Danger Posed by Student-Data Breaches Prompts Action
By Benjamin Herold
Privacy advocates say the increased collection, storage, and
sharing of educational data pose real threats to children and families, from
identity theft to nuisance advertising, misguided profiling to increased
surveillance of everyday activities.
There is even the potential for physical harm to students,
alleges one Arizona legislator who authored a recently passed privacy law in
response to complaints that low-income children had been subjected to
unnecessary dental work by corporate-affiliated "mobile dentists"
relying on easy access to school records.
But while some parents, advocates, and academics are raising
alarms that sensitive student data are being poorly safeguarded and improperly
shared, it remains difficult to document the scope of the harm caused by the
misuse of such information.
For a decade, proponents have called for more and better use
of data in K-12 schools, arguing that good information is critical to
personalizing student learning, providing teachers with real-time feedback, and
helping policymakers make smarter decisions. All states now have longitudinal
data systems that track students' performance over time, and much of the
technology that has flooded classrooms now records even children's smallest
digital actions.
In recent months alone, however, districts and their vendors
have lost laptops and flash drives containing student information, accidentally
posted children's health information and Social Security numbers online, and
improperly released individual student test scores.
An increasingly widespread business model is also cause for
concern, privacy advocates say. In December, the Electronic Privacy Information
Center, a Washington-based nonprofit, filed a complaint with the Federal Trade
Commission accusing the popular financial-aid website Scholarships.com of
selling sensitive student information to third-party marketers without adequate
disclosures.
School Data-Security Lapses
Experts say it’s difficult to know exactly how frequently
school systems have their data compromised. Such instances can happen without
anyone knowing, and they’re not always reported. But a review of recent news
reports found some troubling incidents:
Loudoun County, Va.
The 71,000-student Loudoun County public schools was thrust into
damage-control mode last month
after an outside vendor, New York City-based Risk Solutions International,
inadvertently uploaded and left unprotected some schools’ emergency evacuation
plans, as well as “directory information” that included students’ names,
addresses, telephone numbers, dates and places of birth, course schedules, and
attendance histories, according to the Washington Post.
Rich Contartesi, the Loudoun County district’s assistant
superintendent of technology services, told Education Week that the biggest
lesson learned is that districts must be vigilant in overseeing third-party
contractors.
“You want to make sure that you know something about the
business practices, processes, and physical plant of the companies that have
your most sensitive information,” he said.
Chicago
Last November, the district reported that 2,000 students
participating in a free vision-examination program offered by the city had their
names, dates of birth, gender, and ID numbers, as well as information from
their exams, accidentally posted online.
Florida
In June, the Tallahassee Democrat reported that roughly
47,000 participants in state teacher-preparation programs had their personal
information—including names and in some cases Social Security numbers—posted on
the Internet for two weeks last spring. The information was being stored by
Florida State University.
Long Island, N.Y.
The 12,000-student Sachem Central School District suffered
three data-security breaches in recent months, including one in which the
names, ID numbers, and designations for free-lunch programs of 15,000 former
students were posted online, according to a Newsday report.
A 17-year-old student from Sachem North High School was
arrested and accused of illegally downloading and posting the information last
November, and pleaded not guilty to the charges, according to reports.
"We don't have good data on how often this is happening
in schools," said Joel R. Reidenberg, a professor of law and technology
policy at Princeton and Fordham universities. "But essentially every adult
American has had their financial information compromised. There's no reason to
think the educational world is any better."
Inappropriate Access
In 2012, the Gagnon family of Camp Verde, Ariz., became the
face of public outrage over reports that some corporate-affiliated mobile
dentists were performing unnecessary—and often traumatic—dental work on
children from poor families in order to maximize reimbursements from the
federal Medicaid program.
The Gagnon family sued Phoenix-based ReachOut Healthcare
America, a company that provides administrative support to mobile dentists,
after their medically fragile 4-year-old son, Isaac, was given two unauthorized
and unnecessary "baby root canals" while being forcibly held down
inside his school. The suit has since been settled, according to the family's
attorney, who declined to comment on the specifics of the case.
In June of last year, the U.S. Senate Judiciary Committee
concluded an investigation into complaints involving ReachOut Healthcare and
four other corporate dental chains operating across 23 states. The committee
found that the traumatic treatment endured by the Gagnon family was "not
necessarily widespread" among ReachOut Healthcare's affiliated dentists,
but criticized the company for failing to provide adequate oversight.
