Danger Posed by Student-Data Breaches Prompts Action
Privacy advocates say the increased collection, storage, and sharing of educational data pose real threats to children and families, from identify theft to nuisance advertising, misguided profiling to increased surveillance of everyday activities.
There is even the potential for physical harm to students, alleges one Arizona legislator who authored a recently passed privacy law in response to complaints that low-income children had been subjected to unnecessary dental work by corporate-affiliated "mobile dentists" relying on easy access to school records.
But while some parents, advocates, and academics are raising alarms that sensitive student data are being poorly safeguarded and improperly shared, it remains difficult to document the scope of the harm caused by the misuse of such information.
For a decade, proponents have called for more and better use of data in K-12 schools, arguing that good information is critical to personalizing student learning, providing teachers with real-time feedback, and helping policymakers make smarter decisions. All states now have longitudinal data systems that track students' performance over time, and much of the technology that has flooded classrooms now records even children's smallest digital actions.
In recent months alone, however, districts and their vendors have lost laptops and flash drives containing student information, accidentally posted children's health information and Social Security numbers online, and improperly released individual student test scores.
An increasingly widespread business model is also cause for concern, privacy advocates say. In December, the Electronic Privacy Information Center, a Washington-based nonprofit, filed a complaint with the Federal Trade Commission accusing the popular financial-aid website Scholarships.com of selling sensitive student information to third-party marketers without adequate disclosures.
Experts say it’s difficult to know exactly how frequently school systems have their data compromised. Such instances can happen without anyone knowing, and they’re not always reported. But a review of recent news reports found some troubling incidents:
Loudoun County, Va.
The 71,000-student Loudoun County public schools was thrust into damage-control mode last month after an outside vendor, New York City-based Risk Solutions International, inadvertently uploaded and left unprotected some schools’ emergency evacuation plans, as well as “directory information” that included students’ names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories, according to the Washington Post.
Rich Contartesi, the Loudoun County district’s assistant superintendent of technology services, told Education Week that the biggest lesson learned is that districts must be vigilant in overseeing third-party contractors.
“You want to make sure that you know something about the business practices, processes, and physical plant of the companies that have your most sensitive information,” he said.
Last November, the district reported that 2,000 students participating in a free vision-examination program offered by the city had their names, dates of birth, gender, and ID numbers, as well as information from their exams, accidentally posted online.
In June, the Tallahassee Democrat reported that roughly 47,000 participants in state teacher-preparation programs had their personal information—including names and in some cases Social Security numbers—posted on the Internet for two weeks last spring. The information was being stored by Florida State University.
Long Island, N.Y.
The 12,000-student Sachem Central School District suffered three data-security breaches in recent months, including one in which the names, ID numbers, and designations for free-lunch programs of 15,000 former students were posted online, according to a Newsday report.
A 17-year-old student from Sachem North High School was arrested and accused of illegally downloading and posting the information last November, and pleaded not guilty to the charges, according to reports.
SOURCES: Education Week and news reports
"We don't have good data on how often this is happening in schools," said Joel R. Reidenberg, a professor of law and technology policy at Princeton and Fordham universities. "But essentially every adult American has had their financial information compromised. There's no reason to think the educational world is any better."
In 2012, the Gagnon family of Camp Verde, Ariz., became the face of public outrage over reports that some corporate-affiliated mobile dentists were performing unnecessary—and often traumatic—dental work on children from poor families in order to maximize reimbursements from the federal Medicaid program.
The Gagnon family sued Phoenix-based ReachOut Healthcare America, a company that provides administrative support to mobile dentists, after their medically fragile 4-year-old son, Isaac, was given two unauthorized and unnecessary "baby root canals" while being forcibly held down inside his school. The suit has since been settled, according to the family's attorney, who declined to comment on the specifics of the case.
In June of last year, the U.S. Senate Judiciary Committee concluded an investigation into complaints involving ReachOut Healthcare and four other corporate dental chains operating across 23 states. The committee found that the traumatic treatment endured by the Gagnon family was "not necessarily widespread" among ReachOut Healthcare's affiliated dentists, but criticized the company for failing to provide adequate oversight.
