Seattle Schools Accidental Release of Student Data Update
The PI had an in-depth story today on the accidental disclosure of 7500+ student files to a guardian seeking to protect his sister's Sped rights.
In the story, it was stated that the district had filed to go to court and force the guardian to destroy the files. This was puzzling to me as at least one reader said it HAD been done last week. There is an update today from the district saying this (partial):
We received confirmation yesterday that the individual provided the court with certification that the documents have been deleted and the individual possesses no copies, electronic or otherwise. The court certification confirmed the documents were not distributed, electronically or as hard copy, to any other individual or party except for a KING 5 News reporter who was permitted to view the files on the individual’s computer. KING 5 has confirmed they did not keep copies of the data.
But the questions continue.
- Some of the times that e-mails were sent do not seem to match up. The court document states Morley sent the district/board an e-mail on Nov. 11 at 8:30 pm. E-mails are time-stamped, right? From the district's e-mail today:
The district was emailed by the individual at around midnight Nov. 11. Our legal department saw the email at noon, Nov. 12.
- the guardian has contended that he contacted the district and/or law firm when he first received a batch of files on Nov. 7th. The district has never confirmed or denied that.
- again, WHY did the district send that pdf will all those files embedded in it?
- again, the district keeps saying families have been notified. But I believe that, even for families affected, the only notification has been electronic. If the district is believing that all families in the district read the website and/or have e-mails, they would be wrong. The district told the DOE that they HAD notified all families.
I still do not believe that to be accurate.
- The lawyer for the firm, Preg O'Donnell&Gillett, is Lara Hruska. From the PI:
Lara Hruska, the Preg, O’Donnell and Gillette attorney who sent Morley the documents, contacted Morley the next day (Nov. 7th) and asked that he destroy the records.
In a sworn declaration, Hruska said Morley previously requested email and educational records related to one child. Hruska said she thought she was sending Morley only those records when she disclosed thousands of students’ personal information.
“Unbeknownst to me at the time I sent them to Mr. Morley, the attachments to the emails could be viewed by him upon receipt,” Hruska said in the declaration. “Some of these attachments inadvertently contained confidential, personally identifiable information on other students.”
One e-mail had 271 pages and another 457 pages and she never thought to herself, "That's a big pdf." Never thought to check what was there if only to protect her own firm.
Hruska said she only realized the error after Morley emailed each school board member, Nyland and several other district leaders with his concerns. The attorney called Morley and then emailed him apologizing for the error; she said she didn’t realize that the PDFs included working links.
“I would sincerely appreciate it if you would please let the numerous stakeholders you emailed regarding my mistake … know that the disclosure was due to a technological error and that you have spoken to the attorney at fault and she is remedying the situation,” Hruska said in her Nov. 12 email to Morley.
First, isn't the person in the wrong supposed to own up to the mistake? Why should Mr. Morley let those "stakeholders" know about her error?
Second, what "technological error?" Did the district's computer send a huge number of files to her office and her computer sent them to Mr. Morley? Twice? I don't think that's how it works.
Filing a complaint to higher-ups:
If you, Joe Citizen, want to file a complaint, apparently OSPI isn't taking them because the district self-disclosed the problem . However, if you are one of the affected Special Ed families, you can. Here's the link.
The Washington Bar Association does not accept complaints about law firms, just lawyers.
The Preg O'Donnell& Gillett lawyer on this case was Lara R. Hruska; she is an associate at the firm. (Interestingly she has been a teacher and a special education director. )
Here's a link to the WBA's complaint area.
I would be sure to let the WBA know that Ms. Hruska has a background in public education.
The lawyer for the district is Andrea Schiers, Senior Assistant General Counsel. (You might note that her former firm, Curran, is now the law firm handling this case.) The lead counsel for the district is Ron English.
At the Department of Education:
The mission of the Family Policy Compliance Office (FPCO) is to meet the needs of the Department's primary customers--learners of all ages--by effectively implementing two laws that seek to ensure student and parental rights in education: the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).
Parents and eligible students who need assistance or who wish to file a complaint under FERPA or PPRA should do so in writing to the Family Policy Compliance Office, sending pertinent information through the mail, concerning any allegations to the following address:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-5920
Phone: 1-800-USA-LEARN (1-800-872-5327)
You can, of course, write to the School Board and complain.
