[BreachExchange] Maryland Delegate Promises New Legislation in Wake of Student Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 23 14:45:07 EST 2016


http://www.govtech.com/education/Maryland-Delegate-Promises-New-Legislation-in-Wake-of-Student-Data-Breach.html

A Maryland state legislator said he has been “stonewalled” in getting
information about a data breach affecting about 1,000 former Frederick
County students and will introduce legislation addressing what went wrong.

“If I, as a member of the Maryland General Assembly, cannot get answers,
then I cannot imagine how the young adults facing a life of looking over
their shoulders must feel,” Del. David E. Vogt III, R-District 4, wrote in
a statement his office sent The Frederick News-Post on Wednesday.

He said his legislation would give more meaningful assistance to victims of
the breach and would require stronger security for information in the
future.

The breach affected about 1,000 former students who attended Frederick
County Public Schools between November 2005 and November 2006. Their names,
birth dates and Social Security numbers were stolen before 2010.

The list has been visible recently on a website, where someone offered to
sell 20,000 Social Security numbers, with the associated birthdays and
names. The person posted 1,000 names and numbers as a sample. Many of the
1,000 have been confirmed as former Frederick County students.

The district started investigating the breach in September after getting a
tip from a former student whose name is on the list. District
representatives have said the investigation needed to be done before the
district contacted victims.

Former students identified on the website will be mailed a letter by the
end of the week, district spokesman Michael Doerrer said. The letters,
which had not been mailed as of 4 p.m. Wednesday, will notify past students
they were on the list and offer one year of credit monitoring.

Robert McGinley, who graduated from Walkersville High School in 2011,
started a petition online calling for the school system to offer seven
years of credit monitoring. The petition, posted at change.org, had more
than 500 signatures as of 6 p.m. Wednesday.

McGinley said his name was not listed on the website, but he is friends
with many people who were. He wants to know if his information is among the
20,000 identities that the website was offering for sale.

He is drafting a letter to send to Gov. Larry Hogan, along with the
petition once it gets 1,000 signatures.

Asked if the district would consider expanding the number of years of
credit service it will cover, Doerrer repeated that one year is the
industry standard for a data breach.

Former students on the list are starting careers and might not be able to
afford their own credit monitoring, which adds up, McGinley said.

“This is a $200 million mistake made by the state,” he said. “People get
identity theft monitoring because they did shady stuff online. They didn’t
do it because they went to school. ... That’s the main aggravating factor
in all this — we just went to school.”

Vogt said in his statement that he plans legislation in the upcoming
session requiring responsible organizations to provide up to five years of
free identity and credit monitoring services for victims of the FCPS breach
and future breaches.

He also will propose removing a requirement that FCPS and other systems
transmit students’ personal information to the state if the Maryland State
Department of Education “cannot maintain an industry-accepted standard in
their information technology systems.”

Frederick County Public Schools said Monday that it is likely that
students’ personal information was stolen from a state government computer
system, but the education department disputed that.

Vogt said he’s made it a priority to compel the department and Frederick
County Public Schools to release relevant information that can point to the
origin of the data breach, a rationalization for a several-month delay in
notifying victims and the number of students whose information is still
being sold online.

“Parents, former students, and concerned citizens are still waiting for
answers regarding the FCPS data breach — this legislator included,” his
statement says. “The personal information of thousands of Frederick County
students continues to be auctioned off in illegal online marketplaces, but
the government entities tasked with protecting this information would
rather engage in a nontransparent bureaucratic blame-game than admit
responsibility and provide citizens with the answers they now need to
protect themselves.”

“This situation is immensely serious, and the organizations involved should
prioritize what is best for the victims of this crime rather than what is
best for the images of their organizations,” he said.

Data breaches and student privacy are a large concern, said Marc Rotenberg,
the president and executive director of the Electronic Privacy Information
Center, a public interest research center that tracks news and legislation
on First Amendment and constitutional issues of privacy.

He said the typical practice after a breach is to notify victims and offer
credit monitoring. He thinks the district should do a thorough review of
security practices after personal information is compromised.

“I think organizations need to carefully consider whether they need to keep
the information,” he said. “If you can’t protect it, you shouldn’t collect
it.”

The subject of student data privacy has been especially important in recent
years because schools are under pressure to collect more information, such
as behavioral and family information, and make it available to third
parties for consulting or research, Rotenberg said. The more that
information is shared, the greater the risk it will be compromised, he said.

A Maryland Department of Legislative Services’ audit, released in April
2015, found the school system needs to enhance internal controls and
accountability for a number of its financial operations, including
procurement, contract monitoring, disbursements, human resources and
payroll processing, information system security and food service supplies.
The audit found FCPS had not taken steps to properly secure critical
computer applications and its network.