Friday, November 21, 2014

Seattle Schools Data Breach: All the Latest

I have a huge amount of news that all came nearly at the same time. 

I am still gathering information about how you can directly complain to various agencies including OSPI, DOE and the Washington Bar Association.  I hope to get that thread info by Monday.

First, the district has created a webpage on the issue, Student Information Protection.

It has the Superintendent's latest letter to the entire SPS community which includes this:

The student information that was given to a parent by mistake includes directory information on over 7,400 students, including date of birth, grade and school assignment. The files also include student identification numbers, special education assignments, disability categories and special education transportation information. We believe this information includes substantially all of the special education students in the district.

In addition, some data on Roosevelt High School students was released. That information, for smaller numbers of students, includes discipline data, test results, service models and scholarship information. At this time, we are not aware that any information was disclosed about general education students who do not attend Roosevelt. The district continues to review all files disclosed by the law firm.

So:
-it was nearly all the Sped students in the district
-it did include some General Ed students at Roosevelt
- it states that "we have severed our relationship with the law firm in handling this case." In the DOE letter (referenced below), the district says they are going to sever their relationship in total with the law firm (who, according to published reports, has done business with the district for a decade).
- if you are a Roosevelt parent, I would ask for information on my student, whether using Sped programs or not.

Also on the webpage is their notification to the DOE on November 17th (partial):

We are still reviewing the facts of the disclosure, but based on our review thus far, it appears that the Firm failed to examine the attachments to emails it received from the District for review, and/or believed the links to the attachments in those emails had been disabled before the emails were electronically provided to the Guardian.  The attachments include many spreadsheets that contain information about various sutdents, including the Student.  As a result of the failure to review and/or disable the attachments, other students' information was inadvertently provided to the Guardian.

The above paragraph makes apparent that there is blame to be shared and still one burning question.

The district says "the Firm" failed to examine the attachments but why did the district send unredacted files at all on so many students?  That's the two-fold burning question.

The "Firm" was supposed to check if they were redacted and/or if the attachments enabled?  Because the district makes it sound like the only reason the law firm had the files was to answer the guardian. 

Who didn't read the guardian's request properly OR possibly decided to tsumani him with documents?

So:
- there were just two dates (at this point) that the law firm sent out files to the guardian of the student in question - Nov 7th and Nov 11th.

- the DOE letter says that the district had asked for the records back/destroyed from the guardian but he refused.  They went to court over this and I was told today that yes, the Court ordered the guardian to destroy the data. 

 - the district told the DOE it "has notified all families in the District of this inadvertent disclosure."  That is not what I was told by Communications nor is it what the Superintendent said at the Board meeting Wednesday.

Communications:

1. We are using email notification because getting the information out to as many parents in the fastest way possible was important.

2. We have created a web page to house the latest information and updates. We will be promoting it through all of our communication channels in order to try and reach families that don’t have email or haven’t signed up for email communication.

3. The district is reviewing the data that was released in order to identify the appropriate parents/families to follow up with through direct communications (depending on what contact information is available – could be phone, email or letter )


That sounds to me like all families may NOT have been notified. 

The Superintendent said at the Board meeting that they had sent notice to all families electronically, which again, so not mean all families have been reached. 

I have to wonder if the district is being slower than they should because it's just one person who has/had the data? Would they be moving faster if it was a hacker?  Hmm.

Newest letter from Superintendent to families:

Dear Families,
As indicated in our last two letters to parents, our outside law firm mistakenly released records on more than 7,400 Special Education students district wide and as well as records on regular education students from Roosevelt High School. 
Since that time we have taken the following actions:
  • Terminated the law firm working on this case
  • Sent a preliminary letter to you indicating the kinds of records released by mistake
  • Gone to court to recover the records from the one individual who has them
As reported in the last letter, we don’t believe that the person holding those records has given the records to anyone else. He has been ordered to destroy those records and certify to the judge that he has done so.  

Again, there is no indication the student information has been given to any other individuals. 

The district has also been working to identify the specific information released for each individual student. This will take some time to review these records, student by student.  

We are also working to prevent such errors in the future. Several departments met today to discuss steps to prevent inappropriate releases in the future. 

You can find updates and additional information as it becomes available at: http://bit.ly/StudentDataDisclosure.

I apologize again for this error. I sincerely regret the disclosure of personal and sensitive student information.
Sincerely,
Dr. Larry Nyland
Interim Superintendent

26 comments:

Anonymous said...

Students over the last week also received invitations from the "Robinson Center" at the UW for early college entrance. How the heck did the UW get student names and information to make this invitation? Seems there are many leaks out of SPS, and who knows what is being leaked. Perhaps this leak is something some parents want - it's still information going out the door without authorization.

Parent

Christina said...

I remember denying SPS permission to give out information about my student this year, and am getting repeat spam by a basketball training/camps company's Seattle location.

Anonymous said...

OK SPS is full of it. They are telling half truths. Wait and see what happens. The letter to the DOE is full of fabrications. Nice try Ron.

