A CD holding the SSNs on 24,903 current and former high school students is missing. The incident occurred in January. It’s not known whether the information was protected with data encryption software like AlertBoot, although it looks like “standard procedures” call for it.
However, seeing how many things didn’t go right….
Education Research Center Asks for Student SSNs
As far as I can tell, this is what happened:
University of Texas at Dallas’ Education Research Center (UTD) asks Laredo Independent School District (Laredo) for students’ SSNs as part of a project
Laredo sends a CD full of SSNs to the Texas Education Agency (TEA), per protocol
UTD asks TEA for the information after SSNs don’t arrive
TEA has no idea what UTD is talking about, starts investigation to see what’s going on
Laredo provides TEA with a tracking number, finds that the CD was signed for by someone at the building where TEA is housed at
CD is missing, no one recognizes the signature
Lots of Questions Generated
The incident has sparked lots of questions regarding the CD itself as well as the circumstances surrounding the request for the information. For example, was it protocol for the information to be sent via CD?
A TEA spokeswoman claims that it’s not typical to send confidential data through the mail. She also noted that SSNs shouldn’t have been asked for in the first place, and that whatever project UTD is involved was not approved by the TEA.
A former TEA director contradicted the spokeswoman, saying that is was perfectly legitimate to send confidential data over the mail, seeing how sometimes files are too large to send electronically. As a personal observation, that last portion cannot be true. If it fit on a CD, it can definitely be sent electronically. Sure, you can’t send it as an attachment in Outlook but there are other methods. I mean, otherwise, how are people illegally downloading DVD-quality movies, right?
Regardless, it appears that sending information via mail is protocol for those involved. A UTD spokesman further corroborated the director’s assertions, noting that Laredo’s “standard policy would be for the diskette to be encrypted, so there was no concern of a security breach.” [texastribune.org]
George Beckelhymer, president of Laredo ISD’s Board of Trustees, said he was also unaware that the information had gone missing.
“I am trying to be sure we are looking in the right spot if we are looking for blame on this,” he said. “Is it really LISD’s blame? Did UTD use an inappropriate method to request the [information] and then tricked us? Does the TEA have fault that they didn’t have the proper personnel to sign legitimately?” [texastribune.org, my emphasis]
Tricked? Wow, that’s quite an accusation.
But, Mr. Beckelhymer does raise a number of interesting points. How come the TEA cannot identify who signed for the package? And why was a research institution asking for SSNs when they had not business asking for it?
The answer to the latter might lie in this:
Van Overschelde said in his experience, a university education research center would request information like Social Security numbers in order to track individual students throughout a study — anonymously. The TEA deidentifies the data before sending it on to researchers, he said.
“For example, if students in the district are getting eye glasses, and we want to know if recieving eyeglasses has an effect on their academic performance,” he said, “we need to know the subset of kids that received eyeglasses” — and deidentified social security numbers could be used to keep track of them. [texastribune.org]
If so, why ask for SSNs? Why not ask for deidentified SSNs? And, if the researchers didn’t have a method of tracking student data, how would the deidentified SSNs help them? I mean, in order to tack these pseudo-SSNs onto students, you need to identify them first.
Was Encryption Software Used or Not?
I’d say this is the key question. If the contents of the CD were protected cryptographically, then there is no harm done. All parties involved should still look into the issue to try to figure out what went wrong, where it went wrong, and how it went wrong, and shore up any deficiencies in their security practices, but the long and short of it is that the students’ SSNs are safe if encryption software was used.
Indeed, it would be enough to allow one to say the following, awful sound bite:
Beckelhymer also added that, while he doesn’t like “sharing” Social Security numbers, he doesn’t think the fact that they’re missing is “a big deal.” [texastribune.org]
He’s right. It’s not a big deal…if it’s encrypted.