Inadequate security of personal, private, and sensitive Information in school districts’ mobile computing devices – audit

I’ve often pointed out my concerns that public schools – at least those in New York that I’ve been in – do not seem to have adequate security in place for the vast troves of sensitive and confidential information they collect and retain.  So I was unsurprised to read that a recent  Office of the State Comptroller audit of 12 public school districts  found the majority lacked adequate security for personal, private, and sensitive information (PPSI) on Mobile Computing Devices (MCDs). The audit results were released on December 14, and cover the period from January 1, 2010, to May 4, 2012.

From the executive summary/press release:

Key Findings

  • The majority of the 12 districts did not have adequate security policies and procedures in place, increasing the risk that PPSI could be accessed and misused by unauthorized persons.
  • Our tests of a sample of 383 district-owned MCDs found PPSI on 71 (18.5 percent) of these devices. Without proper safeguards in place, any confidential data on these MCDs could be at risk of exposure.
  • None of the districts had developed a classification scheme or performed an inventory of the PPSI the districts possess.

The problems are evident in this statement in the report:

The sample of MCDs we initially selected included three MCDs (from three different districts) that we were unable to examine because one had been stolen and two had been lost. The district had filed a police report in the case of the stolen MCD. The districts had not realized that the other two devices were lost; it only became apparent that these two MCDs were lost when district officials were unable to locate the devices for our audit. Because we were unable to examine these devices, there is no way of knowing whether or not any of these MCDs contained PPSI, and whether adequate controls had been implemented on the devices to protect such information.

From the summary, the Key Recommendations:

  • Adopt formal written policies and procedures to ensure a sound IT environment and to protect PPSI in mobile computing devices.
  • Develop written policies and procedures that outline the proper access, use, and protection of PPSI on MCDs.
  • Complete a classification and inventory of information the district maintains to assign the appropriate security level to each type of data, and then conduct an inventory of PPSI stored on all electronic equipment to account for the confidential data maintained.

You can read the full audit report (2012-MR-2) here.

The state also issued letter reports to the following school districts: Bath [pdf]Cato-Meridian [pdf]East Rochester [pdf]Geneseo [pdf],Horseheads [pdf]Marcus Whitman [pdf]Odessa-Montour [pdf]Penfield [pdf]South Seneca [pdf]Victor [pdf]Weedsport [pdf] and Wheatland-Chili [pdf].  Most of the letters had passages like this one:

We found the District’s IT policies were nonexistent or inadequate in a few areas related to the security of PPSI. The District did not have policies governing remote access, the installation of hardware on District MCDs, or notification of affected parties in the event of a data breach. Further, the District does not have a written District-wide data classification scheme, and has not inventoried the PPSI in its possession. In addition, there was no email policy to address the use of PPSI or confidential information in email communications. Without adequate policies for protecting the security of PPSI, there is a significant risk that data, hardware, and software systems may be lost or damaged by inappropriate access and use.

Our audit identified certain vulnerabilities concerning PPSI. Because of the sensitive nature of these findings, they are not included in this report but have been communicated confidentially to District officials so they could take corrective action.

Even in the rare case where a district did have an encryption policy, it was not consistently implemented:

Although the District had an adequate policy for the encryption of mobile devices, the policy was not consistently monitored for compliance. Of the 45 MCDs we reviewed, 10 devices were not encrypted as the policy required, including one that contained PPSI. Further, there was no data breach notification policy, and the District’s email policy did not adequately address the use of PPSI or confidential information in email communications. District officials also had no Districtwide scheme for classifying PPSI according to risk, and had not conducted an inventory of all PPSI at the District.

I’m still waiting for them or the NYC Comptroller’s Office to conduct an updated audit of the NYC Education Department – for both Information Technology and security of PPSI in MCDs.

I wonder what would happen if parents started filing under FOI to obtain copies of their child’s district’s policies for security of PPSI on MCDs.  It could make for some interesting school board meetings.

About the author: Dissent