Parents: NYSED Must be Stopped from “Commodifying” PII off the backs of students! This is a Must Read!

RYRYRYR

 

FB has been buzzing this week with news that student education records containing personally identifiable information has been leaked from Sachem School District in Long Island.

A fellow blogger, No Data NY, posted this disturbing message on her website:

What we fear is here. It’s likely not an InBloom leak – probably a local hacker who seems quite ticked off at Sachem School District. According to the first page of the hacker’s site, he/she claims that the data was exposed 2 years ago by someone else and is doing this now because the district did nothing about it and would not admit it. He/she says the data will continue to be leaked (it still is now) until the district makes an admission to their errors.

I saw the data myself – how? Well, News12 Long Island stated the forum name where the data was posted. The hacker was posting frequently – quicker than the moderator or administrator of the forum could take it down.

I saw medical records (immunization, allergy, etc) and a letter from a doctor stating the child was prescribed Ritalin and his dosage. I saw a list of student ID’s with their names and whether they were receiving free lunch or not. I saw report cards. District registration documents (including name, address, date of birth, parent info.)

I saw disciplinary records – a letter to a parent (name and address included) stating their child had been suspended for smoking marijuana on the bus. BOTH the parent’s and child’s name and address were on the letter.

I called the police.

THIS is what we fear. I should not have seen those records – my stomach turned as I saw the documents. I was in a state of shock.

Could it be true? It can’t be!

Yes, it is.

Indeed, a statement on Sachem School District FB page and website confirms this news:

It has come to our attention that internal information from the Sachem Central School District has been shared on a local message board. We have run tests to show that there has been no network intrusion to the district’s systems. Suffolk County Police is involved in the matter. The school district is actively looking into and dealing with the issue. If you have any information about the situation that could help police with their investigation, please email Abuse@Sachem.edu.

UPDATE ON DATA INFORMATION:

In review of information the Sachem Central School District has been able to obtain, the only information that has been posted regarding active students is in the free and reduced lunch status list from several years ago, and the home teaching report from two years ago, which was posted last evening.

Any other information that had been posted is still being confirmed, but review indicates it to be restricted to two specific years of graduates from Sachem High School East in the 2008 and 2012 class. The person posting the information is making it clear that they are not posting documents with social security numbers, which does appear to be accurate from the investigation thus far, although further review is ongoing.

The district is continuing to work with the local authorities as well as with the FBI. As additional information becomes available, the district will make additional statements. If you have any information about the situation that could help police with their investigation, please email Abuse@Sachem.edu.

In the interest of full disclosure, whether this incident is related to data mining for or uploaded to NYSED/inbloom has not yet been established so there is no evidence to suggest that the leak resulted from InBloom or is related to any of NYSEDs data dashboard services.

But, the flurry of accusations and concerns about student privacy continue with good reason, after all.

The trajectory  NYSED is moving in, with support from the Board of Regents,  is most disturbing. It seems like everything  in education is being run like a business.

Testing is monopolized by Pearson, cha ching!

Data mining by InBloom, cha ching!

Common Core, cha ching!

Even RTT comes with a hefty price tag.

In education, profits are the goal and if your school doesn’t comply with NYSEDs vision that student information is a commodity  and is to be profited from, then NYSED dismisses your concerns opting to scoff and balk – your school simply isn’t being properly managed and you must be paranoid NYSED contends.

Apparently, NYSED and the Board of Regents felt that public education should move in a more profitable direction and is forcing districts to do so; practically, this mean cutting State aid, limiting funds available to schools, tying dubious strings to RTT awards and increasing incestuous relationships with big business is better than simply funding schools and providing aid to schools outright.

But parents are having none of it. Thankfully!

The plot still unfolds and public backlash has forced elected officials and school administrators to  reconsider  NYSEDs position on data mining and InBloom. Parents have taken notice and are fighting back. Nevertheless, this is just another distress flare from the world of education and serves as the perfect segue to discuss the harsh reality stemming from NYSEDs flawed decision making. By treating education itself as a commercial transaction the State puts children at grave risk. 

While the Sachem story continues to develop, it’s become clear that leaking of sensitive student information as a result of NYSEDs plan to develop a longitudinal data system with InBloom and 3rd party vendors is not only likely, it is more likely than not going to happen despite efforts to prevent it.