The committee also recommended that Nashville, Tenn.-based
Church Street Health Management be excluded from the Medicaid program after a
review of treatment records found that two-thirds of the baby root canals, or
pulpotomies, performed at a Phoenix clinic operated by the company were likely
unnecessary. The company, now known as CSHM, has since gone through bankruptcy
proceedings and taken on new management, allowing for continued participation
in the Medicaid program, said Perry Hall, a senior strategist for the public
relations firm Lovell Communications.
Arizona state Sen. Kimberly Yee, a Republican, said
inappropriate access to student records helped fuel the abuses by mobile
dentists in her state and elsewhere.
ReachOut Healthcare's practice is to "make friends with
employees on [school] campuses, particularly those in administrative or nursing
offices, take them to lunch, and thereafter ask for student information databases,"
Ms. Yee maintained.
In response, she sponsored a bill, signed into law last
year, strengthening the procedures for reporting violations related to the
release of student directory information—which typically includes name,
address, and phone number—to third-party vendors. Under the federal Family
Educational Rights and Privacy Act, or FERPA, schools may disclose such
information so long as parents are provided the opportunity to opt out of any
such releases.
Ms. Yee said her goal was to maintain "the privacy of
students on campuses from outside vendors who want to obtain [directory] lists
to increase their client bases."
In an email, company spokesman Eric Tolkin wrote that
"student directories are only used in approximately 2 percent of schools served
by dentists affiliated with ReachOut Healthcare."
That would still involve thousands of students: In Arizona
alone, dental teams affiliated with the company provided services to more than
100,000 children in 2010 and 2011, according to Mr. Tolkin.
In part because of parent complaints about unwanted
solicitations made using student directory information, a number of districts,
including the 37,000-student Peoria Unified School District outside Phoenix,
have severed ties with the company.
"We let them know we wouldn't be able to continue the
relationship given what seemed to be an abuse of that information," said
Danielle Airey, the Peoria district's director of public relations.
Security Breakdown
Privacy advocates, though, offer few such specific examples
of children being harmed as the direct result of having their personal
information compromised.
The fallout from identity theft, for example, might not be
known for years, especially when it involves children, said Mr. Reidenberg, the
Fordham professor.
That's cause for concern, he said, given the volume and
scope of accidental data breaches in K-12 systems. In 2009, for example, the
Philadelphia-based Public Consulting Group, a private contractor of the
Tennessee Department of
Education, inadvertently left the names, addresses, dates of birth, and full
Social Security numbers of more than 18,000 Nashville Public Schools students
available online for more than two months. Affected families were notified of
the breach and given free identity-theft and online-credit monitoring,
according to Nashville school officials.
Just as alarming, advocates say, is that many businesses now
encourage children, families, educators, and district officials to pay for
online content and services with personal information.
Unfair Practices
In its FTC complaint over the "deceptive and
unfair" business practices of Highland Park, Ill.-based Scholarships.com,
the Electronic Privacy Information Center, or EPIC, accused the website of
encouraging its 14 million users to provide sensitive information, then using
an affiliated entity of the company known as American Student Marketing, or
ASM, to sell that data to third-party marketers without adequate disclosures.
The site invites users to indicate their sexual orientation,
if they are clinically depressed, if they have a drug addiction, and if they
have parents who are illegal immigrants, among other pieces of information.
According to the complaint, ASM then sells that information to marketers.
In an email, Scholarships.com said users have the option to
provide the sensitive information referenced in EPIC's complaint, that such
information is collected primarily to direct users to relevant scholarship
opportunities, and that most third-party marketing comes from postsecondary institutions.
In a telephone interview, company vice president Kevin N.
Ladd also suggested that using individuals' personal information to support
targeted advertising is hardly unique to Scholarships.com.
Data proponents acknowledge the growing furor around privacy
concerns, but say better security practices, clearer consent procedures, and
improved contracting protocols can mitigate risks without dampening data's
educational benefits.
Ms. Barnes of EPIC, though, stressed the need for a wide
perspective on what those risks actually are.
"From our standpoint, the initial harm comes when the
law is violated and when student consumers lose control over their data,"
she said.
Contributing Writer Michelle R. Davis contributed to this
article.
Vol. 33, Issue 18, Pages 1,11