Tuesday, November 25, 2014

Seattle Schools Accidental Release of Student Data Update

The PI had an in-depth story today on the accidental disclosure of 7500+ student files to a guardian seeking to protect his sister's Sped rights. 

In the story, it was stated that the district had filed to go to court and force the guardian to destroy the files.  This was puzzling to me as at least one reader said it HAD been done last week.  There is an update today from the district saying this (partial):

We received confirmation yesterday that the individual provided the court with certification that the documents have been deleted and the individual possesses no copies, electronic or otherwise. The court certification confirmed the documents were not distributed, electronically or as hard copy, to any other individual or party except for a KING 5 News reporter who was permitted to view the files on the individual’s computer. KING 5 has confirmed they did not keep copies of the data.
But the questions continue.
- Some of the times that e-mails were sent do not seem to match up. The court document states Morley sent the district/board an e-mail on Nov. 11 at 8:30 pm. E-mails are time-stamped, right? From the district's e-mail today:

The district was emailed by the individual at around midnight Nov. 11. Our legal department saw the email at noon, Nov. 12.

- the guardian has contended that he contacted the district and/or law firm when he first received a batch of files on Nov. 7th. The district has never confirmed or denied that.

- again, WHY did the district send that pdf will all those files embedded in it? 

- again, the district keeps saying families have been notified. But I believe that, even for families affected, the only notification has been electronic. If the district is believing that all families in the district read the website and/or have e-mails, they would be wrong. The district told the DOE that they HAD notified all families.

I still do not believe that to be accurate.

- The lawyer for the firm, Preg O'Donnell&Gillett, is Lara Hruska.  From the PI:

Lara Hruska, the Preg, O’Donnell and Gillette attorney who sent Morley the documents, contacted Morley the next day (Nov. 7th) and asked that he destroy the records.

In a sworn declaration, Hruska said Morley previously requested email and educational records related to one child. Hruska said she thought she was sending Morley only those records when she disclosed thousands of students’ personal information.


“Unbeknownst to me at the time I sent them to Mr. Morley, the attachments to the emails could be viewed by him upon receipt,” Hruska said in the declaration. “Some of these attachments inadvertently contained confidential, personally identifiable information on other students.”
One e-mail had 271 pages and another 457 pages and she never thought to herself, "That's a big pdf." Never thought to check what was there if only to protect her own firm.

Hruska said she only realized the error after Morley emailed each school board member, Nyland and several other district leaders with his concerns. The attorney called Morley and then emailed him apologizing for the error; she said she didn’t realize that the PDFs included working links.

“I would sincerely appreciate it if you would please let the numerous stakeholders you emailed regarding my mistake … know that the disclosure was due to a technological error and that you have spoken to the attorney at fault and she is remedying the situation,” Hruska said in her Nov. 12 email to Morley.

First, isn't the person in the wrong supposed to own up to the mistake?  Why should Mr. Morley let those "stakeholders" know about her error? 

Second, what "technological error?" Did the district's computer send a huge number of files to her office and her computer sent them to Mr. Morley? Twice?  I don't think that's how it works.

Filing a complaint to higher-ups:

If you, Joe Citizen, want to file a complaint, apparently OSPI isn't taking them because the district self-disclosed the problem .  However, if you are one of the affected Special Ed families, you can.  Here's the link.

The Washington Bar Association does not accept complaints about law firms, just lawyers.

The Preg O'Donnell& Gillett lawyer on this case was Lara R. Hruska; she is an associate at the firm.  (Interestingly she has been a teacher and a special education director. )

Here's a link to the WBA's complaint area.

I would be sure to let the WBA know that Ms. Hruska has a background in public education.

The lawyer for the district is Andrea Schiers, Senior Assistant General Counsel.  (You might note that her former firm, Curran, is now the law firm handling this case.)  The lead counsel for the district is Ron English.

At the Department of Education:

The mission of the Family Policy Compliance Office (FPCO) is to meet the needs of the Department's primary customers--learners of all ages--by effectively implementing two laws that seek to ensure student and parental rights in education: the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).

