Law & Courts

Danger Posed by Student-Data Breaches Prompts Action

By Benjamin Herold — January 22, 2014 7 min read
  • Save to favorites
  • Print

Privacy advocates say the increased collection, storage, and sharing of educational data pose real threats to children and families, from identify theft to nuisance advertising, misguided profiling to increased surveillance of everyday activities.

There is even the potential for physical harm to students, alleges one Arizona legislator who authored a recently passed privacy law in response to complaints that low-income children had been subjected to unnecessary dental work by corporate-affiliated “mobile dentists” relying on easy access to school records.

But while some parents, advocates, and academics are raising alarms that sensitive student data are being poorly safeguarded and improperly shared, it remains difficult to document the scope of the harm caused by the misuse of such information.

For a decade, proponents have called for more and better use of data in K-12 schools, arguing that good information is critical to personalizing student learning, providing teachers with real-time feedback, and helping policymakers make smarter decisions. All states now have longitudinal data systems that track students’ performance over time, and much of the technology that has flooded classrooms now records even children’s smallest digital actions.

In recent months alone, however, districts and their vendors have lost laptops and flash drives containing student information, accidentally posted children’s health information and Social Security numbers online, and improperly released individual student test scores.

An increasingly widespread business model is also cause for concern, privacy advocates say. In December, the Electronic Privacy Information Center, a Washington-based nonprofit, filed a complaint with the Federal Trade Commission accusing the popular financial-aid website Scholarships.com of selling sensitive student information to third-party marketers without adequate disclosures.

School Data-Security Lapses

Experts say it’s difficult to know exactly how frequently school systems have their data compromised. Such instances can happen without anyone knowing, and they’re not always reported. But a review of recent news reports found some troubling incidents:

Loudoun County, Va.
The 71,000-student Loudoun County public schools was thrust into damage-control mode last month after an outside vendor, New York City-based Risk Solutions International, inadvertently uploaded and left unprotected some schools’ emergency evacuation plans, as well as “directory information” that included students’ names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories, according to the Washington Post.

Rich Contartesi, the Loudoun County district’s assistant superintendent of technology services, told Education Week that the biggest lesson learned is that districts must be vigilant in overseeing third-party contractors.

“You want to make sure that you know something about the business practices, processes, and physical plant of the companies that have your most sensitive information,” he said.

Chicago
Last November, the district reported that 2,000 students participating in a free vision-examination program offered by the city had their names, dates of birth, gender, and ID numbers, as well as information from their exams, accidentally posted online.

Florida
In June, the Tallahassee Democrat reported that roughly 47,000 participants in state teacher-preparation programs had their personal information—including names and in some cases Social Security numbers—posted on the Internet for two weeks last spring. The information was being stored by Florida State University.

Long Island, N.Y.
The 12,000-student Sachem Central School District suffered three data-security breaches in recent months, including one in which the names, ID numbers, and designations for free-lunch programs of 15,000 former students were posted online, according to a Newsday report.

A 17-year-old student from Sachem North High School was arrested and accused of illegally downloading and posting the information last November, and pleaded not guilty to the charges, according to reports.

SOURCES: Education Week and news reports

“We don’t have good data on how often this is happening in schools,” said Joel R. Reidenberg, a professor of law and technology policy at Princeton and Fordham universities. “But essentially every adult American has had their financial information compromised. There’s no reason to think the educational world is any better.”

Inappropriate Access

In 2012, the Gagnon family of Camp Verde, Ariz., became the face of public outrage over reports that some corporate-affiliated mobile dentists were performing unnecessary—and often traumatic—dental work on children from poor families in order to maximize reimbursements from the federal Medicaid program.

The Gagnon family sued Phoenix-based ReachOut Healthcare America, a company that provides administrative support to mobile dentists, after their medically fragile 4-year-old son, Isaac, was given two unauthorized and unnecessary “baby root canals” while being forcibly held down inside his school. The suit has since been settled, according to the family’s attorney, who declined to comment on the specifics of the case.