Commissioner King claims he has confidence that security safeguards will protect the unintended dissemination of student education records. He seemed optimistic that (best case scenario) privacy safeguards will be in place and information will be encrypted. He has summarily dismissed concerns over student privacy. For the most part, save for Regents Phillips, Cashin, Rosa and Tilles, the balance of the Board share Commissioner Kings optimism.

But, is NYSEDs bright and shiny optimism misplaced?

Yes.

Lets be honest, there is no way to guarantee that information provided by the district to 3rd party entities will not be misappropriated, breached, leaked or otherwise hacked. As discussed in numerous references below, truth be told, NYSED cannot guarantee that sensitive education records will be protected or that child identity will be preserved without compromise particularly given the scope and breadth of FERPA has been weakened not to mention the companies who disclaim liability for misuse of such information such as NYSED and InBloom.

NYSED states, in conclusory form,  that privacy will be protected and

“all existing data security and privacy protections remain in full effect; inBloom seeks only to make the process easier and more cost-effective for districts that wish to provide these tools to educators, students, and their families.”

What has not been addressed, is the fact that breaches are more common and disclosure of sensitive information resulting from threat actions are more than likely to occur rather than not.

A massive cyberattack in 2011  victimized Google, Facebook, Microsoft and many other big-named companies.

The names mentioned  include about a fifth of the Fortune 100, as well as many other massive corporations.
Abbot Laboratories (ABT, Fortune 500), Charles Schwab (SCHW, Fortune 500), Freddie Mac, PriceWaterhouseCoopers and Wells Fargo (WFC, Fortune 500) are all named.
Tech giants like Amazon (AMZN, Fortune 500), IBM (IBM, Fortune 500), Intel (INTC, Fortune 500), Yahoo (YHOO, Fortune 500), Cisco (CSCO, Fortune 500), Google (GOOG, Fortune 500), Facebook, and Microsoft (MSFT, Fortune 500) are also included, as well as government agencies like the European Space Agency, the IRS, and the General Services Administration. Government security contractor Northrop Grumman (NOC, Fortune 500) was on the list, as was MIT.

Ummm, this isn’t rocket science. If Goggle can get hit-then so can Sachem….and so can InBloom and NYSED. It stands to reason that no one is safe from harm.

According to the FBI,

Unlike traditional crime families, hackers may never meet, hackers possess specialized skills in high demand.

They exploit routine vulnerabilities. They move in quickly, make their money, and disappear. No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business.

We are also worried about trusted insiders who may be lured into selling secrets for monetary gain. Perimeter defense may not matter if the enemy is inside the gates.

The end result of these developments is that we are losing data. We are losing money. We are losing ideas and we are losing innovation. And as citizens, we are increasingly vulnerable to losing our information. Together we must find a way to stop the bleeding.

Indeed, FBI is concerned about threat actions that compromise the integrity of online information. Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one, but most will comprise multiple actions (and often across multiple categories). According to VERIS, there are  7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. http://www.veriscommunity.net/doku.php?id=actions

What happened in Sachem has not yet been established so the “threat” that formed the basis of the leak is not yet known. But, officials are saying that there was no outside breach and that network systems had not been compromised. Perhaps this was an inside job? This is of no comfort to parents, though.

NYSED will have you believe that student information will be safe and sound. But this is far from the truth.

In the Children’s Educational Records and Privacy Study of Elementary and Secondary School State Reporting Systems, by Fordham University (study done 2009 in a pre InBloom era), authors showed that serious deficits existed in reporting and privacy data bases by schools where information has been disclosed without parental consent in violation of FERPA and where privacy practices are generally weak in schools.

CLIP found that sensitive, personalized information related to matters such as teen pregnancies, mental health, and juvenile crime is stored in a manner that violates federal privacy mandates. CLIP reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Also, almost all states with known programs collect family wealth indicators. Some states outsource the data processing without any restrictions on use or confidentiality for K- 12 children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. http://law.fordham.edu/assets/CLIP/CLIP_Report_Childrens_Privacy_Final.pdf

Imagine what the study would say now, post data mining In Bloom.

