FB has been buzzing this week with news that student education records containing personally identifiable information has been leaked from Sachem School District in Long Island.
A fellow blogger, No Data NY, posted this disturbing message on her website:
What we fear is here. It’s likely not an InBloom leak – probably a local hacker who seems quite ticked off at Sachem School District. According to the first page of the hacker’s site, he/she claims that the data was exposed 2 years ago by someone else and is doing this now because the district did nothing about it and would not admit it. He/she says the data will continue to be leaked (it still is now) until the district makes an admission to their errors.
I saw the data myself – how? Well, News12 Long Island stated the forum name where the data was posted. The hacker was posting frequently – quicker than the moderator or administrator of the forum could take it down.
I saw medical records (immunization, allergy, etc) and a letter from a doctor stating the child was prescribed Ritalin and his dosage. I saw a list of student ID’s with their names and whether they were receiving free lunch or not. I saw report cards. District registration documents (including name, address, date of birth, parent info.)
I saw disciplinary records – a letter to a parent (name and address included) stating their child had been suspended for smoking marijuana on the bus. BOTH the parent’s and child’s name and address were on the letter.
I called the police.
THIS is what we fear. I should not have seen those records – my stomach turned as I saw the documents. I was in a state of shock.
Could it be true? It can’t be!
Yes, it is.
Indeed, a statement on Sachem School District FB page and website confirms this news:
It has come to our attention that internal information from the Sachem Central School District has been shared on a local message board. We have run tests to show that there has been no network intrusion to the district’s systems. Suffolk County Police is involved in the matter. The school district is actively looking into and dealing with the issue. If you have any information about the situation that could help police with their investigation, please email Abuse@Sachem.edu.
UPDATE ON DATA INFORMATION:
In review of information the Sachem Central School District has been able to obtain, the only information that has been posted regarding active students is in the free and reduced lunch status list from several years ago, and the home teaching report from two years ago, which was posted last evening.
Any other information that had been posted is still being confirmed, but review indicates it to be restricted to two specific years of graduates from Sachem High School East in the 2008 and 2012 class. The person posting the information is making it clear that they are not posting documents with social security numbers, which does appear to be accurate from the investigation thus far, although further review is ongoing.
The district is continuing to work with the local authorities as well as with the FBI. As additional information becomes available, the district will make additional statements. If you have any information about the situation that could help police with their investigation, please email Abuse@Sachem.edu.
In the interest of full disclosure, whether this incident is related to data mining for or uploaded to NYSED/inbloom has not yet been established so there is no evidence to suggest that the leak resulted from InBloom or is related to any of NYSEDs data dashboard services.
But, the flurry of accusations and concerns about student privacy continue with good reason, after all.
The trajectory NYSED is moving in, with support from the Board of Regents, is most disturbing. It seems like everything in education is being run like a business.
Testing is monopolized by Pearson, cha ching!
Data mining by InBloom, cha ching!
Common Core, cha ching!
Even RTT comes with a hefty price tag.
In education, profits are the goal and if your school doesn’t comply with NYSEDs vision that student information is a commodity and is to be profited from, then NYSED dismisses your concerns opting to scoff and balk – your school simply isn’t being properly managed and you must be paranoid NYSED contends.
Apparently, NYSED and the Board of Regents felt that public education should move in a more profitable direction and is forcing districts to do so; practically, this mean cutting State aid, limiting funds available to schools, tying dubious strings to RTT awards and increasing incestuous relationships with big business is better than simply funding schools and providing aid to schools outright.
But parents are having none of it. Thankfully!
The plot still unfolds and public backlash has forced elected officials and school administrators to reconsider NYSEDs position on data mining and InBloom. Parents have taken notice and are fighting back. Nevertheless, this is just another distress flare from the world of education and serves as the perfect segue to discuss the harsh reality stemming from NYSEDs flawed decision making. By treating education itself as a commercial transaction the State puts children at grave risk.
While the Sachem story continues to develop, it’s become clear that leaking of sensitive student information as a result of NYSEDs plan to develop a longitudinal data system with InBloom and 3rd party vendors is not only likely, it is more likely than not going to happen despite efforts to prevent it.
