How not to protect student data, Colorado style


Picture this: a stranger able to access your children’s bus pick-up and drop-off time and location, able to see their photos, names, phone numbers, home addresses, health records, even lunch account and activity fees. This information was amazingly vulnerable to hacking in the Lewis Palmer School District in Colorado. Incredibly, the school district posted hints to passwords (the student’s birthday) on the district website. The student login ID and password were the SAME for both Infinite Campus (which stores student grades, demographics and other personally identifiable information) and their Google Apps for Education documents, including their Gmail accounts. According to a district parent, who prefers to remain anonymous,

“Once you logged in with your student account, you could see all names and student IDs of every student in the district, listed alphabetically down the left side of the website, with corresponding student ID. And since it was advertised that their birthday was the password, any hacker could go onto Facebook, find out a student’s birthday and log in to see all their emails and records in Google (GAFE) and in Infinite Campus.”

According to its website, the Lewis Palmer School District has publicly posted login information and clues to student passwords for three years.  At least one parent complained last fall and the school did nothing to address the vulnerability. Apparently, school officials told parents this was just the way it had to be and it was not possible to change it.

Only after a parent spoke at a school board meeting on May 19 did the district-wide vulnerability become public news, thanks in part to a local reporter who wrote about it in Complete Colorado:

At a school board meeting on May 19th, a concerned parent asked the school board to fix the security breach immediately. The woman said district officials have known about the issue since the beginning of the school year. Melinda Zark told the board that in the fall she spoke to the district’s top two information technology staff members and her children’s principal about the issue with Google Apps for Education (GAFE), which is needed to connect to Infinite Campus.

However, even after the vulnerability was revealed to the school board, in the story posted in Complete Colorado, discussed on a breach notification site, Databreaches.net, and on the blog of privacy advocate Bill Fitzgerald, who wrote about it here, the Lewis Palmer School District still did not immediately notify all parents of the breach (as recommended by federal guidance and current Colorado law), nor did the district admit fault.

FERPA requires that the agency or institution record an unauthorized disclosure so that a parent or student will become aware of the disclosure during an inspection of the student’s education record. The district also appears to ignore the Colorado Department of Education’s guidance to districts that states,

“The personally identifiable information from students’ education records that a district maintains should not be available to all district employees…” “Districts should establish clear methods for addressing any breaches in security. Individuals should be designated for addressing concerns about security breaches and identifying appropriate consequences, which may need to include termination of employment or a contract.”

Nearly a week after the school board meeting, the District finally disabled the access portal to Infinite Campus accounts. As reported in Lewis Palmer’s disingenuous and incoherent account on its website:

“05.25.16 Protecting your student and family personal data is of utmost importance to LPSD. Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems. It appears one individual with legitimate access to our system, using the student portal, may have accessed a few middle and high student IC accounts. The IP address for this individual was immediately blocked. The individual was unable to modify data or transfer data electronically. We will be contacting the parents of the students impacted. If you do not receive a call by the end of the day, you can assume your child’s account was not impacted. We shut down student portal access to IC this morning. We apologize for the inconvenience this will cause. We had hoped to keep IC access for students up through June 1 so that they could view final grades. Unfortunately, due to this possible breach, grades must be accessed through the parent portal. Additionally, Google accounts, where student user names could potentially be viewed, were shut down earlier this week. Accounts will be upgraded and security will be enhanced over the summer. If you need assistance with your parent portal access please contact Technology Services at (719) 488-4700.

At Lewis-Palmer School District 38, we value protecting student and staff data. We are committed to supporting the use of beneficial online teaching and learning resources, while keeping unnecessary data collection to a minimum. The following graphic shows a quick birds-eye view of some of the concrete steps we take to keep our staff informed and our data safe. Staff, please access the spreadsheet below to find the websites / tools that have already been vetted by our team. If you have a tool you’d like to get vetted, please contact your principal to ask how to do this. Ask us if you’re ever concerned or confused about wh

http://www.lewispalmer.org/Page/1578

Many questions remain about this district’s handling of student data. What personal data was accessed and is there a record of who accessed it? Also, the newly adopted technology and privacy policies seem suspect. According to the Complete Colorado news story,

During the meeting on Thursday, board member Sarah Sampayo was the only board member to recognize the concern. She brought it up as the district was discussing two new policies that deal with privacy and cyber rules. One policy asks parents and students to sign a waiver stating they understand there is no expectation of privacy when they use district technology, and the other protects the district against unauthorized use of its technology that may cause harm to a student.

Sampayo questioned the district’s technology director, Liz Walhof, about whether the district planned to make changes to the Gmail accounts. “How easily accessible is that uniquely identifying [student identification] number to the vast community,” Sampayo asked. “And is our kids’ information then protected because you can then log in … with just the kid’s ID number.”

Walhof said they continue to look into better formats, but added that right now it is not possible to issue an email without using the student’s ID number.

What are these two new technology policies?  The first, policy JS, states that “Students shall have no expectation of privacy when using district technology resources…Students should not expect that files stored on district resources will be kept private.”

It would seem this blanket waiver may violate existing federal laws, including COPPA and FERPA, as well as current Colorado privacy law and the impending new state law, which has stronger protections for student data transparency, privacy and security.

Students cannot waive all their rights to privacy in such a radical manner, even if the school district wants them to do so. School district officials can have access to personal student data but only those with a specific interest and responsibility to that child.  Also, although FERPA allows school officials to disclose personal student information to third parties, these exceptions are limited in law and regulation and restricted to those with legitimate educational interests, for the purposes of research, evaluation or audit, or in cases of health and safety emergencies.  Requiring students to waive all their privacy rights as this policy implies would thus seem to violate federal law.

In addition, posting online the log-in information for all students, including their ID numbers, and publicly advertising that the passwords to gain access are their birth dates – which are readily accessible to district employees and many others – appears to be an open invitation to breach the system.

The second new district policy, JS-E, further requires parents to waive any costs or claims from damages incurred by their children’s use of the school’s technology.

If districts and schools are mandating that students use these devices, they must be responsible for keeping their personal information safe. We urge parents in the Lewis Palmer School District to contact the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) and file a FERPA complaint, pointing out how the required blanket waiver appears to violate the privacy protections required under FERPA… The complaint form is here: http://familypolicy.ed.gov/sites/fpco.ed.gov/files/E_Complaint_Form-ED.EMVC_.001.1_SRXV2.v071015.pdf

The form can also be downloaded, filled out and emailed to [email protected]. If a parent needs help or advice with this, you can contact us at [email protected]

Lewis Palmer parents should also ask their district and school board to immediately commission an independent security audit, to address the weaknesses in the system and determine which individuals or companies may have improperly accessed student personal information. What specific data was breached? Was personal information in Infinite Campus accessed by Google, through their Apps for Education? Why were the same user ID and password used for both systems and advertised on the school website? Why was this practice not halted immediately once the vulnerability was brought to the school board’s attention last fall? Why were parents’ concerns dismissed?

In addition, parents should urge that their district immediately adopt other security protections such as encryption for student data and training for all school district employees.  See our five principles to protect student privacy for more on what policies and practices should be adopted by all school districts and states.

At the very least, we believe that this mishandling of student data reveals troubling negligence on the part of the school district. How Lewis Palmer resolves this breach should be a litmus test for other districts and should serve as a wake-up call for all parents and schools.

  • Cheri Kiesecker, Leonie Haimson and Rachael Stickland on behalf of Parent Coalition for Student Privacy