I’ve often pointed out my concerns that public schools – at least those in New York that I’ve been in – do not seem to have adequate security in place for the vast troves of sensitive and confidential information they collect and retain. So I was unsurprised to read that a recent Office of the State Comptroller audit of 12 public school districts found the majority lacked adequate security for personal, private, and sensitive information (PPSI) on Mobile Computing Devices (MCDs). The audit results were released on December 14, and cover the period from January 1, 2010, to May 4, 2012.
From the executive summary/press release:
Key Findings
- The majority of the 12 districts did not have adequate security policies and procedures in place, increasing the risk that PPSI could be accessed and misused by unauthorized persons.
- Our tests of a sample of 383 district-owned MCDs found PPSI on 71 (18.5 percent) of these devices. Without proper safeguards in place, any confidential data on these MCDs could be at risk of exposure.
- None of the districts had developed a classification scheme or performed an inventory of the PPSI the districts possess.
The problems are evident in this statement in the report:
The sample of MCDs we initially selected included three MCDs (from three different districts) that we were unable to examine because one had been stolen and two had been lost. The district had filed a police report in the case of the stolen MCD. The districts had not realized that the other two devices were lost; it only became apparent that these two MCDs were lost when district officials were unable to locate the devices for our audit. Because we were unable to examine these devices, there is no way of knowing whether or not any of these MCDs contained PPSI, and whether adequate controls had been implemented on the devices to protect such information.
From the summary, the Key Recommendations:
- Adopt formal written policies and procedures to ensure a sound IT environment and to protect PPSI in mobile computing devices.
- Develop written policies and procedures that outline the proper access, use, and protection of PPSI on MCDs.
- Complete a classification and inventory of information the district maintains to assign the appropriate security level to each type of data, and then conduct an inventory of PPSI stored on all electronic equipment to account for the confidential data maintained.
You can read the full audit report (2012-MR-2) here.
The state also issued letter reports to the following school districts: Bath [pdf], Cato-Meridian [pdf], East Rochester [pdf], Geneseo [pdf], Horseheads [pdf], Marcus Whitman [pdf], Odessa-Montour [pdf], Penfield [pdf], South Seneca [pdf], Victor [pdf], Weedsport [pdf] and Wheatland-Chili [pdf]. Most of the letters had passages like this one:
We found the District’s IT policies were nonexistent or inadequate in a few areas related to the security of PPSI. The District did not have policies governing remote access, the installation of hardware on District MCDs, or notification of affected parties in the event of a data breach. Further, the District does not have a written District-wide data classification scheme, and has not inventoried the PPSI in its possession. In addition, there was no email policy to address the use of PPSI or confidential information in email communications. Without adequate policies for protecting the security of PPSI, there is a significant risk that data, hardware, and software systems may be lost or damaged by inappropriate access and use.
Our audit identified certain vulnerabilities concerning PPSI. Because of the sensitive nature of these findings, they are not included in this report but have been communicated confidentially to District officials so they could take corrective action.
Even in the rare case where a district did have an encryption policy, it was not consistently implemented:
Although the District had an adequate policy for the encryption of mobile devices, the policy was not consistently monitored for compliance. Of the 45 MCDs we reviewed, 10 devices were not encrypted as the policy required, including one that contained PPSI. Further, there was no data breach notification policy, and the District’s email policy did not adequately address the use of PPSI or confidential information in email communications. District officials also had no Districtwide scheme for classifying PPSI according to risk, and had not conducted an inventory of all PPSI at the District.
I’m still waiting for them or the NYC Comptroller’s Office to conduct an updated audit of the NYC Education Department – for both Information Technology and security of PPSI in MCDs.
I wonder what would happen if parents started filing under FOI to obtain copies of their child’s district’s policies for security of PPSI on MCDs. It could make for some interesting school board meetings.
The problem with this is sort of larger than one is to believe. Should a child’s identity be compromised, it’s something that may not be thought about in many different arenas.
Kids’ identities can be stolen and used for false IDs for illegal immigrants.
Kids’ identities can be misused on IRS documents, on a fraudulent return to maximize a bogus return.
Kids’ privacy information is important too; they are at a vulnerable point in their lives, and some may have a condition that they do not want leaked out.
The problem with any state, city, local or government organization is they give devices to individuals and forget about them. People who use these devices become so used to these devices that they may think over time that they own them. There isn’t a MANDATORY cycle in place to rotate state-owned gear. A mandatory cycle would have an account lockout and can only be reset by a member of the IT staff. This allows the state to inventory, update and reissue devices.
This isn’t that hard; if it is a routine, it can be effective and followed. People will then have less “own” value; people are less likely to stretch the rules knowing that they will have to turn the device in for something else. It can be done every ~6 months, or maybe yearly.
People will complain, but tough. It’s NOT your device, and there are set rules and conditions that should be met. Unfortunately – Empathy seems to have more weight over security. That is why these issues appear. No use of personal devices for state-recorded data. No transferring of state-recorded data through personal emails. Use devices like a secure thumb drive similar to IronKey – 10 tries at the password and data is destroyed.
Staff members do status quo if there isn’t anything to follow. Some may come up with their own ideas, and it may be shot down because ‘it’s not supported by the state’. So unless they hire someone with a brain that can muster up a generalized state-wide policy with minimum requirements, and throws in that state inspectors MAY do short notice spot checks at any organization with state-issued devices, then the issue is doomed for failure.
Wait for the fire to subside and sweep the ashes under the rug once more.
Thanks for calling this post & audit to my attention. I was pleased to see FERPA mentioned in the audit. Could this be the impetus to audit schools for FERPA compliance? Why wait for an audit showing it’s not just a mobile device problem?
It’s not just a mobile device problem.
New term for me. PPSI. Personal, private & sensitive information.
Lots of that being warehoused within our education system.
I doubt that either DiNapoli’s office or Liu’s office will conduct a FERPA audit, but you could always call/email them and ask. I really want Liu’s office to audit PPSI data security for students and employees in DOE.