Friday, March 29, 2013

Protecting Data is Still YOUR Responsibility

Source: http://goo.gl/LsO12


Love this data about identity theft and K-12 schools...folks, we are failing on this and we need to do something about it.
Data breaches leave people six times more likely to become victims of identity theft, according to a survey this year by Javelin Research. Schools warn parents to monitor their children's credit after a data breach. But credit reports only turn up 1 percent of fraud on children's credit histories because thieves pair children's Social Security numbers with new names and birth dates, according to a study by Debix, which sells identity protection services...more than 18,000 child identity theft complaints were reported to the Federal Trade Commission, compared with about 6,500 cases in 2003. 
Only half of K-12 schools use encryption to scramble sensitive data in case it falls into the wrong hands, according to a February survey of more than 100 IT employees at K-12 schools nationwide.  School districts in 26 states now ask for students' Social Security numbers. One of those states is Texas, where education officials need those numbers to connect K-12 records to higher education and workforce data, according to Debbie Ratcliffe, a spokeswoman for the Texas Education Agency.
Ratcliffe said the agency takes pains to protect sensitive student information, storing data behind firewalls and using other identifying information in most data sets. But last year, the agency asked eight Texas school districts to send confidential student information, including Social Security numbers, through the mail on unencrypted CDs for research purposes. (Source: http://www.huffingtonpost.com/2011/12/15/students-identity-theft_n_1140119.html)
Why am I bringing this up? Earlier this week, a colleague shared this question:
How does your District share confidential documents via email?  We are looking at ways to potentially email SpEd, Finance, HR data etc.  
Ideally we'd like to find a way to attach secure documents within Google Apps.
I promptly shared a proposal a colleague and I had put together and that goes for review next week. That information elicited this response:
Can you not upload the documents to Drive and then share with the intended audience?
My response included the following epistle typed on my mobile phone:

Yes, however data remains unencrypted and now is stored that way in the cloud. Some prefer data to be encrypted before it leaves your computer so that in case of a breach, you are protected by safe harbor...in that case, you don't have to report loss of unencrypted data. 
Encrypted = safe harbor
Unencrypted = pay for identity theft protection, public scandal 
Boxcryptor.com is an interesting cross-device tool to use that is designed for encryption implementation in cloud storage, including Drive, box.net, Dropbox, etc. It won't work for emailing files but adds security when storing confidential data in the cloud. Free for personal use, available on Android, iOS, Windows, Mac. 
You can also 7zip compress files with AES-256 encryption turned on. 7zip.org for Windows, Keka for Mac are two tools to use. 
My preference is to encrypt confidential data before storing it in the cloud when possible. AESCRYPT.COM is an easy cross-platform way to do that...Linux, Mac, Windows...not Chromebook 
For Chromebook, I use the Mailvelope app. Works great to encrypt on-screen content, although it uses public/private key encryption which can be confusing for newbies.
Neither Boxcryptor nor Mailvelope would work well in a larger org IMHO. Solid personal tools, though.
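
The 7-Zip step mentioned in the message above, sketched as an added example that is not part of the original post or email. It assumes a 7-Zip command-line binary (7z, 7zz or 7za) is installed; the function names, return codes and the 16-character passphrase minimum are illustrative choices, not anything 7-Zip or the author prescribes.

```shell
#!/bin/sh
# Added example: encrypt one file into an AES-256 7z archive before it is
# uploaded or attached, then verify the result.

# Print the name of whichever 7-Zip CLI is installed (assumed names).
find_7z() {
    for c in 7z 7zz 7za; do
        command -v "$c" >/dev/null 2>&1 && { echo "$c"; return 0; }
    done
    return 1
}

# encrypt_for_upload SRC DEST PASSPHRASE
# Returns 0 on success, 1 if 7-Zip fails, 2 if the archive can be listed
# without the passphrase, 3-6 for the precondition failures below.
encrypt_for_upload() {
    src=$1; dest=$2; pass=$3
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 4; }
    # Illustrative minimum length; AES-256 is only as strong as the passphrase.
    [ "${#pass}" -ge 16 ] || { echo "passphrase too short" >&2; return 5; }
    # "7z a" adds to an existing archive, so refuse to reuse a name.
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 6; }
    z=$(find_7z) || { echo "7-Zip CLI not found" >&2; return 3; }

    # -t7z    : 7z container, whose encryption is AES-256
    # -mhe=on : also encrypt the header, so file names (which may contain
    #           student names or IDs) are hidden as well as file contents
    # -pPASS  : passphrase on the command line is visible to other local
    #           users in the process list; at a keyboard, use a bare -p
    #           and let 7-Zip prompt for it instead
    "$z" a -t7z -mhe=on -p"$pass" "$dest" "$src" >/dev/null || return 1

    # The archive must pass an integrity test with the right passphrase...
    "$z" t -p"$pass" "$dest" >/dev/null 2>&1 || return 1

    # ...and must not even list its contents with a wrong one.
    if "$z" l -p"not-the-passphrase" "$dest" </dev/null >/dev/null 2>&1; then
        echo "archive lists without the passphrase" >&2
        rm -f "$dest"
        return 2
    fi
    return 0
}
```

Share the passphrase with the recipient through a different channel than the archive itself; the plaintext original still has to be handled separately.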

Of course, I've mentioned these tools before here at Around the Corner. The response to this message was:
Somehow I don't expect to see this in my lifetime, but doesn't this point to the shortcomings of using attachments to emails as a way of disseminating sensitive information?  I must admit I am personally finding it very hard to kick the habit of nearly thirty years, but attaching files to then send to different places would seem crazy if it were invented today...
And here's my long response:


Thanks for the opportunity to share. To respond to your point quite simply: Yes, attachments are antiquated and people still do it. You know, that answer works for weight loss, too. :-)

For fun, some other thoughts:

Email is firmly entrenched in K-12 education among administrators, clerical staff, as THE way to share information. We have many options available to us, from network drives (in some places), intranet servers, WebDAV solutions like OwnCloud.org or just plain Windows Server-based, etc. But people keep coming back--in spite of professional learning--to the old standby. That's why entrenched IT directors (read old type) avoid switching to cloud-based email for core users; encrypted emails in a district-hosted Exchange server is their preference (yuck!). Fortunately, they're wrong about security or we'd all still be paying hundreds of thousands of dollars for MS Exchange or figuring out how to do SquirrelMail.

Another problem is that the users who have the most access to confidential data are the ones who still use MS Excel--because it "allows you to do more with data than Google Sheets"--and they'd rather not switch. So, in crafting a confidential data protection plan, this is the type of user you're dealing with...the one who slaps a password on their MS Excel spreadsheet then emails it to the people who need it.

The question of Family Educational Rights and Privacy Act (FERPA) compliance was raised during most sessions. Session attendees appeared to be comfortable with the typical subsequent discussion pointing out that FERPA compliance is more a task of user behavior rather than infrastructure, and that the features within Google Apps allow FERPA compliance. (Source: http://edtechlife.com/?p=2236)
And, we're increasingly mobile. People still lose USB flash drives, even when they are driving just from one campus to another, walking out the door. Laptops still disappear, lost or stolen. Data encryption needs are on the rise, whether the data is attached to email, uploaded to intranet/internet/cloud storage, saved on a USB flash or external hard drive, or at home on someone's laptop. The loss of confidential data still has the same consequences.

K-12 educators and support staff are largely unaware of the threats and vulnerabilities associated with the information systems they use.  For example, private student data can be stolen, lost, and/or exposed to the public. This threat is especially pertinent as educators and support staff are obligated to protect sensitive information such as Student Test Numbers under the Family Educational Rights and Privacy Act, or FERPA, which is one of the nation’s strongest privacy protection laws.  These individuals need opportunities to learn about the threats and countermeasures associated with information protection. (Source: Purdue University - Data Security in K-12)

The other issue that's frustrating, as you know, is the low-tech level of end users. Even as the technology gets easier to use--speeding the dissemination of confidential data onto various mobile devices--end-user effort to learn how to protect that data remains easier. That's why "enterprise level encryption" in K-12 is an option that's difficult to implement.

As for putting confidential data into GoogleDrive, let's remember that the FERPA responsibility is the District's, not Google's. If we screw up--we post unencrypted confidential data into GoogleDrive--then that's a decision and responsibility that falls on the District staff that took that step.

If my reasoning is faulty in this, please point it out. 






Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