Commissioner King claims he has confidence that security safeguards will protect the unintended dissemination of student education records. He seemed optimistic that (best case scenario) privacy safeguards will be in place and information will be encrypted. He has summarily dismissed concerns over student privacy. For the most part, save for Regents Phillips, Cashin, Rosa and Tilles, the balance of the Board share Commissioner Kings optimism.
But, is NYSEDs bright and shiny optimism misplaced?
Lets be honest, there is no way to guarantee that information provided by the district to 3rd party entities will not be misappropriated, breached, leaked or otherwise hacked. As discussed in numerous references below, truth be told, NYSED cannot guarantee that sensitive education records will be protected or that child identity will be preserved without compromise particularly given the scope and breadth of FERPA has been weakened not to mention the companies who disclaim liability for misuse of such information such as NYSED and InBloom.
NYSED states, in conclusory form, that privacy will be protected and
“all existing data security and privacy protections remain in full effect; inBloom seeks only to make the process easier and more cost-effective for districts that wish to provide these tools to educators, students, and their families.”
What has not been addressed, is the fact that breaches are more common and disclosure of sensitive information resulting from threat actions are more than likely to occur rather than not.
A massive cyberattack in 2011 victimized Google, Facebook, Microsoft and many other big-named companies.
The names mentioned include about a fifth of the Fortune 100, as well as many other massive corporations.
Abbot Laboratories (ABT, Fortune 500), Charles Schwab (SCHW, Fortune 500), Freddie Mac, PriceWaterhouseCoopers and Wells Fargo (WFC, Fortune 500) are all named.
Tech giants like Amazon (AMZN, Fortune 500), IBM (IBM, Fortune 500), Intel (INTC, Fortune 500), Yahoo (YHOO, Fortune 500), Cisco (CSCO, Fortune 500), Google (GOOG, Fortune 500), Facebook, and Microsoft (MSFT, Fortune 500) are also included, as well as government agencies like the European Space Agency, the IRS, and the General Services Administration. Government security contractor Northrop Grumman (NOC, Fortune 500) was on the list, as was MIT.
Ummm, this isn’t rocket science. If Goggle can get hit-then so can Sachem….and so can InBloom and NYSED. It stands to reason that no one is safe from harm.
According to the FBI,
Unlike traditional crime families, hackers may never meet, hackers possess specialized skills in high demand.
They exploit routine vulnerabilities. They move in quickly, make their money, and disappear. No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business.
We are also worried about trusted insiders who may be lured into selling secrets for monetary gain. Perimeter defense may not matter if the enemy is inside the gates.
The end result of these developments is that we are losing data. We are losing money. We are losing ideas and we are losing innovation. And as citizens, we are increasingly vulnerable to losing our information. Together we must find a way to stop the bleeding.
Indeed, FBI is concerned about threat actions that compromise the integrity of online information. Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one, but most will comprise multiple actions (and often across multiple categories). According to VERIS, there are 7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. http://www.veriscommunity.net/doku.php?id=actions
What happened in Sachem has not yet been established so the “threat” that formed the basis of the leak is not yet known. But, officials are saying that there was no outside breach and that network systems had not been compromised. Perhaps this was an inside job? This is of no comfort to parents, though.
NYSED will have you believe that student information will be safe and sound. But this is far from the truth.
In the Children’s Educational Records and Privacy Study of Elementary and Secondary School State Reporting Systems, by Fordham University (study done 2009 in a pre InBloom era), authors showed that serious deficits existed in reporting and privacy data bases by schools where information has been disclosed without parental consent in violation of FERPA and where privacy practices are generally weak in schools.
CLIP found that sensitive, personalized information related to matters such as teen pregnancies, mental health, and juvenile crime is stored in a manner that violates federal privacy mandates. CLIP reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Also, almost all states with known programs collect family wealth indicators. Some states outsource the data processing without any restrictions on use or confidentiality for K- 12 children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. http://law.fordham.edu/assets/CLIP/CLIP_Report_Childrens_Privacy_Final.pdf
Imagine what the study would say now, post data mining In Bloom.
With regard to In Bloom’s policy on privacy safeguards, their Breach Remediation policy speaks volumes. In Bloom Specifically disclaims any and all liability for breach of information that may occur as a result of its data mining of student information.
