The state of data security – or lack thereof – in NY school districts
Yesterday, I posted an item about a Lindenhurst school district audit that indicated that a school district’s funds had been illegally transferred back in 2007 and that the district had not detected the problem. Last month, a similar situation occurred with the Duanesburg School District, also in New York.
Dee Alpert, publisher of The Special Education Muckraker, sent DataBreaches.net the following commentary:
It’s been reported that an upstate NY school district, Duanesburg, was the victim of a $3 million cyber theft in December 2009. NYS Comptroller Thomas DiNapoli announced today that a Long Island school district lost $600K due to hackers in 2007. http://www.osc.state.ny.us/press/releases/feb10/020410.htm.
The Long Island school district didn’t discover the hack since its finance and IT “experts” didn’t regularly check bank account info. and computer system logs. The FBI is handling both cases. Although the Long Island situation was discovered by the district’s bank over two years ago, the Comptroller reported that the district still hadn’t made all necessary (and elementary) changes needed to keep its IT system particularly secure by the time he finished the audit.
Over the last few years the NYS Comptroller has audited every one of the almost 700 districts in NYS and disclosed, with great regularity, truly dismal IT security situations. Districts with budgets of over $100 million per year often have less secure systems than the average home computer user. Many Comptroller-reported problems were not fixed by the time re-audits were done – years later. And the same security lapses have been reported in the last year’s district audits as were reported when these began being audited. There’s no learning curve for the NY school district industry when it comes to information security.
What’s worse? These districts tend to use the same systems for student-related data, all of which is hackable to the nth degree.
Names, addresses, health insurance information, parents’ names and contact information, health records, social security numbers, etc. For kids who have, or are suspected of having, disabilities, these records can include physicians’ and evaluating experts’ assessments, diagnoses, treatment recommendations, school psychologists’ evaluation reports, teachers’ notes on student and parent conferences, guidance counselors’ notes. These records are a goldmine for people who want to steal districts’ money *and* for those who want to steal personally-identifiable information. These files would be a bonanza for folks who’d like to open bogus credit card accounts in the name of high school students. Then there are the records for teachers, principals, aides, custodians … .
Now for the bad news. NY’s version of regional educational co-ops, called BOCES, have been audited and reportedly have as bad IT security problems as their member districts do. Because the BOCES are supposed to be really expert, they process a tremendous amount of highly confidential data, including Medicaid claims, for their districts.
The NYS Education Department is the only entity in the State of NY which has the legal authority to make districts and BOCES implement reasonable IT security. As far as we can tell, it hasn’t, and won’t. Ever! It certainly didn’t make districts and BOCES with bad IT security-related audit findings in prior years correct them all. *Au contraire!* In fact, Comptroller audits have shown time after time that State Ed. hasn’t made districts and BOCES implement many, sometimes most, audit recommendations relating to finances either. What is the United States Department of Education doing about this? As far as we can tell, nothing. It sends states checks, but seemingly doesn’t care if the money is then stolen.
What an education.
If the NYS Education Department would care to respond, I’ll post their response.