A Warning to Minnesota Superintendents and Technology Directors on the Risk of School Data Hacks: Why Minnesota Needs HF Bill 1507 for Student Data Security
By Anne Taylor
Last week Tiina Rodrigue, Senior Advisor for Cybersecurity, announced that the U.S. Department of Education is warning teachers, parents, and K-12 education staff of a cyberthreat targeting school districts across the country.
Thus far, at least three states have been targeted by the extortion attempt from hackers called the “Dark Overlord,” who ask schools to give them money and threaten that otherwise the group will release stolen private records, according to the department.
Dark Overlord has been hacking and making violent ransom threats for 4 weeks now. Their chilling messages state they will ‘splatter kids’ blood in the hallways,’ according to multiple sources, including the U.S. Department of Education.
According to Adam Kujawa, director of malware intelligence at Malwarebytes, in a school district with hundreds of teachers or administrators connected to the system, “It’s a high likelihood that one of them may have encountered one of these phishing emails.”
Kujawa explains that rather than stealing the data to resell, the hackers basically build a safe around the information inside a district’s own computers. They lock it and charge thousands of dollars for the combination – the encryption key – to open the safe.
While the FBI is actively investigating, the Department of Education says the hackers are probably targeting districts “with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data.” It advises districts to conduct security audits and patch vulnerable systems, train staff on data security best practices, and review sensitive data to make sure no outside actors can access it.
Locally, in August of this year, South Washington County schools made sweeping headlines when data was released on some 18,000 students after parents received an email that contained either data on 9,000 families or another file on more than 9,600 other families. Some parents with multiple students in the district received both data files in separate emails.
According to the report, the files contained student names, home addresses and schools; parent names, phone numbers and email addresses; and student busing information, including pick-up and drop-off time and location and the bus route and description.
In February of 2017, investigative reporter Eric Chaloux of 5 Eyewitness News did an in-depth report entitled “In the Wrong Hands” regarding a case of child ID theft that affected a family in Maplewood, Minnesota. It was discovered that the identity theft stemmed from a glitch in the family’s medical assistance application where the 9-year-old child’s SSN was exposed.
The report also noted that if you wait to check and only discover a problem just before a child applies for financial aid for college, it could delay them starting college. As Eva Velasquez of the Identity Theft Resource Center in San Diego said, “They find they can’t qualify for those student loans because they have bad credit and they have an identity theft issue they need to clean up.”
In 2014 my school district released over 2,000 emails in what’s called a parse process that had gone awry. The email I received from the school district was 90 pages long and included 80 names and email addresses of parents, many of whom I did not know. These email addresses were frequently utilized by parents or legal guardians to access their child’s private information.
In the year just prior, I had information on my private on-line school account for two additional children whom I did not know and was not related to, and I had access to these children’s personal records, including names, vaccinations, birthdate, graduation date and contact information.
That experience spawned a new interest in student data protections, hacks and breaches for a number of parents and MACC followers.
In 2013 the anti-Common Core movement was at an ultimate high and continues with the recent 2015 passage of ESSA. Student surveys became the norm – and continue to be – by both school districts and 3rd party companies and all the while parents were forced to grapple with the swell of digital education.
With the rapid adoption of on-line and 1-1 education, the old ‘desk drawer’ data was massively switched over to electronic. FERPA (Family Educational Rights and Privacy Act) was gutted by former Secretary of Education Arne Duncan in 2011, a change that was then signed into executive order by former President Obama and that only added to the increase in exposure of student PII (Personally Identifiable Information).
What does PII include? Any or all of the following: Student name, student SSN, student ID#, grade level, race, gender, ethnicity, aggregate data that includes unique interests and socioeconomic status.
While some of the local papers took interest in this news, I wrote a detailed article on the entire experience entitled, “School Data Breaches: A New Trend Coming to a Minnesota School Near You” published by Truth in American Education. It was also at this time that, around the country, we were witnessing an increase of data breaches among banks, health insurance companies, and many, many retail shopping chains.
Not long after that experience, questions were raised not only about what kinds of private information our kids are being asked for and exposed to electronically on school time and without parental knowledge or consent, but more importantly about the safety of this information: how it could be used against a student or parent if it were incorrect – or breached – and what our schools are doing to protect that information.
