1.5 million current and former student SSNs at risk says MO Auditor
A recently released cyber audit of DESE’s student data system (MOSIS) revealed several weaknesses that MO State Auditor Galloway said placed 1.5 million current and former students’ personal information, such as social security numbers, at cyber risk.
The report noted that the state has “no business reason” for collecting social security numbers. Galloway takes a strong position on data security. In a statement to KCUR she said, “We need to be proactive to be sure to limit the collection of that data if it’s not necessary and then be proactive in protecting it to make sure it doesn’t fall into the wrong hands.” This is exactly what SB530 (Onder – Dist 2), filed but never passed out of the Senate Education Committee last year, attempted to do.
Other Auditor findings include:
- DESE management has not fully established and documented user account management policies and procedures. User account management includes requesting, establishing, issuing, suspending, modifying, closing, and periodically reviewing user accounts and related user privileges. Multiple DESE users are allowed access to the MOSIS system via shared accounts; however, DESE management does not regularly monitor these accounts to ensure actions taken by account holders are appropriate.
- DESE management has not established a comprehensive data breach response policy, as recommended by the U.S. Department of Education. Without a comprehensive data breach response policy, management may not be sufficiently equipped to respond quickly and effectively in the event of a breach, increasing the risk of potential harm to affected individuals
2) Data Access and Management Policies.
(A) The department adheres to the confidentiality requirements of both federal and state laws including, but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), the Protection of Pupil Rights Amendment (PPRA), and the National School Lunch Act. These policies include:
1. Defining privacy, confidentiality, personally identifiable information, disclosure, access, and confidential data; and
2. Maintaining adequate privacy and confidentiality protections; including the assignment of a unique student identifier, data security, restricted access, and reasonable statistical disclosure.
(4) Data Security Plan. The department, in cooperation with the Office of Administration Information Technology Service Division (OAITSD), reviews and maintains the data security plan. This includes, but is not limited to:
(A) Guidelines for authentication of authorized access;
(B) Privacy compliance standards;
(C) Privacy security audits;
(D) Breach planning, notification, and procedures;
(E) Data retention and disposition policies; and
(F) Data security policies including electronic, physical, and administrative safeguards.
Notice that in the regulation passed by the state board, all that was required was that DESE and OAITSD have a plan. It did not give specifics of that plan and the state inter-agency data sharing agreements provide disincentive for putting strong restrictions on data sharing or access in those plans. The audit identified those weaknesses.
KCUR reported that DESE has already begun making changes based on the audit findings. For instance, DESE claimed to need SSNs to run its A+ program which offers students tuition for community college depending on their academic performance and a few other requirements. Since the audit, they have found an alternative method to track students and operate the program.
The previous Auditor Tom Schweich ran 90-day follow up compliance audits to verify if the issues identified had been addressed. Hopefully Galloway will follow in her predecessor’s footsteps and make sure that DESE and OAITSD have addressed the other issues noted in the report.