaches. Over the last two decades, there have been more than 3,000 data breaches in school systems, affecting more than 37 million records. Although cyberattacks may be one form of security breach that the education sector experiences, they’re not the main cause of breaches. Improper disposal, devices without data sanitization, and untrustworthy vendors can all cause data breaches in the education industry. With that said, not only are data breaches extremely dangerous, but they can also be costly, with an average cost of over $3 million.
All About FERPA Compliance
FERPA is a compliance law that applies to student records, but its implications for device retirement are often overlooked. FERPA, or the Family Educational Rights and Privacy Act, applies to every single school that receives federal funding, which is almost all of them, and it covers any record that is associated with the student. It also covers a variety of personal information, including Social Security numbers, educational records, transcripts, grades, student IDs, special education documents, and much more. When it comes to IT teams within schools, there are a few things we consistently see go wrong when working under FERPA.
Factory Resets Only
Some IT teams think that factory resetting devices will help to delete all of the data and information on them, but this isn’t the case. Factory resetting a device doesn’t erase all of the data in cached files, browser history, and saved credentials. Professional data wiping is the only way to properly and securely eliminate all that information.
Batch Certificates
Audit requirements for FERPA state that there must be sanitization certificates for every single device, not for groups of devices. FERPA compliance requires each certificate to list the manufacturer, model, serial number, and destruction method of the device it covers.
Chain of Custody
Chain of custody is a critical part of the ITAD process as a whole. Yet 73% of educational institutions fail to maintain a proper chain of custody, leading to unkept records and missing information.
NIST 800-88: Data Sanitization Standards
FERPA is a well-known compliance law, but NIST 800-88 is one that many might not fully understand. This standard focuses only on how the data is destroyed, which FERPA doesn’t cover. The National Institute of Standards and Technology established it to ensure a consistent approach to how unused devices are professionally wiped. It defines three main categories of sanitization:
Clear: This is where the data is overwritten, and it’s appropriate for low-sensitivity information and usually used for repurposing devices.
Purge: This uses advanced techniques such as cryptographic erasure, which help prevent lab recovery attempts. This is the standard for most student data.
Destroy: This option will result in the physical destruction of the device, which may involve shredding, disintegration, or degaussing. This method is essential for devices that can’t be professionally wiped.
According to the compliance standard, student information and data must be purged or destroyed to ensure that all of the sensitive information is no longer accessible.
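The per-device certificate rule and the purge-or-destroy rule described above can be checked automatically before a batch of devices leaves the building. The following is an added example, not part of the original article: the record layout (`cert_id`, `student_data`, and the other field names) is an assumption, and the inventory and certificate entries are constructed sample data.

```python
# Added example: reconcile a retirement inventory against sanitization certificates.
REQUIRED = ("manufacturer", "model", "serial", "method")
STUDENT_DATA_METHODS = {"purge", "destroy"}  # Clear is not enough per the text above

def audit(inventory, certificates):
    """Return {serial: [findings]} for devices whose paperwork fails a check."""
    findings, by_serial = {}, {}
    for cert in certificates:
        serial = cert.get("serial")
        if isinstance(serial, (list, tuple)):  # one certificate, many devices
            for sn in serial:
                findings.setdefault(sn, []).append(f"batch certificate {cert['cert_id']}")
        else:
            by_serial.setdefault(serial, []).append(cert)
    known = {d["serial"] for d in inventory}
    for device in inventory:
        sn = device["serial"]
        issues = findings.setdefault(sn, [])
        certs = by_serial.get(sn, [])
        if not certs and not issues:
            issues.append("no certificate")
        for cert in certs:
            missing = [f for f in REQUIRED if not cert.get(f)]
            if missing:
                issues.append("missing fields: " + ", ".join(missing))
            method = str(cert.get("method") or "").lower()
            if device["student_data"] and method and method not in STUDENT_DATA_METHODS:
                issues.append(f"method '{method}' not accepted for student data")
    # Certificates that name a device the school never recorded also need follow-up.
    for sn in (set(by_serial) | set(findings)) - known:
        findings.setdefault(sn, []).append("certificate for device not in inventory")
    return {sn: issues for sn, issues in findings.items() if issues}

# Constructed sample data (hypothetical serials, vendor and model names).
INVENTORY = [{"serial": f"CB-000{i}", "student_data": True} for i in range(1, 6)]
BASE = {"manufacturer": "ExampleCo", "model": "EC-11"}
CERTS = [
    {**BASE, "cert_id": "C-1", "serial": "CB-0001", "method": "Purge"},
    {**BASE, "cert_id": "C-2", "serial": "CB-0002", "method": "Clear"},
    {**BASE, "cert_id": "C-3", "serial": "CB-0003", "method": "Destroy", "model": ""},
    {**BASE, "cert_id": "C-4", "serial": ["CB-0004", "CB-0009"], "method": "Purge"},
]

if __name__ == "__main__":
    for serial, issues in sorted(audit(INVENTORY, CERTS).items()):
        print(serial, "->", "; ".join(issues))
```
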
Why You Need a Plan ASAP for Device Retirement
As a university or school system, it’s crucial to implement a system for proper ITAD of devices sooner rather than later. As we stated previously, Chromebooks in schools were implemented over a couple of short years, which means these devices will need to be properly erased and disposed of at the same time. This can lead to a variety of issues, such as missing data, disorganized systems, and an overwhelming number of devices to disposition within a short timeframe. With inventory, different destruction methods, chain of custody, documentation, and overall compliance, the process can be stressful without a clear plan in place.
Implementing Proper ITAD in Education
Implementing a proper ITAD process in the education sector is essential for protecting student information and staying compliant. There’s a huge gap in ITAD security for school systems, which leaves them much more vulnerable. If you are a university or a school system, developing a foolproof plan for the destruction and processing of unused devices is crucial to staying on top of compliance and protecting your students. Putting a plan in place now is recommended so you are prepared for the increased number of devices that may need to be disposed of at one time. Partnering with a trusted ITAD vendor and creating a step-by-step plan can make all the difference.