December 14, 2012
DiNapoli: School Districts Should Take Further Steps to Protect Private Data
During a comprehensive review of information technology security policies in 12 school districts, DiNapoli’s auditors found that district-owned mobile computing devices, such as laptops, smartphones and tablets, were rarely encrypted and contained more than 100 instances of individual personal, private and sensitive information (PPSI) that was not properly secured.
The data included Social Security numbers; driver’s license numbers; student names and grades; personal identifying information, such as name, address, phone numbers, email, and/or date of birth; student school identification numbers; and student locker combinations. Auditors could not determine if this information was compromised.
“Parents and staff rely on school officials to ensure that their personal information is properly safeguarded and used only for legitimate purposes,” said DiNapoli. “Unfortunately, security policies have not kept up with technology and the risks to vital data getting into the wrong hands have increased dramatically. Steps should be immediately taken to secure this sensitive information.”
From January 1, 2010 through May 4, 2012, auditors reviewed the policies and procedures to protect PPSI in select school districts. DiNapoli’s auditors found that the majority of the districts did not have adequate security policies and procedures in place, increasing the risk that PPSI could be accessed and misused by unauthorized persons.
The school districts examined were: Bath Central School District; Cato-Meridian Central School District; East Rochester Union Free School District; Geneseo Central School District; Gorham-Middlesex Central School District; Horseheads Central School District; Odessa-Montour Central School District; Penfield Central School District; South Seneca Central School District; Victor Central School District; Weedsport Central School District; and Wheatland-Chili Central School District.
Audit findings include:
The Comptroller recommended district officials:
District officials generally agreed with the audit’s findings and recommendations. Because of the sensitive nature of certain findings, they were not included in the report but were communicated confidentially to each district’s officials so they could take corrective action.
For a copy of the report visit: http://www.osc.state.ny.us/localgov/audits/swr/2012/securityppsi/global.pdf