Talawanda Board of Education discusses cybersecurity, Medicaid cuts during September meeting

The Talawanda Board of Education (BOE) met on Sept. 11 for their monthly meeting to discuss cybersecurity options and Medicaid cuts.

Safety presentation 

Marc Hopkins, the chief technology officer at the Southwest Ohio Computer Association (SWOCA), gave a presentation to the Talawanda BOE about cybersecurity laws at a state and federal level.

Hopkins previously gave a longer version of the same presentation to Talawanda school district (TSD) teachers on the first day of school this year.

“Cybersecurity is not a cookie cutter solution,” he said. “We are not ever going to be done when talking about cybersecurity.”

Cybersecurity is constantly changing, and protecting students and children is more important than ever, according to Hopkins.

Cybersecurity incidents can lead to breaches, which consist of private data and personal information being stolen online, according to Hopkins.

“We only have 1,700 incidents across education,” he said. “Thirty-five percent of those incidents led to confirmed (data) breaches, but in education, 86% of those incidents have led to breaches.”

Hopkins believes that either academic institutions are not reporting these incidents enough, or academic institutions are five times more likely to have a breach occur if an incident isn’t reported. 

Incidents can lead to breaches, which consist of private data and personal information being stolen online, according to Hopkins.

Hopkins believes that academic institutions are more susceptible to these incidents because of the large internet connections and high number of devices using that internet. 

Within these networks, student data is stored. 

A vulnerable kind of data belonging to students is called privately identifiable information (PII). This includes information such as names, email addresses and home addresses, which can be sold online from $5 to $15, according to Hopkins.

Academic institutions carry even more data on top of this, such as social security numbers and birth dates. This sort of data can be sold online for as high as $100 million, according to Hopkins.

“A typical student is six to eight years away from even checking their credit report,” Hopkins said. “That’s a much longer time between compromise and detection that that identity can be used for various purposes.”

Additionally, Hopkins spoke to the BOE about the legal requirements for cybersecurity at both the state and federal levels of government. 

Hopkins mentioned the Federal Education Rights and Privacy Act (FERPA), which acknowledges that a parent of a student over the age of 18 still has some control over their educational rights, according to Hopkins.

“They require parental consent for us to use its tools,” Hopkins said, “This is telling us that FERPA is an issue at play, especially with the age of the factor of 18 being considered.”

The other federal bill Hopkins explained to the board was the Children’s Online Privacy and Protection Act (COPPA), which recognizes children age 13 and under might not be able to understand the implications of sharing or oversharing their data.

“COPPA is the responsibility of the website owner to not collect data from individuals under the age of 13 without expressed written permission from the parents,” he said.

While the TSD is not required by law to comply with FERPA or COPPA, Hopkins urged the board to at least be aware of it and what it encompasses when discussing and making decisions on cybersecurity. 

Hopkins also shared two bills with the board that are active on the state level.

Hopkins spoke about Ohio Senate Bill 29 (S.B. 29), which recognizes the fact that third party technology providers utilize the data they collect for marketing purposes, according to Hopkins. 

“S.B. 29 is basically FERPA with additional guidelines and additional teeth,” he added.

The bill highlights the importance of the school’s duty to protect and maintain student records and information.

S.B. 29 took effect on Oct. 24, 2024.

Another bill, Ohio House Bill 96 (H.B. 96) applies to any scenario that involves a district being compromised by ransomware and having no other option than to pay the ransome in order to prevent the sharing of students’ private and personal information online.

H.B. 96 takes effect on Sept. 30, 2025 and will give the board the power to approve of any ransom decision.

Additionally, H.B. 96 requires academic institutions to report any cyber incidents to the Ohio Cyber Incident Center (OCIC) within seven days of the incident. The state auditor must also be notified about the cyber incident within 30 days.

These incidents include the loss of data confidentiality, integrity or availability and operational disruption or unauthorized access due to a third party or supply chain compromise.

Hopkins explained the importance of verifying the third party systems schools use to manage and track information. 

“We have to be very, very cautious as to who has access to our student’s data,” he said. “(We) have to ensure that the agreement (between) the district and the third party allows us to meet these requirements of H.B. 96.”

Hopkins noted that the TSD has until July 1, 2026 to “adopt a moral cybersecurity program and framework.”

While Hopkins believes that the TSD is well on their way to following this requirement, he urged the board to focus on the organizational aspects of the program, such as updating its incident response plan, assessing current systems to organize where data is in the current system and formally adopting the new framework. 

Medicaid cuts

Matt Wyatt, board member, dedicated his legislative liaison report during the meeting to speak about the proposed Medicaid cuts and their effect on the school district. 

“It has a tremendous effect,” Wyatt said. “When these children struggle, our school struggles. When our school struggles, our community struggles and they pay a price.”

Wyatt shared statistics of Medicaid members throughout Butler county, claiming that roughly 91,809 Medicaid users are facing cuts in the county alone. A little more that 50,000 of these people are children, according to Wyatt.

“Thousands of children won’t receive preventive care,” he said. “Thousands of children who will arrive at school sicker, stay home more often and fall further behind academically.”

Wyatt expressed concern toward the strained staff in the TSD, believing that the district is not equipped to handle the fallout of the cuts.

“Our school nurses are overwhelmed, our guidance counselors are stretched thin and our teachers are becoming de facto healthcare workers” he said.

Wyatt believes that if the proposed Medicaid cuts are approved, the responsibility of care will fall on the district’s schools as well as taxpayers, who will see higher property taxes and reduced services, according to Wyatt.

“This is not just poor policy,” he said, “it’s financial recklessness.”

Wyatt proposed combating these cuts by hiring more nurses, maintaining the music and arts programs, expanding meal programs and increasing counselor staff.

Wyatt urged the BOE to consider options and learn more about combating the proposed cuts. 

The BOE will meet again on Oct. 9 at 7 p.m.