In the story, it was stated that the district had filed to go to court and force the guardian to destroy the files. This was puzzling to me as at least one reader said it HAD been done last week. There is an update today from the district saying this (partial):
We received confirmation yesterday that the individual provided the court with certification that the documents have been deleted and the individual possesses no copies, electronic or otherwise. The court certification confirmed the documents were not distributed, electronically or as hard copy, to any other individual or party except for a KING 5 News reporter who was permitted to view the files on the individual’s computer. KING 5 has confirmed they did not keep copies of the data.
But the questions continue.
- Some of the times that e-mails were sent do not seem to match up. The court document states Morley sent the district/board an e-mail on Nov. 11 at 8:30 pm. E-mails are time-stamped, right? From the district's e-mail today:
The district was emailed by the individual at around midnight Nov. 11. Our legal department saw the email at noon, Nov. 12.
- the guardian has contended that he contacted the district and/or law firm when he first received a batch of files on Nov. 7th. The district has never confirmed or denied that.
- again, WHY did the district send that pdf will all those files embedded in it?
- again, the district keeps saying families have been notified. But I believe that, even for families affected, the only notification has been electronic. If the district is believing that all families in the district read the website and/or have e-mails, they would be wrong. The district told the DOE that they HAD notified all families.
I still do not believe that to be accurate.
- The lawyer for the firm, Preg O'Donnell&Gillett, is Lara Hruska. From the PI:
Lara Hruska, the Preg, O’Donnell and Gillette attorney who sent Morley the documents, contacted Morley the next day (Nov. 7th) and asked that he destroy the records.
In a sworn declaration, Hruska said Morley previously requested email and educational records related to one child. Hruska said she thought she was sending Morley only those records when she disclosed thousands of students’ personal information.
“Unbeknownst to me at the time I sent them to Mr. Morley, the attachments to the emails could be viewed by him upon receipt,” Hruska said in the declaration. “Some of these attachments inadvertently contained confidential, personally identifiable information on other students.”
One e-mail had 271 pages and another 457 pages and she never thought to herself, "That's a big pdf." Never thought to check what was there if only to protect her own firm.
Hruska said she only realized the error after Morley emailed each school board member, Nyland and several other district leaders with his concerns. The attorney called Morley and then emailed him apologizing for the error; she said she didn’t realize that the PDFs included working links.
“I would sincerely appreciate it if you would please let the numerous stakeholders you emailed regarding my mistake … know that the disclosure was due to a technological error and that you have spoken to the attorney at fault and she is remedying the situation,” Hruska said in her Nov. 12 email to Morley.
First, isn't the person in the wrong supposed to own up to the mistake? Why should Mr. Morley let those "stakeholders" know about her error?
Second, what "technological error?" Did the district's computer send a huge number of files to her office and her computer sent them to Mr. Morley? Twice? I don't think that's how it works.
Filing a complaint to higher-ups:
If you, Joe Citizen, want to file a complaint, apparently OSPI isn't taking them because the district self-disclosed the problem . However, if you are one of the affected Special Ed families, you can. Here's the link.
The Washington Bar Association does not accept complaints about law firms, just lawyers.
The Preg O'Donnell& Gillett lawyer on this case was Lara R. Hruska; she is an associate at the firm. (Interestingly she has been a teacher and a special education director. )
Here's a link to the WBA's complaint area.
I would be sure to let the WBA know that Ms. Hruska has a background in public education.
The lawyer for the district is Andrea Schiers, Senior Assistant General Counsel. (You might note that her former firm, Curran, is now the law firm handling this case.) The lead counsel for the district is Ron English.
At the Department of Education:
The mission of the Family Policy Compliance Office (FPCO) is to meet the needs of the Department's primary customers--learners of all ages--by effectively implementing two laws that seek to ensure student and parental rights in education: the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).
Parents and eligible students who need assistance or who wish to file a complaint under FERPA or PPRA should do so in writing to the Family Policy Compliance Office, sending pertinent information through the mail, concerning any allegations to the following address:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-5920
Phone: 1-800-USA-LEARN (1-800-872-5327)
You can, of course, write to the School Board and complain.
Comments
Seattle Public Schools
MS 11-010
PO Box 34165
Seattle, WA 98124-1165
Ref: November 11, 2014 Privacy Breach of 8,000+ student records
Dear Distinguished Board of Directors:
The Special Education PTSA Board sends this letter to the Seattle Schools Board of Directors and Seattle Schools Superintendent, expressing our significant concerns with the recent privacy breach of thousands of student records.