“Breach Remediation- inBloom, Inc and inBloom, Inc Contractors strive to keep inBloom and PII secure, and inBloom, Inc uses reasonable administrative, technical, and physical safeguards to do so, however, inBloom, Inc cannot guarantee the security of the information stored in inBloom or that the information will not be intercepted when it is being transmitted. inBloom, Inc and inBloom, Inc Contractors will maintain and update incident response plans that establish procedures to follow in case a breach occurs. inBloom, Inc and inBloom, Inc Contractors will also identify individuals within their respective organizations responsible for implementing incident response plans if a breach should occur.” https://www.inbloom.org/privacy-security-policy
Moreover, in reviewing In Bloom’s policies and NYSED laws relating to such disclosures, it is my understanding that while In Bloom has a responsibility to notify the State and the School district of a breach, the school is not obligated to notify parents or students of a breach. While we would like to assume a district would inform student or parents in the event of a breach, the law says that they do not have to. This too speaks volumes.
There is no recourse for damages that a student may sustain as a result of a breach and/or identity theft, misappropriation or misuse of student information and FERPA does not permit a private cause of action. The only redress is to file a complaint with the FTC.
Recent amendments to FERPA have desecrated the landscape of student privacy. The slippery slope is steep.
Even the National School Board Assoc. is worried citing serious concerns regarding privacy and sharing of student data. I found the following letter from NSBA to Arne Duncan USED in the chasm of NSBA files. From what I can tell, the changes went forward at the federal level despite NSBA concerns and the concerns were NOT addressed. Again, School districts choosing to participate in RTT are required to choose and begin submitting data via a NYSED approved dashboard. As you can see from NSBA letter, the attorney for NSBA had concerns about misappropriation of student records and breach of privacy issues on behalf of school board organizations at the state level nation wide.
I have reviewed FERPA. I assure that the concerns raised by NSBA were neither addressed nor resolved. http://www.nsba.org/SchoolLaw/Issues/FERPA-Comments.pdf
In fact, in my opinion, FERPA protections no longer exist. FERPA simply does not resemble itself and the amendments contradict legislative intent behind the measure. The changes render FERPA practically meaningless.
According to Privacy Rights Clearinghouse, there is enough evidence to show that parents are not being paranoid. https://www.privacyrights.org/data-breach
The site alleges that there have been a whopping 616,494,446 education records breached but only 3,972 of them have been made public since 2005.
FERPA has been weakened based on recent amendments, as I said above. Privacy laws affecting student education records that contain medical information, for example, that one would expect to be covered under HIPAA, may not be. There is a complicated rationale surrounding FERPA and HIPAA privacy laws, they are not simpatico. Here is a primer that provides a good start to understanding privacy of student info/records from medical and academic perspective. http://www.hhs.gov/…/hipaaferpajointguide.pdf
In the category of “What fresh he** is this?” The US Dept of Health’s “new and improved” website, claims that schools and/or school districts do NOT have to follow HIPAA privacy laws. Indeed, that is true. As set forth in the Joint HIPAA/FERPA policy guide above, medical info, once in the hand of a district is considered an “education record. ” HIPAA does not apply to “education records”, FERPA does. But, FERPA has been weakened by administrative changes to accommodate Core —–> InBloom. Simply put, schools do not have to comply or follow HIPAA laws they are exempt.
Moreover, student info can be disseminated to 3rd parties with no liability to the district, as parents do not have a right to claim harm under FERPA, the only recourse is to file a “complaint. ” http://www.hhs.gov/…/understanding/consumers/index.html
So, how prevalent are data breach and hacking incidents anyway?
According to “The Year in Hacking: By the Numbers” in The New York Times, a recent report by Verizon found that there were 621 data breaches last year and 47,000 reported security incidents. Times reporter writes,
“Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.” See: http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the-numbers/
If this is little consolation to you, wait until you read the Verizon DBIR report. It can be found here: http://www.verizonenterprise.com/DBIR/2013/
So, if businesses are considered hot spots for obtaining personal information, then why would student data be exempt from the interest of hackers around the world? Child identity theft is one of the fastest growing markets for illegal activity and it can be years, decades, before any one realizes that there was a breach-too late for damage control at that time. InBloom declaims liability at the outset. This speaks volumes.
