Note: This is part of a Securing Confidential Data online course.
Be a Responsible Digital Citizen
Did you know that students in Grades 6-8, and by extension all educators in Texas, are expected to practice safe and appropriate online behavior, personal security guidelines, digital identity, digital etiquette, and acceptable use of technology; and understand the negative impact of inappropriate technology use, including online bullying and harassment, hacking, intentional virus setting, invasion of privacy, and piracy such as software, music, video, and other media (Source: TEKS Chapter 126; 5 C-D)?
Personal security guidelines and preventing hacking are key aspects of digital citizenship, and both are addressed by learning how to better safeguard confidential data. Doing so can prevent data security breaches that can be embarrassing to school districts.
Why Secure Data?
A data security breach occurs any time there is unauthorized access to school district data, including FERPA data. Lost laptops are the main cause of data breaches.
There are many reasons why you should protect the information you use on your computer, including:
- Ensuring that your information remains confidential, so that only those who should access it can
- Knowing that no one has been able to change your information, so you can depend on its accuracy (information integrity)
- Making sure that your information is available when you need it (by making back-up copies and, if appropriate, storing the back-up copies off-site)
Consequences of NOT Securing Data
There can be various consequences to not securing data, such as the following:
- Direct costs are incurred by school districts for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
- The cost of paying for credit protection for individuals affected.
- The school district may suffer damage to reputation.
- Staff may be disciplined or terminated depending on the severity of the data breach.
Laptop theft facts that make encryption of confidential data important:
- Statistics show that as many as one in ten laptops will be stolen or lost from an organization over the lifetime of each computer.
- 86% of security practitioners report that someone in their organization has had a laptop lost or stolen.
- 56% report that it resulted in a data breach.
- Encryption of data stops cyber criminals from stealing data on laptops.
Ninety-seven percent of stolen computers are NEVER recovered. That means that confidential data could be out there indefinitely, waiting like a time-bomb to explode until someone discovers it and then uses it.
The following represent case studies for Texas school districts that suffered a data breach (Source: PrivacyRights.org) during the 2011-2013 calendar years:
- Texas School Districts:
- San Antonio, TX Large Urban District: An April 19 car burglary resulted in the exposure of student information. An external hard drive containing letters associated with students who applied to the [name of campus removed] was stolen from a teacher's car. The letters contained applicant names, Social Security numbers, dates of birth, home addresses, phone numbers, and previous school district information.
- Texas School District: The District discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website. Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website.
- Texas School District: Two students may face criminal charges for hacking into the School District's network server and accessing a file with 14,500 student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.
- Texas School District: Hackers accessed a District server and were able to collect the personal information of students, teachers and other employees. There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district's internal network (myepisd.org). The District was not aware of the breach until a computer security company noticed hackers bragging about breaking into the District's system. Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers.
- Texas School District: Between August 2010 and January 2011, CDs that were mailed to the Texas Education Agency (TEA) were lost. The CDs were unencrypted and contained student Social Security numbers, dates of birth and ethnicity. The CDs were sent to TEA so that identifying information could be removed and the information could be passed along to the University of Texas at Dallas Education Research Center. According to a TEA spokesperson, the ISD’s data set is missing from a set of other district information that was sent. Though the TEA claims that only Laredo student information was exposed, the information of 164,406 students from eight Texas school districts was sent. The information on the unencrypted disks goes back 20 years. This information includes current and former students in the top 10% of their class who graduated between 1992-2010 from [various] school districts.
- Texas University: Alumni who graduated before 1985 and requested copies of their transcripts may have been affected by a breach involving accidental disclosure. Certain alumni had their names, Social Security numbers, addresses, and telephone numbers in an electronic file that was emailed to an individual who would not normally have access to such information. The person who received the email notified the organization.
- Texas Law School: An administrative error resulted in recently admitted students receiving an email with the information of all recently admitted students. Student names, addresses, grades, LSAT scores, race, scholarship amount, and other types of personal information were available in the email attachment. No Social Security numbers or dates of birth were in the emailed spreadsheet. Students were encouraged to treat the data with the confidentiality of a lawyer and immediately delete the email.
What could have been done differently in each of these cases? The data could have been encrypted, whether it was being transmitted via email or stored on a computer, USB flash drive or web site. Encrypting the confidential data is the single most important step that could have been taken.
What should be encrypted?
Encrypt all critical files on your device; any of the following items is considered “critical”:
- Name, address and birth date. This information can be used in combination with other data to impersonate you.
- Documents with Social Security numbers in them.
- Documents with credit card numbers, bank account information, etc.
- Any information that might be considered confidential. This can be your spouse or child’s medical information, house insurance, etc.
- FERPA data
Personally Identifiable Information (PII)
To better protect District staff and students, campuses and departments should avoid public displays of personally identifiable information that is not appropriate for a professional setting. Examples of these include--but are not limited to--the following:
- Names, such as nicknames, maiden name, mother’s maiden name, or alias.
- Personal identification numbers, such as Social Security number, passport number, driver’s license number, taxpayer identification number, financial account or credit card number.
- Home mailing address information, such as street address or personal email address.
- Your years of marriage, the name of your spouse and/or children, as well as relatives.
- Date of birth, place of birth, race, religion, weight, activities, geographical indicators, medical information, financial information.
Do not post the information for any individual staff member--or student as defined in the Family Educational Rights and Privacy Act (FERPA)--on the Web, send it via email, or store it on portable media (including laptops, USB flash drives, mobile phones) unless it is unavoidable and the data is encrypted.
Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.