Remember when you signed your BYOD agreement?  Did you read it?  I’m going to go off on a limb and say the answer is no.  Well, if you bothered to read it, you agreed to the Student Data Transparency Act, or SDTA, a document that the State of Colorado passed into law. Fully implemented on August 10^th, 2016, the purpose of the legislation was to reveal and protect your school data.  Though the law has its bright spots, it only protects your data from being sold in most situations, most being the key word.  Programs such as Edmodo have also been put on hold  because of the SDTA.  All of this revolves around the key clause of student ‘Personally Identifiable Information’, which is basically any legal information the Colorado Department of Education has.

First, let’s start with Edmodo, a program many teachers enjoyed using rather than Google Classroom.  In District 20, as you may have noticed, use of the program is pending due to a disagreement between lawyers over the collection of roster data by Edmodo.  Edmodo acts as a sort of school social media platform along as a digital inbox, and it can collect phone numbers and emails.  Under the new law, such collection is illegal.  Even though this prevents the roster data to be stolen, it does nothing to improve cyber-security concerns, which is arguably more important because of widespread weakness in government computer systems.

Next up are the suspicious clauses in the wording of the bill. First, the direct exclusion of active contractors from the clauses protecting student data, opened loopholes for companies to transfer data, and culminated in the statement: “SELL STUDENT PERSONALLY IDENTIFIABLE INFORMATION; EXCEPT THAT THIS PROHIBITION DOES NOT APPLY TO THE PURCHASE, MERGER, OR OTHER TYPE OF ACQUISITION OF A SCHOOL SERVICE CONTRACT PROVIDER.”  Now, what you need to understand is that even though this is a somewhat restrictive clause, it does open a loophole in which parent companies can trade information by selling or merging divisions or doing the same with shell companies, which opens up the possibility of illicit transfer of student information.

Lastly, there is nothing addressing cyber-security in the SDTA.  Even though the law was a transfer of liability and included the protection of student data, there are no requirements for contractors or schools to verify or revamp any security infrastructure.  This leaves vulnerabilities in the school’s system to the point where, even students with the right tools can launch Denial of Service (DOS) attacks on WiFi networks to shut them down, infiltrate databases with SQL attacks, and perform mass mailer attacks, which have been used to hack institutions such as the DNC and Equifax.

Overall, the purpose to protect student data is fulfilled, yet there are glaring holes within the law that undermine its purpose of protecting student data.  This issue is becoming more and more important as digital data becomes increasingly vulnerable to attack, and it is increasingly clear that simply shuffling around legal liability isn’t enough to truly protect our student data infrastructure.  As of now, there is no talk of revisiting the SDTA as it stands today by the State of Colorado.