We are in receipt of the Superintendent’s letters, e-mailed on November 13th and 15th, to some parents of students enrolled in Seattle Schools and think that the next steps listed in the letter do not go far enough to address this privacy breach nor to prevent future breaches from occurring. The fact that over 8,000 students’ private records were compromised on November 11th, and that this was only the most recent privacy breach, speaks to possible lapses in management, procedures oversight, and system failures within the Seattle Schools legal department.
The district has a documented track record of violating our students’ rights under FERPA and IDEA. These releases resulted in, and will continue to result in OSPI special education citizen complaints (SECC), including:
* SECC 12-37 resulted in a corrective action, requiring that SPS develop written guidance addressing FERPA regulations regarding confidentiality, legitimate educational interest and disclosure of personally identifiable information. District legal prepared a memorandum that referenced FERPA and Superintendent Procedure 3231SP.
* SECC 13-37 involved the intentional release of a student’s personally identifiable information and legal settlement for questionable reasons. The corrective action required SPS to review its current internal practices and its record procedures to determine whether they need revision.
* This latest breach involves a release of thousands of records including personally-identifiable information and students’ disability classification. The data was initially mischaracterized as merely “directory information” but was in fact far more.
In addition, a number of PTSA members have received personally-identifiable information of a very sensitive nature (e.g. IEPs) and did not file formal complaints. The fault does not lie on any one single individual: different departments and schools commit this type of breach on a regular basis.
The November 15th letter to families states “We have severed our relationship with the law firm in the handling of this case.” Has the relationship with this firm actually been severed, or are they just no longer handling this case? The language is unclear, and even misleading. Given the scope and repeated occurrence of privacy breaches and apparent violations of Washington’s code of conduct for licensed legal professionals, we ask that Seattle Schools actually sever all ties with this law firm if in fact this hasn’t already happened.
FERPA regulations encourage institutions to self-report breaches to the Family Policy Compliance Office under the U.S. Department of Education. We appreciate Seattle Schools self-reporting the violation and requesting technical assistance. In addition to this action, and in keeping with past school board practices, we believe Seattle Schools needs to conduct a thorough investigation to see whether school board policies, procedures, and codes of conduct and ethics were followed by legal department staff. Because such an investigation would involve the district’s legal department and for reasons of public transparency, we ask that the Seattle School Board launch a full and independent investigation by an outside agency. Furthermore, in keeping with past district practice, we ask that all involved staff be placed on administrative leave, while the investigation takes place, so that a timely and effective investigation can take place.
To ensure notification of the families of all 8,000 students whose privacy was breached, we ask the school district to send out letters via USPS mail to guarantee that each family is reached and translated letters are available for the 1,500+ families whose primary language is not English. We request that each family be informed of exactly what FERPA protected information about their student(s) was disclosed in this breach. Additionally, we believe the expense of this communication should be borne by the law firm that made the disclosure, not Seattle Public Schools.
The extreme and serious nature of this breach necessitates immediate and decisive actions by Seattle Schools Board of Directors in order to appropriately remediate this breach and to prevent further erosion of public trust. The Special Education PTSA is requesting:
1. If it has not done so already, Seattle Schools should immediately sever ties with the outside legal firm.
2. Initiate an independent investigation, with a focus on a) any other contracted law firms that may have access to records; and b) district practice with respect to sharing this information.
3. Put involved staff on administrative leave, or in a position where they not have access or control of student data.
4. Mail detailed letters to the families of each and every student that was impacted, informing them of the specific student data disclosed.
5. Examine and change how Seattle Schools approaches dispute resolution and special education legal cases; the focus should be on the child.
The Special Education PTSA looks forward to hearing back from the Board of Directors on our requests.
Sincerely,
Jennifer Adair, President
Eileen Yardley, Vice President
Cecilia McCormick, Treasurer
Michael Minard, Secretary
CC: Interim Superintendent Nyland
I want to say hi to all my peeps at SPS SpEd administration and SPS legal who are actively reading this blog to find out the latest SPS screw ups. Yes we know your are watching!
oweius marching
oweius marching
I'm not accusing anybody of lying, more trying to underscore how vulnerable electronic data is.
And was it really deleted at the law firm? How does the district know?
Edward Snowden
zb
UGH!
N by NW
Seen It
Christine leftmyfoot