As criticism is mounting about too much ed tech in schools, the recent Canvas data breach further threatens the trust families have in classroom technology, a leading education cybersecurity expert said.
When major cybersecurity incidents like the Canvas breach occur, they threaten the trust families have in schools to take care of their children and their data — not to mention the trust that schools give to vendors to help with their daily operations, said Michael Klein, senior director for preparedness and response at the Institute for Security and Technology.
“One of my big concerns with this particular incident is that it seems to have endangered that trust in a way beyond what we had seen before,” said Klein, who previously worked in the U.S. Department of Education as the senior advisor for cybersecurity.
Since ed tech provider and Canvas developer Instructure announced it had been the victim of a pair of data breaches earlier in May, multiple class action lawsuits have been filed against the ed tech company in federal district courts over the incident. On May 11, just days after the second incident, Instructure revealed it had “reached an agreement” with an unauthorized threat actor.
Moving forward, Klein said, strategic communication will be key to reestablish trust among vendors, schools and communities. But that communication is a two-way street, he added.
“We need to hear families when they express skepticism about educational technology, because this is happening in an environment where you have increased pushback against the use of technology in schools with children,” Klein said. “One reason this particular incident could be a turning point is because a learning management system is the one system that students interact with that is required for school to function in a lot of places.”
A second cybersecurity incident, on May 7, caused major disruptions to schools and colleges nationwide after the cyber gang ShinyHunters posted a message that was seen by some users on their Canvas platforms. The group claimed responsibility for both Canvas breaches but has not been named in the company’s communications about the incident.
As part of its agreement with an unnamed threat actor, Instructure said the hackers returned the stolen data and provided “shred logs” confirming they destroyed copies of it.
The company said the hackers were able to gain unauthorized access to Canvas systems during the April 29 and May 7 breaches through its Free for Teachers platform. The exposed data included usernames, email addresses, course names, enrollment information and messages, Instructure said, adding that “core learning data (course content, submissions, credentials) was not compromised.”
Screen time in classrooms
Screen time in classrooms has been a particular point of concern as ed tech pushback gains momentum.
At the federal level, the U.S. Department of Health and Human Services issued a surgeon general’s advisory on May 20 that flagged harmful screen use by children and teens as a “public health concern.” The advisory highlighted that harmful screen use by youth can cause negative impacts on their cognitive and emotional development, physical and metabolic health, educational outcomes and mental health.
Meanwhile, at least nine laws have passed across eight states to limit screen time and ed tech in schools, said Amelia Vance, founder and president of the Public Interest Privacy Center.
The surgeon general’s advisory was accompanied by a 29-page toolkit that calls for schools to “limit screen use by assigning work in books or on paper whenever possible.”
Lawsuits likely to face uphill battle
In one of the class action lawsuits against Instructure, filed May 5 in the U.S. District Court in the District of Utah, plaintiff Jabon Peterman said his sensitive personal information was impacted in the Canvas data breach.
The lawsuit alleges that Instructure was negligent in handling and safeguarding users’ data and had breached an implied contract with users to protect their information. Additionally, because of Instructure’s breach of confidence, the lawsuit said that Canvas users have suffered or will suffer injury from identity theft, loss of how their private information is used and out-of-pocket expenses related to prevention, detection and recovery from identity theft, fraud or the unauthorized use of their data.
Additionally, users impacted by the Canvas incident and this breach of confidence have or will face “other forms of injury and/or harm, including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses.”
The challenge with these kinds of class action lawsuits is that the current legal system doesn’t provide strong protections for people whose data privacy has been violated, Vance said.
That’s why it’s critical that contracts with vendors allow for legal actions “that actually have some bite,” she said. Such contract measures can include mandating the company to provide some level of funding or requiring notifications in the event of a breach.
“Because, absent that contract, most of the lawsuits aren’t going to succeed,” Vance said.
In a letter posted on Instructure’s website Tuesday, CEO Steve Daly said the “threats facing academic institutions and education technology providers aren’t going away.” He added that no single platform can build a resilient ecosystem on its own, but that it can be possible as a community.
As part of that, Daly said Instructure is forming an advisory board “focused on security and resilience” in addition to holding conversations with government leaders, technology partners, and institutions to build a stronger system together.