In June of last year, the U.S. Senate Judiciary Committee concluded an investigation into complaints involving ReachOut Healthcare and four other corporate dental chains operating across 23 states. The committee found that the traumatic treatment endured by the Gagnon family was “not necessarily widespread” among ReachOut Healthcare’s affiliated dentists, but criticized the company for failing to provide adequate oversight.

The committee also recommended that Nashville, Tenn.-based Church Street Health Management be excluded from the Medicaid program after a review of treatment records found that two-thirds of the baby root canals, or pulpotomies, performed at a Phoenix clinic operated by the company were likely unnecessary. The company, now known as CSHM, has since gone through bankruptcy proceedings and taken on new management, allowing for continued participation in the Medicaid program, said Perry Hall, a senior strategist for the public relations firm Lovell Communications.

Arizona state Sen. Kimberly Yee, a Republican, said inappropriate access to student records helped fuel the abuses by mobile dentists in her state and elsewhere.

ReachOut Healthcare’s practice is to “make friends with employees on [school] campuses, particularly those in administrative or nursing offices, take them to lunch, and thereafter ask for student information databases,” Ms. Yee maintained.

In response, she sponsored a bill, signed into law last year, strengthening the procedures for reporting violations related to the release of student directory information—which typically includes name, address, and phone number—to third-party vendors. Under the federal Family Educational Rights and Privacy Act, or FERPA, schools may disclose such information so long as parents are provided the opportunity to opt out of any such releases.

Ms. Yee said her goal was to maintain “the privacy of students on campuses from outside vendors who want to obtain [directory] lists to increase their client bases.”

In an email, company spokesman Eric Tolkin wrote that “student directories are only used in approximately 2 percent of schools served by dentists affiliated with ReachOut Healthcare.”

That would still involve thousands of students: In Arizona alone, dental teams affiliated with the company provided services to more than 100,000 children in 2010 and 2011, according to Mr. Tolkin.

In part because of parent complaints about unwanted solicitations made using student directory information, a number of districts, including the 37,000-student Peoria Unified School District outside Phoenix, have severed ties with the company.

“We let them know we wouldn’t be able to continue the relationship given what seemed to be an abuse of that information,” said Danielle Airey, the Peoria district’s director of public relations.

Security Breakdown

Privacy advocates, though, offer few such specific examples of children being harmed as the direct result of having their personal information compromised.

The fallout from identity theft, for example, might not be known for years, especially when it involves children, said Mr. Reidenberg, the Fordham professor.

That’s cause for concern, he said, given the volume and scope of accidental data breaches in K-12 systems. In 2009, for example, the Philadelphia-based Public Consulting Group, a private contractor of the Tennessee Department of Education, inadvertently left the names, addresses, dates of birth, and full Social Security numbers of more than 18,000 Nashville Public Schools students available online for more than two months. Affected families were notified of the breach and given free identity-theft and online-credit monitoring, according to Nashville school officials.

Just as alarming, advocates say, is that many businesses now encourage children, families, educators, and district officials to pay for online content and services with personal information.

Unfair Practices

In its FTC complaint over the “deceptive and unfair” business practices of Highland Park, Ill.-based Scholarships.com, the Electronic Privacy Information Center, or EPIC, accused the website of encouraging its 14 million users to provide sensitive information, then using an affiliated entity of the company known as American Student Marketing, or ASM, to sell that data to third-party marketers without adequate disclosures.

The site invites users to indicate their sexual orientation, if they are clinically depressed, if they have a drug addiction, and if they have parents who are illegal immigrants, among other pieces of information. According to the complaint, ASM then sells that information to marketers.

In an email, Scholarships.com said users have the option to provide the sensitive information referenced in EPIC’s complaint, that such information is collected primarily to direct users to relevant scholarship opportunities, and that most third-party marketing comes from postsecondary institutions.

In a telephone interview, company vice president Kevin N. Ladd also suggested that using individuals’ personal information to support targeted advertising is hardly unique to Scholarships.com.

