Heather Graf reports that Seattle Public Schools has notified parents of approximately 8,000 students of a breach involving their records. Most of the students involved are special education students.
According to King5 News, the notification states, in part:
“Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed.”
The person to whom the records were mistakenly released contacted the district to report the breach.
You can read more on King5 News. There does not appear to be any notice up on the Seattle Public Schools web site at this time.
The district has reportedly notified the U.S. Education Department of the breach to seek their assistance in investigating how the breach happened. I’d be surprised if they got any real assistance of that kind, but I’d be happy to be wrong about that.
Most people know that students’ education records are protected under FERPA, but for special education students, another federal law, the Individuals with Disabilities Education Act (IDEA) also applies. IDEA has provisions requiring confidentiality of records. Unlike FERPA, however, IDEA is enforced by the state’s education agency, not the U.S. Education Department.
So what might the consequences of this breach be? The law firm who exposed the information got fired. That’s unusual, but I do think that needs to be headlined so that law firms get the message that their clients are serious about data protection. Other than that, I don’t really expect anything else. A complaint to USED under FERPA might result in an educative letter to the District without any other consequences, and a complaint to the state is unlikely to result in any consequences for the district.
Could the FTC initiate an investigation and/or enforcement action against the law firm? I cannot think of any data security cases involving law firms, can you?
In other words, this is likely to be just another day in the education sector.
Update: In subsequent coverage on The Seattle Times , the law firm was named as Preg O’Donnell & Gillett, a firm the district uses in specific cases. While they have been fired from this case, they have not been fired from all the cases they are handling, although that is now under review. And a review definitely seems in order, as the man who received the unredacted documents
says in his letter that he brought the issue to the district’s attention a few weeks ago when he’d received a few documents with sensitive information, but nothing was done and the law firm then emailed a much larger batch.
If the District was notified weeks earlier of another problem like this and did nothing, then that’s on them as well as the law firm.