Concerns about personal student data breaches go big time
Real cases of student data compromises reported
There is real, growing concern about the way sensitive personal data is being collected and stored on government computer systems. Already in the new Kentucky legislative session, House Bill 5 has been introduced to tighten rules for collection and security of personal data across all state agencies. This bill includes collection of personal data on students, as well.
The attention comes none too soon, as a recent article in Education Week (Danger Posed by Student-Data Breaches Prompts Action) shows.
Says EdWeek:
“Privacy advocates say the increased collection, storage, and sharing of educational data pose real threats to children and families, from identity theft to nuisance advertising, misguided profiling to increased surveillance of everyday activities.”
The article talks about a case in Arizona where schools released personal student data to a group of private dentists who then performed unnecessary dental work on those students to collect Medicaid funds.
Data breaches mentioned by EdWeek include:
• A report about a New York City cloud services provider that “inadvertently uploaded and left unprotected some schools’ emergency evacuation plans, as well as “directory information” that included students’ names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories.”
• A report from Chicago “that 2,000 students participating in a free vision-examination program offered by the city had their names, dates of birth, gender, and ID numbers, as well as information from their exams, accidentally posted online.”
• A report from Florida that “roughly 47,000 participants in state teacher-preparation programs had their personal information—including names and in some cases Social Security numbers—posted on the Internet for two weeks last spring.”
• A hack into the Sachem Central School District, which “suffered three data-security breaches in recent months, including one in which the names, ID numbers, and designations for free-lunch programs of 15,000 former students were posted online.”
There have been some security issues in Kentucky, as well.
We reported on one breach in “Infinite Campus Student Software Security Issue?” back in 2009. Only a few months ago, there were reports of more attempts to penetrate or at least disrupt Kentucky’s Infinite Campus student data system.
The Kentucky Department of Education says it fended off those attacks, but it can be difficult to know about such things with certainty, as the delayed bad news about millions of credit card data hacks at Target and Neiman-Marcus stores during the Christmas season attests.
There are also issues about parent ability to avoid disclosure of sensitive data to their local school and to prevent that data from straying further afield to computers beyond the control of the local school.
In any event, student data collected in Kentucky becomes a juicier target for thieves over time as more and more information is collected. So, at the very least, it is well past time for the legislature to look at the options to tighten up the ship of state data to improve personal privacy and security.
While a massive amount of digital data is now being collected on students, safeguards have not kept pace. A stunningly shocking report released in December from the Fordham Law School’s Center on Law and Information Policy, “Privacy and Cloud Computing in Public Schools,” talks about some of the serious issues caused by casual rules for the storage of student data in off-site locations away from the school or government agency. To begin, the report says use of off-site storage is astonishingly widespread:
• 95% of districts (nationwide) rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
However,
• Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of their use of cloud services, 20% of districts fail to have policies governing the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
• Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.
• An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information.
• Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor.
• School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency. Yet, basic norms of information privacy require data security.
The Fordham report is written from the viewpoint of several federal laws that were enacted to protect personal student data. Unfortunately, the US Department of Education took it upon itself a few years ago to virtually gut those laws in an action that is highly questionable. The end result is that Kentuckians cannot rely on federal statutes to protect their children. Thus, it is well past time, as I said earlier, for the state legislature to weigh in on this absolutely critical situation that, left unchecked, could lead to ruined privacy and futures for hundreds of thousands of Kentucky’s children.