Peeved

Anonymous said...

The Invitation Letter from the Robinson Center (RC) is in fact coming from our own Advanced Learning Office and signed by Stephen B Martin, Supervisor.
At the bottom of the letter is says: "In order to comply with FERPA and protect student confidentiality, SPS has not disclosed any student information to the RC. This mailing has been funded by the RC."
It also says: "using criteria established by the RC, you and your student have been selected to learn more about the program."

I am wondering who is checking the so called criteria for these many students (even if only in the selected grades)?

- mom

mirmac1 said...

Directory information is all that is needed to send those emails. The directory info I"ve seen to date has name, contact info, and grade.

cmj said...

Why is the district sending out the letters via email instead of by snail mail? They have mailing addresses for all students (even, presumably, for homeless students). I wouldn't expect them to have email addresses for all parents. Not all parents use e-mail or have Internet access.

Is SPS trying to save postage? 52K students*$0.40/stamp = $20,800, so that's understandable. However, what about passing out a letter to students in their classrooms? Then, you only have to send letters to students who were absent that day.

cmj said...

Make that 8000 students and $3200, not $52000 students. It wouldn't be tenable to hand out letters to students in class, since teachers would have to single SPED (and some non-SPED) students out in front of their peers.

apparent said...


"We believe this information includes substantially all of the special education students in the district." Dr. Larry Nyland

Melissa,

I checked the links provided, but still cannot tell if this data breach statement includes disabled students on Section 504 plans as well as those on IEPs. Do you know the answer to that question? Thanks.

Anonymous said...

The letter I saw about the UW Robinson Center is definitely not from Advanced Learning, it from the director of the Robinson Center, Nancy Hertzog and Curtis Hisayasu. They claim to have reviewed the students academic record and invited them to apply. No notice of FERPA, nothing. And not an advanced learning student at all. Actually, it's a Sped student. Is it possible that the district breach is so huge.... they are simply sending it out everywhere?

Parent

mirmac1 said...

Parent,

There are many highly capable students with disabilities. Some of these children have near genius IQs

Anonymous said...

Directory information (names and addresses) can be released under FERPA as long as the student or parent didn't opt out. I suspect that the Robinson Center gave SPS criteria (grade level and test scores) to filter by and requested directory info for the students meeting those criteria. There would be no release of individuals' scores. Students who meet the criteria but had restricted directory release shouldn't be getting a letter, but the rest would, regardless of whether they were enrolled in advanced learning or any other program. Since this request was for offering an educational opportunity, I believe it would be permissible under FERPA.

- educational professional

Anonymous said...

Sorry for the confusion: The Invitation Letter from the Robinson Center came from the SPS Advanced Learning Office as I wrote it before. It contained another letter from the Robinson Center and was signed by Nancy Hertzog and Curtis Hisayasu. But this letter was a general letter that they wrote to every student who met their criteria.
"Dear Outstanding Student,
Based on your excellent academic record, you have been identified as a ... student with the potential to thrive in university next fall."
I don't believe there is any data breach in this movement as I don't think the RC received any student information. (Again, as the cover letter and the envelope itself came from the SPS Advanced Learning Office).

- mom

Melissa Westbrook said...

It seems that this may be bigger and longer (in timeframe) than the district has indicated in its letter to the DOE. I have several e-mails that indicate the opposite and I am attempting to find out more.

Anonymous said...

Mirmac, yes I know that there are 2e students. In this case, the student is not in advanced learning. But the point is, their data is being shared without their consent.

Parent

Anonymous said...


@ melissa

What do you mean bigger and longer?

Can you be more specific? I'm meeting with a lawyer at 2pm to discuss this and other SPED issues.

We have found a benefactor willing to fund a class action law suit and are interviewing lawyers.

--Michael

Anonymous said...

ent: Tuesday, November 18, 2014 4:35 PM
Subject: A CALL TO ACTION
Importance: High

Greetings.

Last week, the Governor’s Office of the Education Ombuds released their final report and recommendations regarding the creation of a Commission to improve outcomes for students with disabilities in our public schools. If you have not reviewed the report, it is attached to this email. As advocates, parents and educators you know it is time for Washington state to take an intentional look at how we educate students with disabilities. We need the Governor to understand that this issue is important to you, to know that there is an immediate need for this work, and to know that he should support it. Feel free to write your own personal message or you can edit and use the message below. If you are a parent of a student with a disability please mention that in your message. Also… please send out to your networks!

Remember that your voice and your story are powerful advocacy tools. Please use them and join us in this effort!

Sample Message:


Dear Governor Inslee,

As a parent of a student with a disability (or advocate of students with disabilities), I am writing to ask for your support in the creation of a Blue Ribbon Special Education Commission for Washington State.

Our systems of general education and special education are not meeting the needs of students with disabilities. I have read the report from the Office of the Education Ombuds and stand behind its recommendations. I ask you to do the same. Disability does not discriminate and students with disabilities are in all areas of our education system across our great state. Any work to improve outcomes for them, will also benefit all students in our schools.

