If we’ve learned anything about privacy this year, it’s this: 2014 is the year of the data breach. Each week, the list of companies warning users about compromised data grows, with even the University of Maryland joining Target, Yahoo, Kickstarter and Angry Birds in the League of the Hacked.
Over the past week, it’s been next-to-impossible to surf the web or social media without running into the news about Heartbleed, one of the biggest security vulnerabilities ever found in the critical infrastructure of the Internet. For schools, students and parents, it’s the latest headache (heartache?) over issues of data privacy and security. Last year, the New York Times reported how Edmodo, an online learning network with tens of millions of users, had foregone a common encryption protocol to safeguard user data. (The company says the issue has since been fixed.)
Given the recent influx of web-based tools in education, this hole affecting two-thirds of the Internet is especially frightening for educators and schools as they scramble to determine whether their data and that of the students, families and communities they serve is at risk.
Since its disclosure just a few days ago, technologists everywhere have been scrambling to patch their security protocols as quickly as possible. Here are a few tips for edtech entrepreneurs to help get the conversation started with your users:
1. Open the lines of communication with your users as soon as you can. Whether you’ve taken care of Heartbleed or not, share this information with your users as soon as you can. This information will be especially valuable to educators and administrators as many are anxious and uncertain of how to proceed in the wake of such a widespread problem affecting the majority of the web.
2. Think twice before linking to your login page in an email blast to your users. Including a button or link may make it easier for educators to get to your site, but it’s an easy way to groom your users for phishing attacks from malicious sources. Instead, encourage your educators to navigate to your site manually through a bookmark.
3. Encourage teachers to confirm that other tools they use have been patched before they login or change passwords on other sites. In most cases, this advice would seem counterintuitive, but encouraging teachers to change all of their passwords on sites that may still be vulnerable will leave them insecure.
4. Let educators know that there is no way of knowing whether their information was breached or not. Heartbleed has been quietly lurking around in OpenSSL code for over two years, and it is impossible to know whether your users’ information was breached or not. While the likelihood of a hacker exploiting this hole to steal homework assignments or grades is low, it is vital to let users know that a lack of evidence does not mean that their information was safe. In times of crisis (yes, this is a time of crisis!) honesty and openness are the best policy and absolute right thing to do for your users.
5. Provide value to your users in your messaging by sharing easy-to-implement security solutions in their classrooms. Powerful password management tools like 1Password, LastPass, and KeePass are offering discounts and tools to help web users identify vulnerable services and adopt better security practices in their web use.
6. If you’re an education technology company that was not affected by the OpenSSL vulnerability, let your users know this and use the opportunity to educate them on how you secure their data. There is never, ever a bad time to educate and empower your users on keeping their data (and that of their students) safe and sound.
While this flaw in OpenSSL is one of the most serious and widespread security vulnerabilities that the web as ever seen, it presents an excellent opportunity to be open, proactive, and transparent about how your company protects the grades, content, learning analytics and other precious student information in 21st century classrooms everywhere.