Scott Travis reports:
When the Broward School District learned that hackers may have accessed the personal data of thousands of people from district servers, its response was to hide and delay.
The district took extraordinary steps to keep the public, including 50,000 potential victims, from learning about ransomware attacks that took place from November 2020 to March 2021, a South Florida Sun Sentinel investigation has found.
Read more at the Sun Sentinel. It’s a long read detailing all the myriad ways the district not only failed to be timely transparent, but discussed how NOT to be transparent and how NOT to respond transparently to freedom of information requests from the journalist.
One of the points in the story deals with the district obtaining only a verbal report from consultants so that there was no written document that might have to be produced in response to open records laws or discovery. As this blogger told Travis, this is not the first time I have seen that — avoiding having written reports that might show negligence in security is something this site reported in another case more than 8 years ago. But to the extent that this might be becoming a trend/common strategy used by law firms or advisors on incident response, it is concerning and legislators need to protect the public — not the entities — by insisting on public records for accountability.