IT Infrastructure & Management

‘Data Leakage’

Plugging the information drain in your school district requires attention to detail.
By Michelle R. Davis — March 05, 2008 6 min read
  • Save to favorites
  • Print

Includes updates and/or revisions.

School districts store vast amounts of confidential data in their computer systems, from employee Social Security numbers to credit card numbers to student medical information. But that information doesn’t always stay private.

Such data can find its way to public places on the Internet—and often not through nefarious means. District administrators are just starting to learn that safeguards such as online firewalls might be keeping most hackers out, but that information still is leaking out of the system in other ways.

“Think about the nature of the data we have,” says William de Dufour, the director of network systems and support for the 83,000-student Austin Independent School District in Texas. “It’s not only the normal Social Security numbers from a human-resources perspective. It’s so much more.”

And districts need to worry about data leakage for more reasons than just bad public relations. They’re bound by certain federal privacy laws in key areas. The Health Information Privacy Protection Act, or HIPPA, requires that student health information collected by districts be kept private. The Family Educational Rights and Privacy Act, or FERPA, protects the confidentiality of student education records.

In addition, several states have stringent laws regarding privacy. For example, a California law, one of the strictest in the country, requires public notification if a company or state has reason to believe that private information has leaked out of a protected system.

To combat the problem of privacy breaches, some school districts have hired private companies that provide data-leakage protection. Others have developed their own methods for keeping data secure inside district computer systems.

‘The Bulk of Data Leakage’

School district data can be compromised in several different ways, says David J. Etue, the vice president of product management for the Bethesda, Md.-based Fidelis Security Systems, which provides software to schools to prevent data leakage.

“The bulk of the data leakage occurs from people inside the district not realizing they’re putting information at risk, or they’re not educated as to how to treat data securely,” he says.

TIPS on Stopping Data Leakage

Data leakage is a growing concern for school districts. Here are some tips to make sure data stays within your system:

1. Check state and local laws regarding data leakage. Some laws require public notification if private information is disclosed. Make sure you understand what needs to be kept private.

2. Educate staff members about ways data may be leaked unintentionally. Make sure to talk to employees about the proper way to e-mail private files and about what kinds of records need to be kept secure.

3. Compartmentalize data, so that even if a small portion of private data is compromised, the scope of the leak is limited.

4. Check with vendors who may deal with your school district data. Make sure they have strict security policies to ensure your information stays private.

5. Investigate leakage-prevention software to see if it is right for your district. If not, make sure data security is a high priority within your IT department.

Guidance counselors, for instance, often send e-mails with unencrypted files containing student grades and records to colleges. Or district employees might want to get some work done over the weekend, so they’ll e-mail payroll files or student data to their hotmail accounts, unaware that method of sending confidential information is not secure. A district employee might also e-mail an official district credit card number to a teacher so the teacher can buy classroom supplies. All those actions can put data at risk, Etue says.

“The person is not doing it to be malicious, but they don’t realize that information needs to be encrypted,” he says, referring to the process of making text unreadable unless translated, or decrypted by the intended recipient.

Sometimes, technological upgrades can lead to unintended consequences.

That was the case for the 10,000-student St. Mary Parish public schools in Centerville, La., where private information—including the Social Security numbers of several hundred district employees—made its way onto the Internet about a year ago and was accessed through a Yahoo! Web-page search engine.

The search engine accessed a database that was supposed to be private, but wound up on the Internet for all to see, says Kevin P. Derise, the technology manager for the St. Mary’s schools. Several years ago, Derise says, the files were being used to collect sign-in information at workshops in a public Internet area, and when the district’s computer system was upgraded, those files never went back behind a firewall.

Since then, St. Mary’s has pulled that file from the Internet and has also begun using random employee-identification numbers, rather than Social Security numbers, for everything other than the payroll system in order to cut down on the possibility of information theft. Derise says he feels comfortable with the security measures now in place, but he knows there are always going to be new ways for data to leak.

“We know we’re only as secure as today,” he says. “Who knows what tomorrow may bring?”

Kurt Shedenhelm, the chief operating officer for Palisade Systems in Ames, Iowa, says district officials are often blindsided by the amount of data leakage from their districts. Shedenhelm provides his protection services free for about a week so districts can see what may be compromised.

Palisade software not only monitors the information leaving the system, but also tracks what’s going on within the system. The software can search system e-mails for profanity, can track Web-site visits, or pinpoint where students are improperly downloading music with district computers.

