Law & Courts

Danger Posed by Student-Data Breaches Prompts Action

By Benjamin Herold — January 22, 2014 7 min read
  • Save to favorites
  • Print

Privacy advocates say the increased collection, storage, and sharing of educational data pose real threats to children and families, from identify theft to nuisance advertising, misguided profiling to increased surveillance of everyday activities.

There is even the potential for physical harm to students, alleges one Arizona legislator who authored a recently passed privacy law in response to complaints that low-income children had been subjected to unnecessary dental work by corporate-affiliated “mobile dentists” relying on easy access to school records.

But while some parents, advocates, and academics are raising alarms that sensitive student data are being poorly safeguarded and improperly shared, it remains difficult to document the scope of the harm caused by the misuse of such information.

For a decade, proponents have called for more and better use of data in K-12 schools, arguing that good information is critical to personalizing student learning, providing teachers with real-time feedback, and helping policymakers make smarter decisions. All states now have longitudinal data systems that track students’ performance over time, and much of the technology that has flooded classrooms now records even children’s smallest digital actions.

In recent months alone, however, districts and their vendors have lost laptops and flash drives containing student information, accidentally posted children’s health information and Social Security numbers online, and improperly released individual student test scores.

An increasingly widespread business model is also cause for concern, privacy advocates say. In December, the Electronic Privacy Information Center, a Washington-based nonprofit, filed a complaint with the Federal Trade Commission accusing the popular financial-aid website Scholarships.com of selling sensitive student information to third-party marketers without adequate disclosures.

School Data-Security Lapses

Experts say it’s difficult to know exactly how frequently school systems have their data compromised. Such instances can happen without anyone knowing, and they’re not always reported. But a review of recent news reports found some troubling incidents:

Loudoun County, Va.
The 71,000-student Loudoun County public schools was thrust into damage-control mode last month after an outside vendor, New York City-based Risk Solutions International, inadvertently uploaded and left unprotected some schools’ emergency evacuation plans, as well as “directory information” that included students’ names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories, according to the Washington Post.

Rich Contartesi, the Loudoun County district’s assistant superintendent of technology services, told Education Week that the biggest lesson learned is that districts must be vigilant in overseeing third-party contractors.

“You want to make sure that you know something about the business practices, processes, and physical plant of the companies that have your most sensitive information,” he said.

Chicago
Last November, the district reported that 2,000 students participating in a free vision-examination program offered by the city had their names, dates of birth, gender, and ID numbers, as well as information from their exams, accidentally posted online.

Florida
In June, the Tallahassee Democrat reported that roughly 47,000 participants in state teacher-preparation programs had their personal information—including names and in some cases Social Security numbers—posted on the Internet for two weeks last spring. The information was being stored by Florida State University.

Long Island, N.Y.
The 12,000-student Sachem Central School District suffered three data-security breaches in recent months, including one in which the names, ID numbers, and designations for free-lunch programs of 15,000 former students were posted online, according to a Newsday report.

A 17-year-old student from Sachem North High School was arrested and accused of illegally downloading and posting the information last November, and pleaded not guilty to the charges, according to reports.

SOURCES: Education Week and news reports

“We don’t have good data on how often this is happening in schools,” said Joel R. Reidenberg, a professor of law and technology policy at Princeton and Fordham universities. “But essentially every adult American has had their financial information compromised. There’s no reason to think the educational world is any better.”

Inappropriate Access

In 2012, the Gagnon family of Camp Verde, Ariz., became the face of public outrage over reports that some corporate-affiliated mobile dentists were performing unnecessary—and often traumatic—dental work on children from poor families in order to maximize reimbursements from the federal Medicaid program.

The Gagnon family sued Phoenix-based ReachOut Healthcare America, a company that provides administrative support to mobile dentists, after their medically fragile 4-year-old son, Isaac, was given two unauthorized and unnecessary “baby root canals” while being forcibly held down inside his school. The suit has since been settled, according to the family’s attorney, who declined to comment on the specifics of the case.

