[BreachExchange] Hilliard City Schools evaluating protocols after releasing 4,200 names of students in public-information request

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Mar 3 10:08:16 EST 2022


https://www.dispatch.com/story/news/local/communities/hilliard/2022/03/02/hilliard-schools-re-examining-public-information-protocols/9334290002/

Hilliard City Schools leaders are reviewing protocols related to
public-information requests after learning Feb. 27 the district released
the identity of students who were subject to disciplinary measures.

“This was a mistake (and) we need to be better. ... Steps are being taken
to ensure that it won’t happen again,” Superintendent David Stewart said.

The release of student data appeared to have occurred because information a
district employee intended to redact from an Excel spreadsheet remained in a
copied file, he said.

The names of about 4,200 students were released, as well as the
circumstances of their discipline, Stewart said.

The district did not identify who made the public-information request, but
Hilliard City Council member and district parent Omar Tarazi told ThisWeek
that he asked the district to provide disciplinary records in compliance
with the Family Educational Rights and Privacy Act.

FERPA is a federal law that protects the privacy of student education
records. The law applies to all schools that receive funds under an
applicable program of the U.S. Department of Education, according to the
department's website.

Tarazi, an attorney, said the request was made to discover the frequency of
and the nature of disciplinary action in the school district during the
past five years.

“In collaboration and consultation with a few school board members I am
working with on a research project, I made the request for district-level
teacher and student survey data, as well as district-level discipline
records,” Tarazi said. “The request was explicit that all student
identification must be removed and must not be shared. Despite this, the
district emailed the master Excel file containing all records relating to
students with a discipline history.

“I caught the unauthorized disclosure and followed up with the small group
who were copied on the emails to make sure everyone deleted it, and I
informed the district of the breach. This was a very serious error on the
part of the district, and they need to make sure it never happens again."

Stacie Raterman, director of communications for Hilliard schools, said
district leaders are taking the matter “very seriously.”

“We are committed to doing better moving forward and certain our new
protocols will create safeguards so this never happens again,” Raterman
said.

Those protocols include only releasing documents in a PDF format, she said.

“In our effort to work with him and make the data easier for him to see, we
sent the Excel file,” Raterman said.

The district sent an email Feb. 18 to Tarazi, Stewart and board members
Beth Murdoch and Nadia Long that contained the Excel file, Raterman said.

On Feb. 27, Tarazi sent an email to Raterman, Stewart, and all five board
members, reporting the receipt of the email and informing them the file
contained student data.

In his email, Tarazi said he made the request Jan. 25 and received the
district's response Feb. 18.

Six school district employees and the district's legal counsel collaborated
on the response, according to Tarazi, who said he believed he possessed
only the information he was entitled to under public-records laws and as
described in the email he received from the district.

In his Feb. 27 email, Tarazi wrote: "Unfortunately, despite the fact that I
explicitly said do not provide student identification information, and that
it is illegal to provide, the disclosed Excel file contains within it every
single discipline record for every single student by name and student ID
for the entire district from 2017-2022. This amounts to the personal
discipline records of about 4,240 students. For each student, the file
contains personal information like: the student’s name, student ID number,
gender, race code and description, disability code and description, LEP
status and description, whether the student is ESL, or has an IEP, the
incident date, time, incident description, and what disciplinary actions
were taken by the school towards that student."

Tarazi's email said he didn't open the file attachment until after he had
forwarded it to "a number of others who were similarly interested in
looking at the data."

The email was forwarded to seven people, including two members of Hilliard
City Council, two teachers, two parents and board member Zach Vorst, before
he realized the file contained personal information, according to Tarazi.

"I have since contacted those individuals and asked them to delete the
emailed files," Tarazi wrote. "Nevertheless, this data breach represents a
stunning act of incompetence on the part of the district administration and
should have never happened. There obviously needs to be immediate
accountability and transparency to make sure this never happens again."

“Our attorney spoke to the recipient of the information and confirmed the
records had been destroyed," Raterman said. "We appreciate the recipient’s
assistance in protecting the data of our students."

The information did not include Social Security numbers, birth dates,
addresses or phone numbers, Raterman said.

“This was not a request targeting any individual student in the district,"
she said. "Instead, this was part of a large data pull, including aggregate
student data, professional development records, district financial records
and more."

The district notified most affected students and parents by email Feb. 27,
and it contacted those for whom the district has no email by mail, Raterman
said.

Parents also were provided a telephone number to reach the district,
Stewart said.

Among the 80 or so families who called Feb. 28, most accepted the incident
as a mistake after learning that no student was “targeted” but rather
information about all students had been disclosed, Stewart said.

Murdoch offered a public apology Feb. 28 and shared that her child’s name
was included in the file.

“I’m deeply sorry,” Murdoch said.

There is no criminal liability for violating FERPA, so lawsuits against the
district would be unlikely, according to Fred Gittes, a Columbus attorney
with expertise in open records.

But it is possible, if complaints were filed with the U.S. Department of
Education, for an administrative remedy, Gittes said. If an investigation
were ordered and certain factors, such as whether it was a repeat
violation, were found, federal funding could be withheld as a consequence,
he said.