Won’t Someone Please Think of the Children?
May 24th, 2016
While high-profile data breaches by hackers and hostile nation states grab the majority of headlines these days, even the most well-intended and seemingly mundane data sharing activities can trigger security and privacy risks for thousands of innocent victims.
Poway Data Breach
Last month in Poway, California, Gabriela Dow, a member of the district’s Educational Technology Advisory Committee, made a fairly routine public records request for information from the school district. She sought information related to the day-to-day operation and technology of the school district, as well as any records bearing her own name. But what Ms. Dow actually received was quite troubling.
The school district—acting through its outside counsel, who handled the information request—turned over information regarding not only Ms. Dow, but many other individuals. She received a data dump of some 36,000 records containing the personal information of approximately 75,000 people, including the most vulnerable among us—school children. The data included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results, and occupation of parents. While the disclosure of personal information is troubling in its own right, to make matters worse for the school district, this disclosure also potentially violated the federal Family Educational Rights and Privacy Act, which could put its federal funding at risk.
Cautionary Tale for Handling Sensitive Information
The cautionary tale here illustrates a couple of issues that any organization should consider when handling sensitive information. First, even when operating in good faith and with the oversight and guidance of trusted professionals—such as legal counsel—there remains the need for controls to protect against the inadvertent disclosure of sensitive information. The school district likely relied on facilitation by counsel to ensure it was operating appropriately, while taking for granted the process implications of access to sensitive data and the risk of handling the data without implementing adequate quality review checks.
Second, whether your organization is large or small, private or public sector, for profit or not-for-profit, none of that matters when it comes to handling sensitive information. Large organizations like banks or healthcare companies face substantial regulatory and legal oversight that helps protect sensitive and confidential information. Also, large commercial enterprises have a vested self-interest in protecting their customers’ and employees’ information, as data breaches can have significant and lasting financial implications for their business. But with the advance of technology and the ease of dissemination of information, incidents like the Poway School District breach show that any organization—regardless of size or function—should take precautionary steps when handling sensitive personal information. These measures can be highly sophisticated technology controls, or they can simply be thoughtful oversight and good governance. Understanding the data you have and who has access to it, relying on partners who understand and appreciate the standard of care for handling sensitive data, and performing basic and routine review of your data before production to a third party—these are basic, low-tech approaches to data security. If you won’t consider them for yourself, won’t you do it for the kids?