The committee also recommended that Nashville, Tenn.-based Church Street Health Management be excluded from the Medicaid program after a review of treatment records found that two-thirds of the baby root canals, or pulpotomies, performed at a Phoenix clinic operated by the company were likely unnecessary. The company, now known as CSHM, has since gone through bankruptcy proceedings and taken on new management, allowing for continued participation in the Medicaid program, said Perry Hall, a senior strategist for the public relations firm Lovell Communications.
Arizona state Sen. Kimberly Yee, a Republican, said inappropriate access to student records helped fuel the abuses by mobile dentists in her state and elsewhere.
ReachOut Healthcare's practice is to "make friends with employees on [school] campuses, particularly those in administrative or nursing offices, take them to lunch, and thereafter ask for student information databases," Ms. Yee maintained.
In response, she sponsored a bill, signed into law last year, strengthening the procedures for reporting violations related to the release of student directory information—which typically includes name, address, and phone number—to third-party vendors. Under the federal Family Educational Rights and Privacy Act, or FERPA, schools may disclose such information so long as parents are provided the opportunity to opt out of any such releases.
Ms. Yee said her goal was to maintain "the privacy of students on campuses from outside vendors who want to obtain [directory] lists to increase their client bases."
In an email, company spokesman Eric Tolkin wrote that "student directories are only used in approximately 2 percent of schools served by dentists affiliated with ReachOut Healthcare."
That would still involve thousands of students: In Arizona alone, dental teams affiliated with the company provided services to more than 100,000 children in 2010 and 2011, according to Mr. Tolkin.
In part because of parent complaints about unwanted solicitations made using student directory information, a number of districts, including the 37,000-student Peoria Unified School District outside Phoenix, have severed ties with the company.
"We let them know we wouldn't be able to continue the relationship given what seemed to be an abuse of that information," said Danielle Airey, the Peoria district's director of public relations.
Privacy advocates, though, offer few such specific examples of children being harmed as the direct result of having their personal information compromised.
The fallout from identity theft, for example, might not be known for years, especially when it involves children, said Mr. Reidenberg, the Fordham professor.
That's cause for concern, he said, given the volume and scope of accidental data breaches in K-12 systems. In 2009, for example, the Philadelphia-based Public Consulting Group, a private contractor of the Tennessee Department of Education, inadvertently left the names, addresses, dates of birth, and full Social Security numbers of more than 18,000 Nashville Public Schools students available online for more than two months. Affected families were notified of the breach and given free identity-theft and online-credit monitoring, according to Nashville school officials.
Just as alarming, advocates say, is that many businesses now encourage children, families, educators, and district officials to pay for online content and services with personal information.
In its FTC complaint over the "deceptive and unfair" business practices of Highland Park, Ill.-based Scholarships.com, the Electronic Privacy Information Center, or EPIC, accused the website of encouraging its 14 million users to provide sensitive information, then using an affiliated entity of the company known as American Student Marketing, or ASM, to sell that data to third-party marketers without adequate disclosures.
The site invites users to indicate their sexual orientation, if they are clinically depressed, if they have a drug addiction, and if they have parents who are illegal immigrants, among other pieces of information. According to the complaint, ASM then sells that information to marketers.
In an email, Scholarships.com said users have the option to provide the sensitive information referenced in EPIC's complaint, that such information is collected primarily to direct users to relevant scholarship opportunities, and that most third-party marketing comes from postsecondary institutions.
In a telephone interview, company vice president Kevin N. Ladd also suggested that using individuals' personal information to support targeted advertising is hardly unique to Scholarships.com.
Data proponents acknowledge the growing furor around privacy concerns, but say better security practices, clearer consent procedures, and improved contracting protocols can mitigate risks without dampening data's educational benefits.
Ms. Barnes of EPIC, though, stressed the need for a wide perspective on what those risks actually are.
"From our standpoint, the initial harm comes when the law is violated and when student consumers lose control over their data," she said.
Vol. 33, Issue 18, Pages 1, 11Published in Print: January 22, 2014, as Personal Danger of Data Breaches Prompts Action