According to the FTC , privacy at school is a legitimate concern with child identity theft being one of the fastest growing problems facing law enforcement. The FTC points out in a resource to parents located on its website, that schools cannot protect student privacy with any guarantee. It can be years, decades, before any one realizes that there was a breach-too late for damage control at that time. http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt056.pdf
The Better Business Bureau raises concerns and recommends that parents limit the chances that a child’s information will be stolen or misused at school. See: http://www.bbb.org/blog/2012/10/protecting-your-child-from-identitytheft/#sthash.mKWYlfmB.dpuf
The BBB position that parents should be vigilant about protecting their child’s information is ironic, because FERPA amendments have now taken parents rights to object to such disclosure away.
In addition to the objections raised regarding FERPA, the National School Board Association worries that the data might be misapplied or misused against students causing them harm:
“Additionally, the data collected for this data item encourages a school official to engage in a subjective determination of which ―offense‖ may have occurred based on a student’s own possibly incomplete/inaccurate description of events. For example, a student reporting an incident is not going to know the difference between sexual harassment, sexual assault, rape, attempted rape, or sexual battery. This calls into question the validity and accuracy of the data, particularly in cases of the ―eggshell‖ plaintiff in which a person may unreasonably perceive actions or words of others as threats or attacks, when they actually are not. Consequently, school districts should be reluctant to define a particular incident as falling into a certain category based on a student’s description of the ―incident‖ for fear of mischaracterizing it. In doing so, a school district risks having the reported numbers being perceived by OCR as those of a district having less of a safe school environment than actually exists.”
Education Counsel, lawyers for InBloom, issued a lawyerly opinion of FERPA and Privacy basically bragging about how and to what extent information can be disseminated legally as authorized under FERPA under the new changes. They clearly state:
Disclosures of PII from student records to the SLI to enable this purpose fall squarely within these FERPA provisions that authorize disclosures needed to provide outsourced services to participating school districts. https://www.inbloom.org/…/files/inBloom-and-ferpa.pdf
In other words, PII is not subject to FERPA as a result of this loophole and may be disseminated without NYSED or parental consent.
NYSED patronizes parents alleging that all will be well and fine in the virtual world. But the evidence suggests otherwise.
FTC has a Blog advising parents to protect their child’s info to prevent identity theft.
Despite King and District’s attempts to quell concerns, the Ways and Means committee suggests that children are particularly vulnerable targets and that child identity theft is a legitimate concern for parents in the age of technology and data dissemination. http://waysandmeans.house.gov/news/documentsingle.aspx.
Moreover, this Fed Hearing transcript of testimony discusses ways sensitive info is disseminated and stolen via breach, usually as a result of lack of due care by legitimate businesses who have access to the info http://ftc.gov/os/2011/09/110901identitythefttestimony.pdf
FERPA Policy Guide for Parents per FTC suggests that parents scrutinize records closely to protect privacy.
PPRA Guide for Parents (concerns privacy issues and surveys) recommends that parents scrutinize surveys and to whom the information is released to protect privacy.
As demonstrated above, parents have no control or power over student privacy and we cannot protect our children from legitimate data mining concerns. Governmental agencies strongly urge parents to be vigilant in protecting the privacy of our own children but the reality is that we no longer have the power to do so nor can we withhold consent over concerns. The Board of Education of each school district has been trusted with that power.
Choosing whether to participate or not in RTT is one step schools can take in slaying NYSEDs stranglehold on student education records. http://wp.me/p44iDJ-1s, http://wp.me/p44iDJ-39, http://wp.me/p44iDJ-1B
Demanding that InBloom delete school district education records off its system is another. http://wp.me/p44iDJ-I
In closing, the ASSEMBLY STANDING COMMITTEE ON EDUCATION seeks testimony examining the effects of the storage, use, and the disclosure of personally identifiable student information by school districts and the State Education Department to third-party vendors, as well as the costs associated with collaborating with third-party vendors. The hearing will be held 11/20/13 in Albany. http://assembly.state.ny.us/comm/Ed/20131024/
I personally plan to submit testimony and an opinion on this subject if I cannot make it in person. I urge parents, educators and administrators to voice your concerns, provide evidence and facts to back your position up – and fight back.
NYSED must be stopped from commodifying PII off the backs of our children.
Virginia school leak:
FERPA Policy Guide for Parents per FTC
PPRA Guide for Parents (concerns privacy issues and surveys)