Please take leadership on this opportunity. Lend your voice, and support, to Washington’s Blue Ribbon Special Education Commission, so that when we say “All students", we truly mean “Each and Every Student” in our state.

Thank you for the work you do and for being an advocate to ensure that all of Washington’s students, including those with disabilities, have the opportunity to achieve personal and academic success.

Sincerely,

Your Name





You can send the Governor an email message at https://fortress.wa.gov/es/governor/ or you can write or call him at:

Write
Governor Jay Inslee
Office of the Governor
PO Box 40002
Olympia, WA 98054-0002

Call
(360) 902-4111
TTY/TDD users should contact the Washington Relay Service at 711 or 1-800-833-6388

Time forAction

Anonymous said...

All Roosevelt parents/guardians should be concerned about this breach and should be asking explicit questions of SPS. The school district is downplaying this matter with its choice of words. And yes, this is not the first time irrelevant information on other students has been released to a parent/guardian seeking discovery from SPS.

- tam


Anonymous said...

Here is my question, how long has the SPS legal office been sending out documents like this? How many other outside law firms have gotten records like this, and how many unknowingly did the exact same thing not knowing they got live links when they requested documents in PDF?

-IMHO

Wondering said...
This comment has been removed by a blog administrator.
Melissa Westbrook said...

Do not post names that are not familiar and/or explained to all. Being cryptic so that you can lash out at someone is a no go here.

Wondering said...

Melissa,

Andrea Schiers is the Sr. Ast. General Counsel for SPS who was the SPS attorney responsible for the case where the disclosure happened. Curran Law Firm is her former firm. That Curran never did legal work for SPS before she got there and now does has been discussed on this blog and has been the subject of an ethics complaint.

Is that sufficient explanation for me thinking it is odd that she hired her own former firm (who is beholden to her for their new found SPS legal work) to investigate/handle this matter where she and her staff are the one who sent out the email?

Melissa Westbrook said...

Wondering,I didn't know all that.

So are you saying SPS has hired a law firm to investigate what has happened?

How do you know for a fact she was the counsel for this case? (I'm not challenging you but I like to be sure about these things.)

Also, the Washington State Bar Assn. does not allow complaints against law firms but if I find out who was responsible at SPS and at Preg O'Donnell& Gillett, I will let parents know who to file a complaint against.

Anonymous said...

Melissa,

SPS legal provides coverage by regions for Sp Ed between two attorneys. Andrea handles Roosevelt's region. I have sepcifically confirmed with people in the know (Sp Ed staffers) that she handled this case and turned it over to Curran when it was taken from PODG. The board can verify that they have been told that Curran is tasked with the case and looking into the release of records. The guardian can verify that Curran is the new firm on the case,

Parents should file the complaints against her and English, who is her supervisor. They are responsible for the paralegal who send everything to PODG.

PODG is the scape goat here. I think IMHO is right and this is standard practice for SPS legal and is way bigger than this one case.

Anonymous said...

I filed a conflict of interest complaint with the city ethics officer over Ms. Schiers sending cases over to Curran Law firm. Ms. Shiers was hired by Ron English from Curran Law and started referring cases to Curran in violation of SPS Policy.

Mr English responded :

From: English, Ron
Sent: Monday, May 19, 2014 4:31 PM
To: Banda, Jose L
Cc: SchoolBoard
Subject: Re: Conflict of interest in the legal dept.
I have forwarded this to the City Ethics Office for their action. I will note that we have spent
about $1 million annually on outside legal fees of all kinds and that I made the decision to
hire the Curran firm.
I welcome a review of our litigation management practices.
Ron English
General Counsel

Then Chris sent me this,

Hi Michael,


I discovered that Ms. Schiers did not participate in the selection of her former firm for this work. It was contracted out by the General Counsel, without consultation with her. Ms. Schiers has had no financial interests in the firm since she left.



The District’s Ethics Policy does prohibit an employee from participating in decisions that could benefit a firm or employer that he/she was employed with in the preceding year. It also prevents employees who have a financial interest with a firm from participating as well. Employees must disclose their relationship with firms when they are involved in decision making on contracting with those firms.



In this case, due to the facts, there is no conflict of interest according to the policy. Thanks for bringing this to our attention.



Chris Thomas

Investigative Counsel

Seattle Ethics and Elections Commission

(206) 615-0091

chris.thomas@seattle.gov

Who do they think they are fooling, oh ya the board!

--Michael

Anonymous said...

Spent the day digging through a few hundred documents sent to me by the district in relation to several cases. So far I have found 7 FERPA violations. I will turn these documents over to SPS within the next 30 days. I still have several boxes to go thru, so these probably a few more I will find.

I'm debating showing these to KOMO4 because back on the 14th the district told KOMO4 I was lying when I said I've received other students protected information, but I don't want the district suing me so I will return them unshared.

--Michael

Anonymous said...

If SPS were to sue everyone who has received other students' PII, they will have to quadruple English's budget.

What the heck. He's not accountable for what he blows on beating up SpEd families.

SoSue me