Data proponents acknowledge the growing furor around privacy concerns, but say better security practices, clearer consent procedures, and improved contracting protocols can mitigate risks without dampening data’s educational benefits.

Ms. Barnes of EPIC, though, stressed the need for a wide perspective on what those risks actually are.

“From our standpoint, the initial harm comes when the law is violated and when student consumers lose control over their data,” she said.

Contributing Writer Michelle R. Davis contributed to this article.
A version of this article appeared in the January 22, 2014 edition of Education Week as Personal Danger of Data Breaches Prompts Action

Events

Jobs Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and other jobs in K-12 education at the EdWeek Top School Jobs virtual career fair.
Ed-Tech Policy Webinar Artificial Intelligence in Practice: Building a Roadmap for AI Use in Schools
AI in education: game-changer or classroom chaos? Join our webinar & learn how to navigate this evolving tech responsibly.
Education Webinar Developing and Executing Impactful Research Campaigns to Fuel Your Ed Marketing Strategy 
Develop impactful research campaigns to fuel your marketing. Join the EdWeek Research Center for a webinar with actionable take-aways for companies who sell to K-12 districts.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Law & Courts When Blocking Social Media Critics, School Officials Have Protections, Supreme Court Says
The court said public officials' own pages may be "state action," but only when they are exercising government authority.
6 min read
An American flag waves in front of the Supreme Court building on Capitol Hill in Washington, on Nov. 2, 2020.
An American flag waves in front of the Supreme Court building on Capitol Hill in Washington, on Nov. 2, 2020.
Patrick Semansky/AP
Law & Courts Oklahoma Nonbinary Student's Death Shines a Light on Families' Legal Recourse for Bullying
Students facing bullying and harassment from their peers face legal roadblocks in suing districts, but settlements appear to be on the rise
11 min read
A photograph of Nex Benedict, a nonbinary teenager who died a day after a fight in a high school bathroom, is projected during a candlelight service at Point A Gallery, on Feb. 24, 2024, in Oklahoma City. Federal officials will investigate the Oklahoma school district where Benedict died, according to a letter sent by the U.S. Department of Education on March 1, 2024.
A photograph of Nex Benedict, a nonbinary teenager who died a day after a fight in a high school restroom, is projected during a candlelight service at Point A Gallery, on Feb. 24, 2024, in Oklahoma City. Federal officials will investigate the Oklahoma school district where Benedict died, according to a letter sent by the U.S. Department of Education on March 1, 2024.
Nate Billings/The Oklahoman via AP
Law & Courts Supreme Court Declines Case on Selective High School Aiming to Boost Racial Diversity
Some advocates saw the K-12 case as the logical next step after last year's decision against affirmative action in college admissions
7 min read
Rising seniors at the Thomas Jefferson High School for Science and Technology gather on the campus in Alexandria, Va., Aug. 10, 2020. From left in front are, Dinan Elsyad, Sean Nguyen, and Tiffany Ji. From left at rear are Jordan Lee and Shibli Nomani. A federal appeals court’s ruling in May 2023 about the admissions policy at the elite public high school in Virginia may provide a vehicle for the U.S. Supreme Court to flesh out the intended scope of its ruling Thursday, June 29, 2023, banning affirmative action in college admissions.
A group of rising seniors at the Thomas Jefferson High School for Science and Technology gather on the campus in Alexandria, Va., in August 2020. From left in front are, Dinan Elsyad, Sean Nguyen, and Tiffany Ji. From left at rear are Jordan Lee and Shibli Nomani. The U.S. Supreme Court on Feb. 20 declined to hear a challenge to an admissions plan for the selective high school that was facially race neutral but designed to boost the enrollment of Black and Hispanic students.
J. Scott Applewhite/AP
Law & Courts School District Lawsuits Against Social Media Companies Are Piling Up
More than 200 school districts are now suing the major social media companies over the youth mental health crisis.
7 min read
A close up of a statue of the blindfolded lady justice against a light blue background with a ghosted image of a hands holding a cellphone with Facebook "Like" and "Love" icons hovering above it.
iStock/Getty