Parents and eligible students who need assistance or who wish to file a complaint under FERPA or PPRA should do so in writing to the Family Policy Compliance Office, sending pertinent information through the mail, concerning any allegations to the following address:

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-5920
Phone: 1-800-USA-LEARN (1-800-872-5327)


You can, of course, write to the School Board and complain.

13 comments:

mirmac1 said...

Board of Directors
Seattle Public Schools
MS 11-010
PO Box 34165
Seattle, WA 98124-1165

Ref: November 11, 2014 Privacy Breach of 8,000+ student records

Dear Distinguished Board of Directors:

The Special Education PTSA Board sends this letter to the Seattle Schools Board of Directors and Seattle Schools Superintendent, expressing our significant concerns with the recent privacy breach of thousands of student records.

We are in receipt of the Superintendent’s letters, e-mailed on November 13th and 15th, to some parents of students enrolled in Seattle Schools and think that the next steps listed in the letter do not go far enough to address this privacy breach nor to prevent future breaches from occurring. The fact that over 8,000 students’ private records were compromised on November 11th, and that this was only the most recent privacy breach, speaks to possible lapses in management, procedures oversight, and system failures within the Seattle Schools legal department.

The district has a documented track record of violating our students’ rights under FERPA and IDEA. These releases resulted in, and will continue to result in OSPI special education citizen complaints (SECC), including:

* SECC 12-37 resulted in a corrective action, requiring that SPS develop written guidance addressing FERPA regulations regarding confidentiality, legitimate educational interest and disclosure of personally identifiable information. District legal prepared a memorandum that referenced FERPA and Superintendent Procedure 3231SP.

* SECC 13-37 involved the intentional release of a student’s personally identifiable information and legal settlement for questionable reasons. The corrective action required SPS to review its current internal practices and its record procedures to determine whether they need revision.

* This latest breach involves a release of thousands of records including personally-identifiable information and students’ disability classification. The data was initially mischaracterized as merely “directory information” but was in fact far more.

In addition, a number of PTSA members have received personally-identifiable information of a very sensitive nature (e.g. IEPs) and did not file formal complaints. The fault does not lie on any one single individual: different departments and schools commit this type of breach on a regular basis.

The November 15th letter to families states “We have severed our relationship with the law firm in the handling of this case.” Has the relationship with this firm actually been severed, or are they just no longer handling this case? The language is unclear, and even misleading. Given the scope and repeated occurrence of privacy breaches and apparent violations of Washington’s code of conduct for licensed legal professionals, we ask that Seattle Schools actually sever all ties with this law firm if in fact this hasn’t already happened.

mirmac1 said...

More concerning is the question of why did this law firm have this information. Among other very limited exceptions, educational records may only be disclosed to “school officials” with a “legitimate educational interest” who need the information in order to fulfill their duties. It would seem that the outside law firm did not need all of these records to defend the district in the suit, unless it was intended to overwhelm the plaintiff with records. We ask for thorough examination and transformation of Seattle Schools approach to dispute resolution and its handling of special education legal issues. In 2013, the OSPI Program Review Team concluded that “the district’s procedures and practices are not reasonably designed to implement the dispute resolution requirements of IDEA 2004. In addition…there are no internal controls in place to prevent recurrence of student specific violations or systemic issues or is there evidence of control activities that effectively ensure the district directives or guidance being issued are in fact carried out.” We know of many instances where the district’s focus is on legal defense, rather than on preventing recurrence of OSPI-identified issues that harm our students and deny them a free and appropriate education.

FERPA regulations encourage institutions to self-report breaches to the Family Policy Compliance Office under the U.S. Department of Education. We appreciate Seattle Schools self-reporting the violation and requesting technical assistance. In addition to this action, and in keeping with past school board practices, we believe Seattle Schools needs to conduct a thorough investigation to see whether school board policies, procedures, and codes of conduct and ethics were followed by legal department staff. Because such an investigation would involve the district’s legal department and for reasons of public transparency, we ask that the Seattle School Board launch a full and independent investigation by an outside agency. Furthermore, in keeping with past district practice, we ask that all involved staff be placed on administrative leave, while the investigation takes place, so that a timely and effective investigation can take place.

