Cynthia Howell reports:
The Little Rock School District, a victim of a 2022 data security attack, is telling its past and present employees, student families and vendors that there is no evidence that their personal data has been “viewed, used or misused.”
However, that announcement — posted recently on the 21,000-student district’s website — also states that the district is providing no-cost credit monitoring and identity protection services “out of an abundance of caution.”
Additionally, the district — which apologized for the concern caused by the security breach — is telling affected individuals to be vigilant in monitoring their accounts for identity theft and fraud.
And that is exactly the right advice — to not assume that because the district paid ransom — that the data would never be misused or later appear somewhere. And even though the district may believe that “All such information was returned, and we have obtained assurances that no use was made of the information,” that is not a guarantee that it is true.
The LRSD case has raised a legal issue in Arkansas about whether a school board can have a meeting with no legally required public notice given to consider paying ransom or its response to a cyber incident. The state’s attorney general has yet to issue an opinion on that question.
Read more at Arkansas Democrat Gazette.