
Following two high-profile data breaches, New York City’s Education Department has moved to shore up its cybersecurity protocols, increasing its vetting of software vendors and tightening email access for schools and parent leaders.

Because of the new protocols, the school year has started without approvals for scores of programs, including popular ones like ClassDojo, technology teachers told Chalkbeat.

Meanwhile, roughly 1,000 of the city’s 1,600 or so schools have abandoned school-specific websites and email addresses, and moved their communications under a centrally managed Education Department domain — a move an Education Department spokesperson said was “critical in ensuring the security of students’ personally identifiable information.”

Department officials also notified parent leaders last week of a plan to shut down shared email accounts for parent groups to reduce the chances they could be breached.

Experts say it’s good that school systems — which have increasingly become targets of cyberattacks — are taking data security more seriously, even if it’s still unclear how effective some of the new steps will be.

But some parent leaders and educators are raising concerns about unintended consequences of the new restrictions. They argue that the changes could hamper access to critical digital tools.

“Parent leader accounts had nothing to do with the data breach and should not be the scapegoat for that issue,” Randi Garay, a member of the Chancellor’s Parent Advisory Committee and Brooklyn parent, said at a meeting last week about the plan to close shared email accounts used by some parent organizations. “It’s honestly a poor excuse to change these accounts to keep us separated and excluded from accessing information.”

The backlog of approvals for outside software vendors has some technology teachers worried about lost educational opportunities.

“Thousands of NYC kids won’t be allowed to use websites that help them,” said a technology teacher who spoke on the condition of anonymity. “This also means that instruction will be stifled, as everything is digital these days.”

Education Department officials say the safety of student data is paramount, and all the new restrictions are working towards that goal. Outside vendors were targeted in both of the city’s recent data breaches, making them a top priority for additional protections.

“Every vendor’s participation is critical to keeping our students and their families’ data safe and secure,” said department spokesperson Jenna Lyle.

School districts scramble to respond to cyberattacks

In recent years, a growing number of cyberattacks have targeted school districts. School districts store reams of student data, which can be especially valuable for hackers, and often don’t have the same level of cybersecurity as other sectors.

New York City’s public schools have been no exception. 

In early 2022, Illuminate Education, the company behind the widely used grading and attendance platform Skedula, suffered a hack that breached personal data for an estimated 820,000 current and former students. Experts said it was likely the largest single school system data breach to date.

Then, earlier this year, officials revealed that roughly 45,000 city students had data compromised during the hack of MOVEit, a file-sharing program.

After those attacks, school systems across the country are recognizing the need to vet all of their suppliers for privacy and security, said Doug Levin, the national director of the K12 Security Information eXchange, which tracks cyberattacks against school systems.

But figuring out how to do that can be tricky. 

New York City’s Education Department has asked vendors to sign data privacy agreements for years, but in the case of Illuminate, department officials alleged that the company misrepresented its data security practices, promising that it was encrypting all student data when it was not.

In general, Levin said, many school districts are “not well equipped to be making those judgments” about software vendors’ data security practices, especially without more help from the state and federal governments and other groups with more expertise and resources.

New York City’s vetting process for vendors has been in place for several years, but officials say they added new steps to the process last spring and began enforcing it more tightly. The process now includes signing a data privacy agreement, filling out questionnaires about their data security practices, and undergoing a review by the city’s Office of Technology and Innovation.

An Education Department spokesperson acknowledged the process can take months, and Levin said that particularly for smaller companies, the vetting process can be a “very heavy lift … and potentially a very expensive one.”

In the past, schools were largely bound by an honor system not to use vendors before they’d completed approval, according to one tech teacher. But now, the DOE’s website tells school staff they are not permitted to use vendors that have not completed the approval process, and the department has disabled the “Sign in with Google” function on unapproved platforms, making it harder for schools to access those programs.

According to tech teachers, there are scores of platforms still listed as in the process of receiving approval, including ClassDojo, a widely used classroom management and messaging program.

A spokesperson for ClassDojo said the company supports the DOE’s vetting process and has been working with the agency to complete it. “We don’t anticipate any challenges,” the spokesperson said.

Educators, parents question email changes

Another part of the city’s efforts to fortify its data security is tightening access on school and parent email accounts.

Historically, many city schools have operated independent websites outside of the schools.nyc.gov domain, and have used email addresses tied to those independent websites.

That practice continued during the pandemic, as the Education Department helped schools set up their own Google accounts that would give them access to features like Google Classroom and Google Drive for use in remote instruction.

Now, the city is pushing schools to abandon those local domains and move their emails and Google activity back under the Education Department’s central domain to ensure that data stored on those servers is well-protected.

That means transferring years’ worth of data — a process one principal said has been “laborious” and has required multiple meetings with the tech division.

The principal is also leery of bringing all of the school’s homemade curriculum materials under central Education Department control, and said some of the Google settings under the centralized domain, including the prohibition on students sending emails outside the department’s domain, didn’t make sense for their students.

“How do they email people for research and interviews?” the principal asked. 

The move to shut down shared parent leader email addresses has also upset some parent leaders.

At last week’s meeting of the Chancellor’s Parent Advisory Committee, the leaders argued that the shared email addresses are helpful for transferring information when parent leadership changes, and that it’s important to have generic addresses for the group not tied to specific parent names. Parents are already familiar with those addresses, they noted.

An official with the Education Department’s tech division said the new Education Department external accounts would function just like the old accounts, and would give parents access to all Google Suite features.

Michael Elsen-Rooney is a reporter for Chalkbeat New York, covering NYC public schools. Contact Michael at melsen-rooney@chalkbeat.org.