In the summer of 2015, I attended a training seminar for superintendents on the FERPA law through the Minnesota Department of Education. Two Federal Education trainers explained to public school district officials in detail how to handle student data, some of the features of the FERPA law and where there are serious potential data threats.
At that time, the trainers themselves disclosed just how bad the data breach was that had just hit U.S. government officials early that June. Two major breaches of U.S. government databases holding personnel records and security-clearance files exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends. U.S. officials quietly stated that all this was traced back to the Chinese government, according to the Washington Post.
Throughout the presentation, the instructors mentioned continually how schools and teachers themselves are becoming targets for data breaches. Just how concerned our Minnesota superintendents were about the seriousness of this, we don’t know. What we do know is that many parents in school districts are growing increasingly concerned about the lack of disclosure and transparency, and about the training both technology staff and teachers may or may not have on where the data goes and what district officials are doing to protect it.
Below is a takeaway list of just some of the mounting issues surrounding the FERPA amendment, student data and ties with our Federal Education system. The state of Minnesota has some of the most lax student data laws and has NOT updated those laws since 1980. All the more reason for a student data bill in our state.
- Data retention laws are determined by the state. Retention is usually one year after a student grade is issued, and the data cannot be destroyed while a request is pending. For example, a grade is entered into the system and becomes part of the Ed record system.
- It is “too complicated” for today? Pre-K programs, health records and FERPA all overlap. Just follow the money.
- On HIPAA: Student vaccination records are part of the student record, while FERPA actually protects the health record.
- Due to copyright laws (*these came with the changes under Common Core) teachers can no longer send electronically or send home original test(s).
- Assessments on child: It is a vendor rule that tests cannot be handed back to parents. While teachers MUST give access to a parent in person, they may NOT give them a paper copy to keep.
- FERPA says parents can opt out of data collection, but that really only means ‘directory information’.
- What does Directory Information include? “May” include name, address, email, photo, DOB, school, grade, dates of attendance, activities, awards (the district gets to decide).
- Can also include yearbook, class ring company, newspaper, athletic company (sharing height, weight)
- If released under directory data, NO RESTRICTION on who it gets sent to
- Parents ARE allowed to opt-out of directory information and should be notified on an annual basis (according to most parents, this does NOT happen)
- Just because you can share data under FERPA doesn’t mean you have to. School districts can decide NOT to send data; however, that depends on the Grant Management Stipulations
- It is permissible for school officials or volunteers to share data, but only with legitimate “Ed interest,” AND it must be disclosed to parents on an annual basis (many districts are not following this either, and this includes the use of AmeriCorps VISTA volunteers)
- Are discipline records part of the Ed record? The only FERPA exception is if the student poses a risk to others (health & safety exemption)
- Schools and community colleges MUST honor a parent’s request to access their child’s records and receive a copy of the records, and this must also be outlined in a school’s annual notice (*schools may NOT charge an outrageous “go away” fee for asking for their child’s record)
- Schools may disclose PII (personally identifiable information) on “consent agreements”. Most parents do not even know what they’ve consented to because of the lack of transparency in contracts between 3rd party companies and the school district.
- You may anonymize the data. Many will say they do, but don’t.
- iPad Apps: Best to vet in advance BEFORE releasing apps to teachers. Are school district officials approving apps? How well trained are teachers on data privacy via electronic means?
- BINDING CONTRACTS: What are the terms of service? Are they binding with the District? Is the money tied to the school or student data? School districts ARE liable.
- The only foolproof way to protect data is to never release ANY data at all
Know that every state now has an SLDS (State Longitudinal Data System) that was required by the Obama administration through stimulus money guidelines in order to store and share individual student data from Preschool through 8 years after high school (P20). We are now seeing the very predictable problem that is occurring across our American schools.
Just last summer Minnesota governor Mark Dayton sought nearly $46 million to upgrade state government computer systems in order to better ward off any potential cybersecurity attacks or data breaches.
According to the Star Tribune, the Department of Education would have received about $10 million to beef up their systems’ security, but the request did not pass due to deep legislative disagreements over last year’s budget surplus.
Called the “Student Data Privacy Act,” HF1507 would complement existing student data rules in the Minnesota Data Practices Act and the Federal Education Rights and Privacy Act.
While this is just the appetizer of the data trail you and your child leave with your public school district, remember, private schools must also be vigilant. Remember that ALL digital education data is accessible, exploitable and must be protected.