Accountability Matters for Kids’ Personal Data
Data breaches have become commonplace in the news cycle in today’s digital age.
This summer alone, we have seen the AT&T data breach and CrowdStrike infrastructure outage cause catastrophic disruption to daily life. On the surface, the inconveniences caused by breaches hitting industries like telecoms and airlines that are crucial to the way we live, work, and travel are just that – inconveniences that elicit national conversations around cybersecurity and how to better fend off bad actors and protect data moving forward.
For most, these data breaches do not evoke much emotion other than confusion and annoyance. Nevertheless, what happens when our most vulnerable population is targeted?
Children are at highest risk and cannot defend themselves against cybersecurity attacks. Sadly, attacks on this population are increasing. Between 2016 and 2022, there were more than 1,600 publicly disclosed cyberattacks on schools and school systems.
What compounds these risks is often an insufficient response from businesses and institutions to cyber crises. Failure to properly secure child data and fully disclose the extent of a breach once it happens can lead to a serious breakdown of trust between healthcare providers, technology vendors, and the families they serve.
An unfortunate example came in March 2023, when the Minneapolis public school system fell victim to a cyberattack that led to the publication of thousands of stolen files online. This breach exposed highly sensitive information about students, including intimate details of student mental-health crises, child-abuse inquiries, and even campus rape cases. Despite the severity and impact of the incident, no individuals or entities have been prosecuted or held accountable. Legal actions or accountability measures taken against the perpetrators or any involved parties remain unreported.
This surge in data breaches within child-centric institutions underscores the urgent need to examine past incidents closely to ensure accountability, prevent future incidents, avoid costly mistakes, and better protect our children in the future. Step one is critical reforms to data protection and breach reporting requirements.
These reforms should include a thorough, independent audit of data security practices and those of subsidiaries and vendors; implementation of state-of-the-art data protection measures across all systems and those of partners; complete transparency regarding the full extent of a data breach, including notification to all affected parties, regardless of state boundaries; a comprehensive update of privacy policies to reflect current best practices and regulatory requirements; and regular, mandatory data security training for all employees and stringent vetting of vendors with access to sensitive data.
Further, companies that experience data breaches – especially those involving private medical information of minors – should be deemed ineligible for any state or federal contracts until those companies can demonstrate proper remediation of their privacy and security policies and practices.
Negligence in these matters raises serious doubts about companies’ commitment to safeguarding sensitive information and their ability to adapt to emerging cybersecurity challenges. The recurring nature of these breaches affecting children's data in healthcare and educational settings underscores a systemic failure in protecting our most vulnerable population.
It is a moral imperative that policymakers, industry leaders, and regulatory bodies work together to hold companies accountable and implement these critical reforms before more children’s lives are needlessly compromised.
Francisco Canseco is a former member of Congress who represented Texas’s 23rd congressional district.