A recent district assessment by Palisade found students and employees “visiting porn sites, gun sites, people using Gnutella or eDonkey to download copyrighted songs,” Shedenhelm says, despite the fact that the district had software intended to block such sites.

For more stories on this topic, see Technology Counts 2008.

Roland E. Moore, the chief information officer for the 166,000-student Orange County, Fla., public schools, based in Orlando, says he has used the Fidelis system for eight months and it has helped him identify areas of concern about data leakage.

“I’ve noticed less in the way of people using profanity, which we have rules against, but more in the things you might not expect,” he says. “For example, people sending files out to companies that we have business with, or sending files with personal information embedded. That’s what we’re seeing more of.”

Vendor vs. Homegrown System

Data-leakage-prevention software typically can be set either to block outgoing information that should not be leaving the district system, or send a warning to an IT official if it looks as if something that might pose a problem is being sent outside the system. “You really have no control over your borders as to what goes out if you don’t do something like this,” Moore says, referring to systems that monitor the flow of information in organizations.

But experts say it’s not always necessary, or practical, to hire a private company to keep data safe in a district. Fidelis’ data-leakage-prevention package can cost from $40,000 to $500,000, depending on the size of the system, Etue says.

In Austin, de Dufour says his department has taken a proactive, homegrown approach to stopping data leakage. The IT staff has made a point, he said, of “creating an architecture that compartmentalizes the data available for leakage.”

That means data is stored separately and can’t be accessed by one particular route. So even if a file of credit card numbers is accessed by a hacker, that person would need to find an alternate way into the system to tap into data holding Social Security numbers. And a third way into the system would be needed to access student files, for example.

The district also targeted an area of risk: data leakage through vendors. The district now makes potential vendors sign a data-sharing agreement and go through a security audit, which quizzes them on how they ensure the district’s data stays safe and what cryptological methods are in place to protect information, de Dufour says.

De Dufour also has an employee on his team whose job is to think about data security on all fronts. “His focus is to make sure security is a serious concern,” de Dufour says. “I wouldn’t trust an outside entity to come in and do this.”

Related Tags:

Michelle R. Davis is the senior writer for Education Week’s Digital Directions.
A version of this article appeared in the June 09, 2008 edition of Digital Directions as ‘Data Leakage’

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Achievement Webinar
How To Tackle The Biggest Hurdles To Effective Tutoring
Learn how districts overcome the three biggest challenges to implementing high-impact tutoring with fidelity: time, talent, and funding.
Content provided by Saga Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Well-Being Webinar
Reframing Behavior: Neuroscience-Based Practices for Positive Support
Reframing Behavior helps teachers see the “why” of behavior through a neuroscience lens and provides practices that fit into a school day.
Content provided by Crisis Prevention Institute
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Mathematics Webinar
Math for All: Strategies for Inclusive Instruction and Student Success
Looking for ways to make math matter for all your students? Gain strategies that help them make the connection as well as the grade.
Content provided by NMSI

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

IT Infrastructure & Management Leader To Learn From Through Wars, Tornadoes, and Cyberattacks, He's a Guardian of Student Privacy
Jun Kim, the technology director in Moore, Okla., works to make the most of innovations—without endangering student data.
11 min read
Jun Kim, Director of Technology for Moore Public Schools, center, leads a data privacy review meeting on Dec. 13, 2023 in Moore, Okla.
Jun Kim, director of technology for the Moore public schools in Moore, Okla., leads a data privacy review for staff.
Brett Deering for Education Week
IT Infrastructure & Management One Solution to Maintaining 1-to-1 Devices? Pay Students to Repair Them
Hiring students to help with the repair process is one way school districts are ensuring the sustainability of their 1-to-1 programs.
4 min read
Sawyer Wendt, a student intern for the Altoona school district’s IT department, repairs a Chromebook.
Sawyer Wendt, who's been a student intern for the Altoona district's tech department since junior year, is now studying IT software development in college.
Courtesy of Jevin Stangel, IT technician for the Altoona school district
IT Infrastructure & Management Schools Get Relief on Chromebook Replacements. Google Extends Device Support to 10 Years
Schools have typically had to replace Chromebooks every three to five years.
4 min read
Photo of teacher working with student on laptop computer.
iStock / Getty Images Plus
IT Infrastructure & Management What We Know About District Tech Leaders, in Charts
Male chief technology officers in K-12 tend to come from technological backgrounds while most female tech leaders are former teachers.
1 min read
Illustration concept of leadership, using wooden cut-out figures and arrows.
Liz Yap/Education Week via Canva