To ensure notification of the families of all 8,000 students whose privacy was breached, we ask the school district to send out letters via USPS mail to guarantee that each family is reached and translated letters are available for the 1,500+ families whose primary language is not English. We request that each family be informed of exactly what FERPA protected information about their student(s) was disclosed in this breach. Additionally, we believe the expense of this communication should be borne by the law firm that made the disclosure, not Seattle Public Schools.

The extreme and serious nature of this breach necessitates immediate and decisive actions by Seattle Schools Board of Directors in order to appropriately remediate this breach and to prevent further erosion of public trust. The Special Education PTSA is requesting:

1. If it has not done so already, Seattle Schools should immediately sever ties with the outside legal firm.

2. Initiate an independent investigation, with a focus on a) any other contracted law firms that may have access to records; and b) district practice with respect to sharing this information.

3. Put involved staff on administrative leave, or in a position where they not have access or control of student data.

4. Mail detailed letters to the families of each and every student that was impacted, informing them of the specific student data disclosed.

5. Examine and change how Seattle Schools approaches dispute resolution and special education legal cases; the focus should be on the child.

The Special Education PTSA looks forward to hearing back from the Board of Directors on our requests.

Sincerely,

Jennifer Adair, President
Eileen Yardley, Vice President
Cecilia McCormick, Treasurer
Michael Minard, Secretary

CC: Interim Superintendent Nyland

app dad said...

thank you to all those who worked on the letter and mw for keeping an eye on this. not at all impressed with Englsih on this as it stinks of CYA.

Charlie Mas said...

CYA is Mr. English's job. He is the District's lawyer, not the students' lawyer. Rule #1 for all lawyers is work exclusively in your clients' interest. In an adversarial legal system such as ours, that means to work against everybody else's interest. That's his job. Hate the game, not the player.

Anonymous said...

There are many errors in the PIs story, but I'm glad this still has legs. Some other interesting developments are in the works that can't be shared at this time.

I want to say hi to all my peeps at SPS SpEd administration and SPS legal who are actively reading this blog to find out the latest SPS screw ups. Yes we know your are watching!

oweius marching

Anonymous said...

Nice letter Mirmac1. Hey, are you still allowed in the building?

oweius marching

John said...

The certification just confirms that the individual says nothing was distributed. I'm a network admin, and I can tell you there's no way of knowing for sure where data might end up. Wouldn't surprise me one bit if it's still sitting in some forgotten backup or cache right now.

I'm not accusing anybody of lying, more trying to underscore how vulnerable electronic data is.

Melissa Westbrook said...

John, and this is precisely what I tell people - in the end, is data really deleted? No.

And was it really deleted at the law firm? How does the district know?

Anonymous said...

It's not deleted, I used wireshark and grabbed it. Who wants to buy a copy?

Edward Snowden

Anonymous said...

I do believe that electronic data is inherently insecure. I feel like we haven't, as a society, decided how to reconcile the insecurity (and convenience) with real privacy. We can make this a bit difficult to get (i.e. you need the password to access your child's grades), but if the information really needs to remain secure, I think anything sent by email is insecure. I also think that sharing information can be very useful (say, different teachers sharing information). So, these issues always make my head spin and I end up with no answers.

zb

Anonymous said...

Received advanced learning notification via e-mail today ... for the WRONG student. Wonder who got my kiddo's notification?

UGH!

N by NW

Anonymous said...

Ron English knew about this problem well before this hit the newsstands- over a month. But just like the Silas Potter deal, he did nothing about it, until it showed up in the newspaper. And just like with the Potter matter, he pointed fingers at everyone else He is selective about choosing which outside lawyers he picks- the ones that know who is paying them. Now, another one of his favorite firms is bad, bad, because they did something he knew they had done before and took no action on. No dirt on his hands. His CYA only extends to his own A, not the boards', the district's, or the kids'. He is not doing his job as the District's lawyer. A good lawyer is a fixer and preventative. A good lawyer knows that hiding problems only makes them really bad when they finally blow up. But I have to give him credit, he is really adept at the hiding and laying blame elsewhere strategy. And it works.

Seen It

Anonymous said...

So, what is going on with the data breach? Did the board respond to the letter? I'm on the fence on what to do with all the documents.

Christine leftmyfoot