With regard to In Bloom’s policy on privacy safeguards, their Breach Remediation policy speaks volumes.  In Bloom Specifically disclaims any and all liability for breach of information that may occur as a result of its data mining of student information.

“Breach Remediation- inBloom, Inc and inBloom, Inc Contractors strive to keep inBloom and PII secure, and inBloom, Inc uses reasonable administrative, technical, and physical safeguards to do so, however, inBloom, Inc cannot guarantee the security of the information stored in inBloom or that the information will not be intercepted when it is being transmitted. inBloom, Inc and inBloom, Inc Contractors will maintain and update incident response plans that establish procedures to follow in case a breach occurs. inBloom, Inc and inBloom, Inc Contractors will also identify individuals within their respective organizations responsible for implementing incident response plans if a breach should occur.” https://www.inbloom.org/privacy-security-policy

Also, see InBloom terms of use policy for 3rd party providers. If you read the policy, it is shockingly lax and basically leaves confidentiality up to an “honor” system wherein third party providers simply have to “promise” not to breach confidentiality but I do not see any proactive measures in place by InBloom to prevent, pre screen or vet their third party providers before giving them access to confidential/sensitive information. Encrypting is assumed, but what measures are taken to assure that the 3rd party providers are adhering to privacy standards?

Moreover, in reviewing In Bloom’s policies and NYSED laws relating to such disclosures, it is my understanding that while In Bloom has a responsibility to notify the State and the School district of a breach, the school is not obligated to notify parents or students of a breach. While we would like to assume a district would inform student or parents in the event of a breach, the law says that they do not have to. This too speaks volumes.

There is no recourse for damages that a student may sustain as a result of a breach and/or identity theft, misappropriation or misuse of student information and FERPA does not permit a private cause of action. The only redress is to file a complaint with the FTC.

Recent amendments to FERPA have desecrated the landscape of student privacy. The slippery slope is steep.

Even the  National School Board Assoc. is worried citing serious concerns regarding privacy and sharing of student data. I found the following letter from NSBA to Arne Duncan USED in the chasm of NSBA files. From what I can tell, the changes went forward at the federal level despite NSBA concerns and the concerns were NOT addressed. Again, School districts choosing to participate in RTT are required to choose and begin submitting data via a NYSED approved dashboard. As you can see from NSBA letter, the attorney for NSBA had concerns about misappropriation of student records and breach of privacy issues on behalf of school board organizations at the state level nation wide.

I have reviewed FERPA. I assure that the concerns raised by NSBA were neither addressed nor resolved. http://www.nsba.org/SchoolLaw/Issues/FERPA-Comments.pdf

In fact, in my opinion, FERPA protections no longer exist. FERPA simply does not resemble itself and the amendments contradict legislative intent behind the measure. The changes render FERPA practically meaningless.

According to Privacy Rights Clearinghouse, there is enough evidence to show that parents are not being paranoid. https://www.privacyrights.org/data-breach

The site alleges that there have been a whopping 616,494,446 education records breached but only 3,972 of them have been made public since 2005.

FERPA  has been weakened  based on recent amendments, as I said above. Privacy laws affecting student education records that contain medical information, for example,  that one would expect to be covered under HIPAA, may not be. There is a complicated rationale surrounding FERPA  and HIPAA privacy laws, they are not simpatico. Here is a primer that provides a good start to understanding privacy of student info/records from medical and academic perspective. http://www.hhs.gov/…/hipaaferpajointguide.pdf

In the category of “What fresh he** is this?” The US Dept of Health’s “new and improved” website, claims that schools and/or school districts do NOT have to follow HIPAA privacy laws. Indeed, that is true. As set forth in the Joint HIPAA/FERPA policy guide above, medical info, once in the hand of a district is considered an “education record. ” HIPAA does not apply to “education records”, FERPA does. But, FERPA has been weakened by administrative changes to accommodate Core —–> InBloom. Simply put, schools do not have to comply or follow HIPAA laws they are exempt.

Moreover, student  info can be disseminated to 3rd parties with no liability to the district, as parents do not have a right to claim harm under FERPA, the only recourse is to file a “complaint. ” http://www.hhs.gov/…/understanding/consumers/index.html

So, how prevalent are data breach and hacking incidents anyway?