In June of last year, the U.S. Senate Judiciary Committee concluded an investigation into complaints involving ReachOut Healthcare and four other corporate dental chains operating across 23 states. The committee found that the traumatic treatment endured by the Gagnon family was “not necessarily widespread” among ReachOut Healthcare’s affiliated dentists, but criticized the company for failing to provide adequate oversight.

The committee also recommended that Nashville, Tenn.-based Church Street Health Management be excluded from the Medicaid program after a review of treatment records found that two-thirds of the baby root canals, or pulpotomies, performed at a Phoenix clinic operated by the company were likely unnecessary. The company, now known as CSHM, has since gone through bankruptcy proceedings and taken on new management, allowing for continued participation in the Medicaid program, said Perry Hall, a senior strategist for the public relations firm Lovell Communications.

Arizona state Sen. Kimberly Yee, a Republican, said inappropriate access to student records helped fuel the abuses by mobile dentists in her state and elsewhere.

ReachOut Healthcare’s practice is to “make friends with employees on [school] campuses, particularly those in administrative or nursing offices, take them to lunch, and thereafter ask for student information databases,” Ms. Yee maintained.

In response, she sponsored a bill, signed into law last year, strengthening the procedures for reporting violations related to the release of student directory information—which typically includes name, address, and phone number—to third-party vendors. Under the federal Family Educational Rights and Privacy Act, or FERPA, schools may disclose such information so long as parents are provided the opportunity to opt out of any such releases.

Ms. Yee said her goal was to maintain “the privacy of students on campuses from outside vendors who want to obtain [directory] lists to increase their client bases.”

In an email, company spokesman Eric Tolkin wrote that “student directories are only used in approximately 2 percent of schools served by dentists affiliated with ReachOut Healthcare.”

That would still involve thousands of students: In Arizona alone, dental teams affiliated with the company provided services to more than 100,000 children in 2010 and 2011, according to Mr. Tolkin.

In part because of parent complaints about unwanted solicitations made using student directory information, a number of districts, including the 37,000-student Peoria Unified School District outside Phoenix, have severed ties with the company.

“We let them know we wouldn’t be able to continue the relationship given what seemed to be an abuse of that information,” said Danielle Airey, the Peoria district’s director of public relations.

Security Breakdown

Privacy advocates, though, offer few such specific examples of children being harmed as the direct result of having their personal information compromised.

The fallout from identity theft, for example, might not be known for years, especially when it involves children, said Mr. Reidenberg, the Fordham professor.

That’s cause for concern, he said, given the volume and scope of accidental data breaches in K-12 systems. In 2009, for example, the Philadelphia-based Public Consulting Group, a private contractor of the Tennessee Department of Education, inadvertently left the names, addresses, dates of birth, and full Social Security numbers of more than 18,000 Nashville Public Schools students available online for more than two months. Affected families were notified of the breach and given free identity-theft and online-credit monitoring, according to Nashville school officials.

Just as alarming, advocates say, is that many businesses now encourage children, families, educators, and district officials to pay for online content and services with personal information.

Unfair Practices

In its FTC complaint over the “deceptive and unfair” business practices of Highland Park, Ill.-based Scholarships.com, the Electronic Privacy Information Center, or EPIC, accused the website of encouraging its 14 million users to provide sensitive information, then using an affiliated entity of the company known as American Student Marketing, or ASM, to sell that data to third-party marketers without adequate disclosures.

The site invites users to indicate their sexual orientation, if they are clinically depressed, if they have a drug addiction, and if they have parents who are illegal immigrants, among other pieces of information. According to the complaint, ASM then sells that information to marketers.

In an email, Scholarships.com said users have the option to provide the sensitive information referenced in EPIC’s complaint, that such information is collected primarily to direct users to relevant scholarship opportunities, and that most third-party marketing comes from postsecondary institutions.

In a telephone interview, company vice president Kevin N. Ladd also suggested that using individuals’ personal information to support targeted advertising is hardly unique to Scholarships.com.

Data proponents acknowledge the growing furor around privacy concerns, but say better security practices, clearer consent procedures, and improved contracting protocols can mitigate risks without dampening data’s educational benefits.

