Another data theft in the education sector. And yet again, no one did anything wrong because there was never any policy.
Yesterday I added a breach to DataLossDB involving the Morgan Road Middle School in Georgia. A flash drive with unencrypted student information, including SSNs, was stolen from an teacher’s unattended car. A gradebook was also stolen. In his statement to the media, Richmond County School System Superintendent Frank Roberson said that the information in the teacher’s possession was not unusual. I agree, but why was the District using Social Security numbers instead of non-SSN identifiers? Does a teacher really need to know students’ SSNs? But here’s the part that really rankled:
Dr. Roberson says bottom line, the teacher did not break policy and because of that will not face consequences.
If there was no policy that said “Don’t leave unencrypted student information in unattended vehicles,” then I agree the teacher cannot be disciplined. But the school district should be in pillories.
Then lo and behold, there’s another news story this morning about how 60 80 Charlotte-Mecklenburg Schools employees in North Carolina have been warned to be on guard against identity theft after files containing their personal data were stolen from a human resource employee’s car.
The personnel files, which contained names, addresses, Social Security numbers, dates of birth and driver’s license numbers, were stolen Nov. 28, when the HR employee stopped for lunch, CMS spokeswoman Tahira Stalberte said. She said a CMS investigation determined that the employee, who was driving from one district office to another, did nothing wrong.
If no one is doing anything wrong by leaving personal information that could be used for ID theft in unattended vehicles, then the school districts are responsible for their failure to implement reasonable security policies, the states are responsible for not auditing the districts and sending a clear message about protection of data, and the U.S. Department of Education is responsible for not promoting regulations that would adequately protect the personal, private and sensitive information of students and employees.
No one’s to blame? I think there’s a lot of blame to go around. And it’s more than high time parents and employees insisted on adequate data security.
Ahhhh another Security by obscurity. These “simple folk” – for lack of other kind words don’t have a clue. Anywhere in the US – or the world for that matter – teachers can be ripe targets to steal from. All it takes is an observant thief that watches a handful of teachers leave the building to see who might be carrying laptops, tablets or flash drives.
They don’t get it. Kids PII is more important than adults. Their data could very well be used for nearly a decade before they even have a clue what a credit report is, or what a dependent on an IRS form actually is.
Its more of an “I don’t care” attitude than anything else. There is no care in these type of cases. No attention to detail. Customer service ends when the teachers leave the classroms. They supposedly are overworked and underpaid – though they have more time off than any other profession I know of.
How can the people fight this sort of lax mentality? The people voted in the superintendent of schools. They need to bring these sort of issues up and fire them and elect some one thats going to be able to do their job. Any change will apparently be better. Chances are it can’t gt muh worse.
Each parent needs to individually file a complaint to the State Board of Education. Since this is unacceptable, they need to push this crap back up the chute so the people who are supposedly responsible for this gets to smell what the outcome could eventually be.
The identity information doesnt change much. Some one could sit on this data for YEARS and then at the “right opportunity” start using or selling it. Back tracking the true source of PII information can be very painful.
I hope the Feds get involved. I know they have bigger things to worry about, but some one should call them and have them read the information and then call them and read them the riot act.
Clearly our educators are missing all the “teachable” moments as the data breaches of education facilities continue. In some instances, such as the University of North Carolina, they have had multiple “teachable” moments. I have said it before, until there are financial penalties this behavior will not change.
Ironically, UNC itself tried to impose penalties by demoting the researcher in the mammography database breach. Why haven’t they demoted themselves over all the other breaches? Maybe I should draft a FOI request parents can send to their school boards to request copies of relevant policies and a draft statement to be read at school board meetings to get districts to address their woeful lack of security. Hmmm…
I think it is time for accountability. Companies are not holding CIOs or CSOs responsible. They need to be fired. The technology is available to prevent 98% of the breaches, IT and Security leaders are not protecting company assets like they should!
Companies need to be held accountable and that means financially. Companies and the government should have to pay each consumer a fee everytime they disclose their data and let the individual decide if they want to spend it on credit protection.