Student information needs to be better protected, be it via data encryption software or something else. It just doesn’t make sense to keep things the way they are. It just doesn’t.
Criminals are Targeting Student Information
I came across another ID theft ring story where student info was exclusively used for committing fraud, and, to be honest, I finally snapped. How many such stories do we have to come across before something is done?
According to wreg.com, two women in Memphis, TN were arrested for identity theft trafficking. The two are accused of stealing names, dates of birth, and SSNs of more than 350 Memphis City School (MCS) students (although, the term “accused” gives them more leeway than they deserve: the “stuff” was on the counter when police broke into their house). It is currently unknown how they obtained the information, but we do know the two women applied for fraudulent tax returns, scoring hundreds of thousands of dollars.
Special Agent in Charge Rick Harlow suggested that parents keep an eye on their children’s credit reports; HOWEVER, this may not be the best advice. According to an investigation by the Today Show on NBC, checking your kids’ credit reports on a regular basis will prompt credit bureaus to create reports on the children, increasing the risk of something going wrong (see the embedded video in the networkworld.com article; the article and video are an eye-opener on the subject of children’s ID theft and worth a read).
There have been many other cases involving students’ IDs, of course. A short list of instances covered by this blog:
The breaches involve CDs, external hard disks, USB sticks, etc., proving that data breaches come in all sizes and forms. There are more, of course — it’s just that I haven’t covered them all, and of those that I have covered, I’ve declined to include university data breaches. In all the cases that I’ve read where K-12 students are involved, none of the schools has ever admitted that the target of a theft could have been the students’ data.
It’s always, “hey, the thieves were probably targeting the laptop” or USB flash drive, or whatever. If that’s the case, how did the above two get and use student information exclusively?
No Legal Obligation
Is there a requirement to encrypt student data? The answer is no, as I’ve already explained in a past post regarding K-12 schools and HIPAA: for a public school, the ruling law is FERPA, not HIPAA. In fact, to those who are interested in the HIPAA aspects when it comes to K-12, the Joint Guidance on the Application of FERPA and HIPAA to Student Records has this to say:
At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district.
Some schools may receive a grant from a foundation or government agency to hire a nurse. Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA.
Student records involve more than health information, though. So, what does FERPA have to say about student record encryption? To date, not much. It will point out, for example, that sending information via unencrypted email is not recommended:
The US Department of Education has determined that, in general, communication between faculty and students over e-mail “is considered to be an insecure means of transmitting protected information under FERPA” unless some form of encryption is used… [email from US Department of Education to BYU, per http://humanities.byu.edu/static/documents/org/27.pdf ] (Thanks Google!)
So, the DOE definitely has qualms about protected information (a terminology that is most peculiar. It doesn’t mean the information is actually protected, it means that it needs to be protected) falling into the wrong hands. At the same time, it doesn’t make the use of encryption software a key resolve, unlike HIPAA/HITECH (or at least, if the DOE has something under FERPA regarding encryption, I haven’t been able to find it so far).
Of course, that doesn’t prevent educational institutions from actually using encryption to protect student records. A Google search of “FERPA encryption” results in numerous entries, some of them linked to policies regarding student information encryption. However, you’ll soon notice that these are at the university level — which is understandable considering the criticism the US colleges received in the past five years or so, as one institution after another was forced to declare a data breach (and in some cases, more than once).
But, K-12 needs encryption, too. It’s obvious that criminals are targeting their data — especially because it could be years before anyone realizes anything is amiss — and when solutions like AlertBoot encryption are readily available, it doesn’t make sense not to use them.
Thankfully, it looks like the Department of Education might address the issue:
The NPRM [Notice of Proposed Rule Making] emphasizes that the State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) is responsible for using reasonable methods to ensure that any entity designated as its authorized representative complies with FERPA. The NPRM seeks input on how reasonable methods should be defined. The Department intends to issue guidance on the best practices for written agreements, reasonable methods, and other related matters.
Of course, there are a lot of proposals within the NPRM that are controversial, depending on one’s viewpoint; however, in this particular case, I’d imagine that “encryption” would be met by many as a reasonable method of protecting student records?