According to “The Year in Hacking: By the Numbers” in The New York Times, a recent report by Verizon found that there were 621 data breaches last year and 47,000 reported security incidents. Times reporter writes,

“Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.” See: http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the-numbers/

If this is little consolation to you, wait until you read the Verizon DBIR report. It can be found here: http://www.verizonenterprise.com/DBIR/2013/

So, if businesses are considered hot spots for obtaining personal information, then why would student data be exempt from the interest of hackers around the world? Child identity theft is one of the fastest growing markets for illegal activity and it can be years, decades, before any one realizes that there was a breach-too late for damage control at that time. InBloom declaims liability at the outset. This speaks volumes.

According to the FTC , privacy at school is a legitimate concern with child identity theft being one of the fastest growing problems facing law enforcement. The FTC points out in a resource to parents located on its website, that schools cannot protect student privacy with any guarantee. It can be years, decades, before any one realizes that there was a breach-too late for damage control at that time. http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt056.pdf

The Better Business Bureau raises concerns and recommends that parents limit the chances that a child’s information will be stolen or misused at school. See: http://www.bbb.org/blog/2012/10/protecting-your-child-from-identitytheft/#sthash.mKWYlfmB.dpuf

The BBB position that parents should be vigilant about protecting their child’s information is ironic, because FERPA amendments have now taken parents rights to object to such disclosure away.

In addition to the objections raised regarding FERPA, the National School Board Association worries that the data might be misapplied or misused against students causing them harm:

“Additionally, the data collected for this data item encourages a school official to engage in a subjective determination of which ―offense‖ may have occurred based on a student’s own possibly incomplete/inaccurate description of events. For example, a student reporting an incident is not going to know the difference between sexual harassment, sexual assault, rape, attempted rape, or sexual battery. This calls into question the validity and accuracy of the data, particularly in cases of the ―eggshell‖ plaintiff in which a person may unreasonably perceive actions or words of others as threats or attacks, when they actually are not. Consequently, school districts should be reluctant to define a particular incident as falling into a certain category based on a student’s description of the ―incident‖ for fear of mischaracterizing it. In doing so, a school district risks having the reported numbers being perceived by OCR as those of a district having less of a safe school environment than actually exists.”
http://www.nsba.org/SchoolLaw/Issues/NSBA-Submits-Comments-to-the-US-Department-of-Education-on-its-Notice.pdf

Education Counsel, lawyers for InBloom,  issued a lawyerly opinion of FERPA and Privacy basically bragging about how and to what extent information can be disseminated legally as authorized under FERPA under the new changes. They clearly state:

Disclosures of PII from student records to the SLI to enable this purpose fall squarely within these FERPA provisions that authorize disclosures needed to provide outsourced services to participating school districts. https://www.inbloom.org/…/files/inBloom-and-ferpa.pdf

In other words, PII is not subject to FERPA as a result of this loophole and may be disseminated without NYSED or parental consent.

NYSED patronizes  parents alleging that all will be well and fine in the virtual world. But the evidence suggests otherwise.

FTC has a Blog advising parents to protect their child’s info to prevent identity theft.
http://www.consumer.ftc.gov/…/0040-child-identity-theft

Despite King and District’s attempts to quell concerns, the Ways and Means committee suggests that children are particularly vulnerable targets and that child identity theft is a legitimate concern for parents in the age of technology and data dissemination. http://waysandmeans.house.gov/news/documentsingle.aspx.

Moreover, this Fed Hearing transcript of testimony discusses ways sensitive info is disseminated and stolen via breach, usually as a result of lack of due care by legitimate businesses who have access to the info http://ftc.gov/os/2011/09/110901identitythefttestimony.pdf

FERPA Policy Guide for Parents per FTC suggests that parents scrutinize records closely to protect privacy.
http://www2.ed.gov/…/gen/guid/fpco/ferpa/for-parents.pdf

PPRA Guide for Parents (concerns privacy issues and surveys) recommends that parents scrutinize surveys and to whom the information is released to protect privacy.
http://www2.ed.gov/…/gen/guid/fpco/pdf/ppraforparents.pdf

As demonstrated above, parents have no control or power over student privacy and we cannot protect our children from legitimate data mining concerns. Governmental agencies strongly urge parents to be vigilant in protecting the privacy of our own children but the reality is that we no longer have the power to do so nor can we withhold consent over concerns. The Board of Education of each school district has  been trusted with that power.

