FOR RELEASE:

DiNapoli: School Districts Should Take Further Steps to Protect Private Data

The increased use of mobile computing devices by school districts has put confidential student and school staff data at greater risk for theft and misuse, according to an audit released today by State Comptroller Thomas P. DiNapoli.

During a comprehensive review of information technology security policies in 12 school districts, DiNapoli’s auditors found district-owned mobile computing devices, such as laptops, smart phones and tablets, were rarely encrypted and contained more than 100 instances of individual personal, private and sensitive information (PPSI) that was not properly secured.

The data included Social Security numbers; driver’s license numbers; student names and grades; personal identifying information, such as name, address, phone numbers, email, and/or date of birth; student school identification numbers; and student locker combinations. Auditors could not determine if this information was compromised.

“Parents and staff rely on school officials to ensure that their personal information is properly safeguarded and used only for legitimate purposes,” said DiNapoli. “Unfortunately, security policies have not kept up with technology and the risks to vital data getting into the wrong hands have increased dramatically. Steps should be immediately taken to secure this sensitive information.”

From January 1, 2010 through May 4, 2012, auditors reviewed the policies and procedures to protect PPSI in select school districts. DiNapoli’s auditors found that the majority of the districts did not have adequate security policies and procedures in place, increasing the risk that PPSI could be accessed and misused by unauthorized persons.

The school districts examined were: Bath Central School District; Cato-Meridian Central School District; East Rochester Union Free School District; Geneseo Central School District; Gorham-Middlesex Central School District; Horseheads Central School District; Odessa-Montour Central School District; Penfield Central School District; South Seneca Central School District; Victor Central School District; Weedsport Central School District; and Wheatland-Chili Central School District.

Audit findings include:

• Eleven of the 12 districts reviewed did not have formal written policies and procedures requiring the encryption of PPSI residing on mobile devices;
• Eight of the 12 districts did not have formal written policies or procedures governing remote access;
• Eight of the 12 districts either lacked any policies and procedures for protecting PPSI in email communications, or had policies and procedures with vague language that provided inadequate direction for safe emailing practices;
• Eleven of the 12 districts did not have policies and procedures to restrict email access to the district’s network resources by non-district devices;
• Six of the 12 districts did not have data breach policies and procedures that informed staff about procedures to follow in the event of a data breach; and
• None of the 12 school districts have a written district-wide data classification scheme, or have inventoried the PPSI in their possession. As a result, the districts do not know the extent to which PPSI resides in the electronic equipment district employees and students are using on a regular basis.

The Comptroller recommended district officials:

• Adopt formal written policies and procedures to ensure a sound IT environment and to protect sensitive information in mobile computing devices. The policies and procedures should include a breach notification policy and procedures that provide directions to employees on actions to take in the event of a data breach.
• Develop written policies and procedures that outline the proper access, use, and protection of private information on MCDs.
• Complete a classification and inventory of information the district maintains to assign the appropriate security level to each type of data, and then conduct an inventory of personal private information stored on all their electronic equipment to account for the confidential data maintained. The district should update the classification and inventory list on an ongoing basis, as appropriate, to reflect any changes.

District officials generally agreed with the audit’s findings and recommendations. Because of the sensitive nature of certain findings, they were not included in the report but were communicated confidentially to each district’s officials so they could take corrective action.

For a copy of the report visit: http://www.osc.state.ny.us/localgov/audits/swr/2012/securityppsi/global.pdf