Park Hill Data Breach One of Many to Come
Park Hill School District in the Kansas City suburbs finally announced that back in April they had a data breach of student and faculty data, including social security numbers and employee records. A former employee enabled the data of over 10,000 students and faculty to be accessed on the internet. The breach was discovered when someone did a simple Google search. An extensive investigation involving the FBI took place and finally, in July, the individuals whose data was mistakenly made public were informed of the breach and offered fraud monitoring services.
Well, that’s just fantastic. For three months, while those on the inside investigated how it happened and who all had been affected, no one in Park Hill even knew there had been a breach. The overriding bureaucratic decision not to “panic the public” meant that potential identity fraud could be occurring for 90 days before anyone even knew there was a problem. There was no chance to put a block on your child’s credit just in case. Just let the officials do their job and when they are ready, they will tell you what they allowed to happen. At the end of the day the important thing is to maintain the image of control for the district; it’s not the children.
The data was taken out of the school district on a hard drive by a former employee, not a vendor authorized to have it, not a researcher who asked for it and not a current staff person. The recently passed HB1490 has language in it to protect data, but it only mentions protecting against breaches in the types of scenarios where third parties are given access to it. They haven’t even thought of a scenario like Park Hill’s. The problem is, once the data is out there, no matter how it got out there, there’s no getting it back. That’s how secure your child’s data is.
Park Hill did not release any details of who the ex-employee was or what the reason was that he/she took the hard drive or connected it to a computer at home. There are many possibilities, from the purely innocent (finishing an advanced degree assignment that required the data), to the idiotic (forgot the data was there and accidentally uploaded it as part of another unrelated upload), to the truly sinister (connecting with black market identity thieves because he/she needed some money having lost his/her job). Superintendent Springston said he didn’t think there was any criminal intent. We will probably never know for sure. The reason for the breach is almost immaterial. The fact that a former employee, or even an existing employee, can load data onto a portable hard drive and remove it from the school building without anyone being aware of that is highly concerning and utterly unacceptable.
Remember that the Consumer Affairs Bureau says minors’ data is the most valuable and sought after data for identity thieves. Most parents don’t check their child’s credit report until they are filling out those college FAFSA forms. That means thieves have up to a decade of unfettered use of your child’s identity if they can get hold of school information like SS#, birth date, and address.
I can’t tell from the Park Hill news release whether they followed the state’s only data breach law, passed in 2009, HB0062. According to that law, “In the event an Entity notifies more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.” The law also requires the Missouri Attorney General’s office be notified under these conditions. While this data does not contain credit information or financial accounts, it still contains enough data to create a credit account. The AG should have been notified.
According to HB0062:
“Notification [of consumers] is not required if, after an appropriate investigation by the Entity or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the Entity determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.”
Park Hill has assured everyone that they are working on policies to ensure that this doesn’t happen again, unless of course it happens in some other way that they did not anticipate. Then they may have a breach again.
Knowing that there are at least 61 data points that DESE requires districts to collect, and over 400 data points that the National Data Quality Campaign would like states to collect in the state longitudinal database, and that districts have such lax protection policies, wouldn’t the best policy for now be to not collect any but the barest minimum of data? Isn’t it time the states start telling the feds that they will no longer collect and share information like social security numbers, which have nothing to do with education, with them?