Choosing whether to participate or not in RTT is one step  schools can take in slaying NYSEDs stranglehold on student education records. http://wp.me/p44iDJ-1s, http://wp.me/p44iDJ-39, http://wp.me/p44iDJ-1B

Demanding that InBloom delete school district education records off its system  is another. http://wp.me/p44iDJ-I

In closing, the ASSEMBLY STANDING COMMITTEE ON EDUCATION seeks testimony examining the effects of the storage, use, and the disclosure of personally identifiable student information by school districts and the State Education Department to third-party vendors, as well as the costs associated with collaborating with third-party vendors. The hearing will be held 11/20/13 in Albany.   http://assembly.state.ny.us/comm/Ed/20131024/

personally plan to submit testimony and an opinion on this subject if I cannot make it in person. I urge parents, educators and administrators to voice your concerns, provide evidence and facts to back your position up – and fight back.

NYSED must be stopped from commodifying PII off the backs of our children.

 

 

Additional references:

Sachem leak:

http://www.longisland.com/news/11-08-13/sachem-students-personal-information-leaked-to-the-web.html

http://www.databreaches.net/ny-sachem-school-district-has-student-data-leak/

http://www.newsday.com/long-island/suffolk/police-sachem-look-into-possible-data-leak-1.6408064

Virginia school leak:

http://www.washingtonpost.com/blogs/the-state-of-nova/post/fairfax-underground-website-ordered-to-remove-fairfax-high-school-grades/2012/12/21/0326c090-4bb0-11e2-a6a6-aabac85e8036_blog.html

http://statisticbrain.com/information-leak-statistics/

http://www.verizonenterprise.com/DBIR/2013/

http://www.edweek.org/ew/articles/2009/11/04/10report-b1.h29.html?tkn=PSNF5ZUOjdR%2FOd49iQa7bPuvXE2Rm%2FSgja8i&intc=es

http://law.fordham.edu/assets/CLIP/CLIP_Report_Childrens_Privacy_Final.pdf

http://ftc.gov/os/2012/03/120326privacyreport.pdf

FERPA Policy Guide for Parents per FTC

http://www2.ed.gov/…/gen/guid/fpco/ferpa/for-parents.pdf

PPRA Guide for Parents (concerns privacy issues and surveys)

http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/index.htm

http://www2.ed.gov/…/gen/guid/fpco/pdf/ppraforparents.pdf

http://www.pcworld.com/article/2036177/one-in-five-data-breaches-are-the-result-of-cyberespionage-verizon-says.html

Chronology of Data Breaches | Privacy Rights Clearinghouse

rp_data-breach-investigations-report-2013_en_xg-3

Advertisements

4 thoughts on “Parents: NYSED Must be Stopped from “Commodifying” PII off the backs of students! This is a Must Read!

  1. Very comprehensive and informative. Thanks.

    What is interesting is that the breaches in the past had zero to do with inBloom as far as we know & as you have also said. And the breach wasn’t necessarily cloud related. So can we say the cloud is less secure than local retention of records? It would be impossible to say given you don’t have to report breaches.

    Regarding NSBA submission to the 2011 NPRM – they pretty much were talking about US ED’s over step of administrative authority as did EPIC and a good number of those submitting testimony.

    NSBA has not be stellar when it comes to protection of PII.

    1. You are most welcome! I agree with you, Sheila Kaplan.
      Given your vast experience and knowledge in this area, I thank you so much for the feedback! It is unfortunate that the EPIC lawsuit was summarily dismissed. The lawsuit was the only vehicle students/parents had to challenge the overreaching and sweeping policies of USDE and NYSED. What rights do parents have to protect their children? None. Neither NYSED nor InBloom has provided any option for parents in the realm of prohibiting the use of PII and/or protecting student privacy at the outset. While I concede that almost everything is online these days, most of the information will not be as readiy accessible to “authorized users” as educational records that contain PII. Moreover, this P-20 eectronic transcirpt set to follow students is a recipe for disaster and misuse. The slippery slope is steep.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s