A Texas parent who reported a school district security breach involving sensitive student records spent the next two years facing federal charges and trying to get his laptop back
Back in August 2009, DataBreaches.net reported that a parent had his work and personal computers seized by the FBI after he reported a security breach to his child’s school district, Leander ISD, and the Texas Education Agency. The parent, Mark Short, had discovered a working login on the district’s web site for a vendor-maintained database of students’ educational records. Having not received all of his child’s records that he had requested under FERPA (the federal law that gives parents the right to inspect all of their children’s education records), Short explored the database enough to confirm that it contained additional records on his child as well as sensitive information on other students. Short then notified the district of their security lapse and filed a complaint with the state.
Rather than thanking him for alerting them to their security gaffe and FERPA noncompliance, the district reportedly referred the matter to law enforcement, who treated him as a criminal.
Short informed DataBreaches.net that his personal laptop was seized by FBI agents without a search warrant “under the guise of concluding the investigation.” Short claims that he was not informed that he could refuse, and that after the FBI hung on to the computer for one week and he started insisting on its return, the FBI first obtained and served him with a search warrant for the laptop they had already seized.
Short has kept DataBreaches.net apprised of the case over the past two years, and now reports:
Two years after the FBI seized my personal property and just two days before a scheduled hearing to force the return of my computer, the US District Attorney has decided to not prosecute and return my computer.
This is after I was offered plea agreements two or more times and refused. Then I would get threatened that I would face prosecution if I did not accept.
The entire situation has been costly for Short, who lost his job due to the FBI showing up his workplace and seizing his work computer. It also created significant family stress. Short tells DataBreaches.net:
This has been a huge “pain in the ass” in order to assert individual rights and force a return of personal property – potentially improperly obtained; however, the government has really exceeded their mandate in this case. For them to seize my computer, refuse to return it (even after two years) without even making a formal charge is insane.
I can see why some people would rather just give-in to the federal government and simply forfeit their personal property. However, I cannot do that and allow the continued erosion of individual constitutional rights and freedoms.
In the meantime, the school district that had failed to turn over all his child’s records and that had failed to adequately secure access to the outsourced records has incurred no penalty for noncompliance with FERPA’s requirement nor for the breach.
What’s wrong with this picture?
Serves him right. He committed a crime by rooting around in an unsecured server. Just as a burglar commits a crime by entering your house when you didn’t lock the door. The fact that security was poor doesn’t justify his criminal act. That this guy only lost his job and wasn’t arrested should count him as lucky. And besides, he deserves it for spying on his kid.
“Spying on his kid” – ? Are you KIDDING me? Parents cannot “spy” on their kids; by definition, they MUST and SHOULD know what their children are up to, including their grades and school performance.
Regardless of whether he should or should not have poked around the database, the fact that the school has NOT been prosecuted is unfathomable.
I share your amazement that “withheld” would consider this spying on a child. The parent was attempting to do what the FTC and every major advocacy organization recommends parents do: inspect your child’s records. In this case, the parent’s diligent efforts were thwarted by a district that seemingly decided they were only obligated to provide records if he could tell them what the records were, by name. Of course, since most parents have no idea what’s in their child’s records (which is why they should request inspection of ALL records), it’s impossible for any parent to provide such specific information. One would have to believe that the district had no knowledge of what they had uploaded to eSped or conveniently forgot about eSped when replying to his FERPA demands. Otherwise, there’s no reasonable excuse that I can find for their failure to produce the records in response to his request.
Of course, that doesn’t justify taking matters into your own hands, but when your district withholds records and the state doesn’t enforce the law, I am not inclined to want to prosecute a parent who did not try to hide what he had done and even alerted them to their security breach so as to prevent someone less honorable from accessing those data.
So let me get this straight: everyone is entitled to privacy, UNLESS they are minors, in which case their parents are justified hacking into school computers to find out if there is something they don’t know.
This is absurd.
There is no privacy of minors’ education records from their parents. At age 18, the rights transfer to the student and then the parent has very limited rights.
Parents have the right to inspect the education records to protect their children. Read FERPA and the history of the legislation some time.
This is a data security/breach issue that would not have occurred had the district complied with FERPA. Their failure to do so doesn’t make the parent’s act legal, but it does make it somewhat understandable to anyone who’s experienced with the system and the frustration parents experience trying to protect their children by inspecting records for inaccuracies, false claims about disciplinary matters, etc.
IMO, the only place a recognized privacy violation comes into it is to the extent that the parent viewed other students’ information, thereby violating their privacy. But for you to claim that parents who inspect or try to inspect education records that they are legally entitled to inspect are spying on their children, well, you’re entitled to your opinion, however ridiculous or trollish it seems to others.
Bottom line is, there are proper procedures for requesting information. If the information is not available in a timely matter there are grievance actions one can take. Taking things into your own hands – especially if there are moral or legal issues involved is a touchy subject. Its not only his children records that he went over, the potential was for him to have viewed many other personal issues that may be listed in the school records about other children and teachers that may be sensitive. Unless the “visit” was controlled and overseen by a representative of the school or state authority, it was a bad move on his part.
The FBI will always side with a more trusted organization over a person. If he was thinking a bit more clearer, he may have relized that after bugging them about the kids records, that they may have a mild grudge against him, and what a better way to get him off the schools’ back than to twist the story to make him look bad in the limelight. He should have contacted the local authorities and given his story there are well, it would have covered his behind alittle better. News is drama, most of the facts may or may not be hearsay. Don’t always believe everything you read as 100% accurate because dirt sells.
He may have been the victim in this case, but next time seek legal counsel, or ask a what if question to the state board of education before you dive into something thats a potential slap upside the head. If you would have told the state about the insecurity of the site, and the fact that they have been ignoring your requests, you’d still have your job and they may not.
This is an amazing story, thank you Databreaches for publishing it for our consumption.
I’m always amazed the people out there with the “Serves him right” attitude. I personally would rather someone with good intentions find my information and make me aware of it so I can secure it than to have some nefarious individual find it and use it to their advantage without my knowledge.
Admin, I’m sure you have better numbers than I do – but it costs the average citizen years of headache and thousands and thousands of dollars to get their identity sorted after it has been stolen and used illegally.