Ms. Barnes of EPIC, though, stressed the need for a wide perspective on what those risks actually are.

“From our standpoint, the initial harm comes when the law is violated and when student consumers lose control over their data,” she said.

Contributing Writer Michelle R. Davis contributed to this article.
A version of this article appeared in the January 22, 2014 edition of Education Week as Personal Danger of Data Breaches Prompts Action


Commenting has been disabled on edweek.org effective Sept. 8. Please visit our FAQ section for more details. To get in touch with us visit our contact page, follow us on social media, or submit a Letter to the Editor.


Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Teaching Webinar
What’s Next for Teaching and Learning? Key Trends for the New School Year
The past 18 months changed the face of education forever, leaving teachers, students, and families to adapt to unprecedented challenges in teaching and learning. As we enter the third school year affected by the pandemic—and
Content provided by Instructure
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Curriculum Webinar
How Data and Digital Curriculum Can Drive Personalized Instruction
As we return from an abnormal year, it’s an educator’s top priority to make sure the lessons learned under adversity positively impact students during the new school year. Digital curriculum has emerged from the pandemic
Content provided by Kiddom
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Equity & Diversity Webinar
Leadership for Racial Equity in Schools and Beyond
While the COVID-19 pandemic continues to reveal systemic racial disparities in educational opportunity, there are revelations to which we can and must respond. Through conscientious efforts, using an intentional focus on race, school leaders can
Content provided by Corwin

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Law & Courts Families Sue Rhode Island's Governor to Overturn His School Mask Mandate
The families say mask-wearing threatens to cause serious and long-lasting damage on their children's physical and emotional well-being.
Linda Borg, The Providence Journal
2 min read
Students line up to have their temperature taken as they return for the first time as their school, The Learning Community, reopens to in-person learning after it closed for the pandemic a year ago, in Central Falls, R.I., on March 29, 2021.
Students line up to have their temperature taken as they return for the first time as their school, The Learning Community, reopens to in-person learning after it closed for the pandemic a year ago, in Central Falls, R.I., on March 29, 2021.
David Goldman/AP
Law & Courts Federal Judge Denies Parents' Suit to Block Florida's Ban on School Mask Mandates
The parents argued that their children, due to health conditions, were at particular risk if any of their peers attend school without masks.
David Goodhue, Miami Herald
3 min read
Florida Governor Ron DeSantis speaks at the opening of a monoclonal antibody site in Pembroke Pines, Fla., on Aug. 18, 2021. The on-again, off-again ban imposed by Republican Gov. Ron DeSantis to prevent mandating masks for Florida school students is back in force. The 1st District Court of Appeal ruled Friday, Sept. 10, that a Tallahassee judge should not have lifted an automatic stay two days ago that halted enforcement of the mask mandate ban.
Florida Governor Ron DeSantis speaks at the opening of a monoclonal antibody site in Pembroke Pines, Fla., on Aug. 18, 2021. The on-again, off-again ban imposed by Republican Gov. Ron DeSantis to prevent mandating masks for Florida school students is back in force. The 1st District Court of Appeal ruled Friday, Sept. 10, that a Tallahassee judge should not have lifted an automatic stay two days ago that halted enforcement of the mask mandate ban.
Marta Lavandier/AP
Law & Courts Texas Attorney General Sues More School Districts That Require Masks
The Texas attorney general's office anticipates filing more lawsuits against districts flouting the governor’s order. Will Dallas be next?
Talia Richman, The Dallas Morning News
4 min read
Texas Attorney General Ken Paxton speaks at the Austin Police Association in Austin, Texas, on Sept. 10, 2020.
Texas Attorney General Ken Paxton speaks at the Austin Police Association in Austin, Texas, on Sept. 10, 2020.
Jay Janner/Austin American-Statesman via AP
Law & Courts Can They Do That? Questions Swirl Around COVID-19 School Vaccine Mandates
With at least one large school district adopting a COVID-19 vaccine mandate, here is a look at the legal landscape for such a requirement.
5 min read
Image of a band-aid being placed on the arm.
iStock/Getty