Seattle Schools Data Breach: All the Latest
I have a huge amount of news that all came nearly at the same time.
I am still gathering information about how you can directly complain to various agencies including OSPI, DOE and the Washington Bar Association. I hope to get that thread info by Monday.
First, the district has created a webpage on the issue, Student Information Protection.
It has the Superintendent's latest letter to the entire SPS community which includes this:
The student information that was given to a parent by mistake includes directory information on over 7,400 students, including date of birth, grade and school assignment. The files also include student identification numbers, special education assignments, disability categories and special education transportation information. We believe this information includes substantially all of the special education students in the district.
In addition, some data on Roosevelt High School students was released. That information, for smaller numbers of students, includes discipline data, test results, service models and scholarship information. At this time, we are not aware that any information was disclosed about general education students who do not attend Roosevelt. The district continues to review all files disclosed by the law firm.
So:
-it was nearly all the Sped students in the district
-it did include some General Ed students at Roosevelt
- it states that "we have severed our relationship with the law firm in handling this case." In the DOE letter (referenced below), the district says they are going to sever their relationship in total with the law firm (who, according to published reports, has done business with the district for a decade).
- if you are a Roosevelt parent, I would ask for information on my student, whether using Sped programs or not.
Also on the webpage is their notification to the DOE on November 17th (partial):
We are still reviewing the facts of the disclosure, but based on our review thus far, it appears that the Firm failed to examine the attachments to emails it received from the District for review, and/or believed the links to the attachments in those emails had been disabled before the emails were electronically provided to the Guardian. The attachments include many spreadsheets that contain information about various sutdents, including the Student. As a result of the failure to review and/or disable the attachments, other students' information was inadvertently provided to the Guardian.
The above paragraph makes apparent that there is blame to be shared and still one burning question.
The district says "the Firm" failed to examine the attachments but why did the district send unredacted files at all on so many students? That's the two-fold burning question.
The "Firm" was supposed to check if they were redacted and/or if the attachments enabled? Because the district makes it sound like the only reason the law firm had the files was to answer the guardian.
Who didn't read the guardian's request properly OR possibly decided to tsumani him with documents?
So:
- there were just two dates (at this point) that the law firm sent out files to the guardian of the student in question - Nov 7th and Nov 11th.
- the DOE letter says that the district had asked for the records back/destroyed from the guardian but he refused. They went to court over this and I was told today that yes, the Court ordered the guardian to destroy the data.
- the district told the DOE it "has notified all families in the District of this inadvertent disclosure." That is not what I was told by Communications nor is it what the Superintendent said at the Board meeting Wednesday.
Communications:
1. We are using email notification because getting the information out to as many parents in the fastest way possible was important.
2. We have created a web page to house the latest information and updates. We will be promoting it through all of our communication channels in order to try and reach families that don’t have email or haven’t signed up for email communication.
3. The district is reviewing the data that was released in order to identify the appropriate parents/families to follow up with through direct communications (depending on what contact information is available – could be phone, email or letter )
That sounds to me like all families may NOT have been notified.
The Superintendent said at the Board meeting that they had sent notice to all families electronically, which again, so not mean all families have been reached.
I have to wonder if the district is being slower than they should because it's just one person who has/had the data? Would they be moving faster if it was a hacker? Hmm.
Newest letter from Superintendent to families:
Dear Families,
As indicated in our last two letters to parents, our outside law firm mistakenly released records on more than 7,400 Special Education students district wide and as well as records on regular education students from Roosevelt High School.
Since that time we have taken the following actions:
Again, there is no indication the student information has been given to any other individuals.
The district has also been working to identify the specific information released for each individual student. This will take some time to review these records, student by student.
We are also working to prevent such errors in the future. Several departments met today to discuss steps to prevent inappropriate releases in the future.
You can find updates and additional information as it becomes available at: http://bit.ly/
I apologize again for this error. I sincerely regret the disclosure of personal and sensitive student information.
Sincerely,
Dr. Larry Nyland
Interim Superintendent
I am still gathering information about how you can directly complain to various agencies including OSPI, DOE and the Washington Bar Association. I hope to get that thread info by Monday.
First, the district has created a webpage on the issue, Student Information Protection.
It has the Superintendent's latest letter to the entire SPS community which includes this:
The student information that was given to a parent by mistake includes directory information on over 7,400 students, including date of birth, grade and school assignment. The files also include student identification numbers, special education assignments, disability categories and special education transportation information. We believe this information includes substantially all of the special education students in the district.
In addition, some data on Roosevelt High School students was released. That information, for smaller numbers of students, includes discipline data, test results, service models and scholarship information. At this time, we are not aware that any information was disclosed about general education students who do not attend Roosevelt. The district continues to review all files disclosed by the law firm.
So:
-it was nearly all the Sped students in the district
-it did include some General Ed students at Roosevelt
- it states that "we have severed our relationship with the law firm in handling this case." In the DOE letter (referenced below), the district says they are going to sever their relationship in total with the law firm (who, according to published reports, has done business with the district for a decade).
- if you are a Roosevelt parent, I would ask for information on my student, whether using Sped programs or not.
Also on the webpage is their notification to the DOE on November 17th (partial):
We are still reviewing the facts of the disclosure, but based on our review thus far, it appears that the Firm failed to examine the attachments to emails it received from the District for review, and/or believed the links to the attachments in those emails had been disabled before the emails were electronically provided to the Guardian. The attachments include many spreadsheets that contain information about various sutdents, including the Student. As a result of the failure to review and/or disable the attachments, other students' information was inadvertently provided to the Guardian.
The above paragraph makes apparent that there is blame to be shared and still one burning question.
The district says "the Firm" failed to examine the attachments but why did the district send unredacted files at all on so many students? That's the two-fold burning question.
The "Firm" was supposed to check if they were redacted and/or if the attachments enabled? Because the district makes it sound like the only reason the law firm had the files was to answer the guardian.
Who didn't read the guardian's request properly OR possibly decided to tsumani him with documents?
So:
- there were just two dates (at this point) that the law firm sent out files to the guardian of the student in question - Nov 7th and Nov 11th.
- the DOE letter says that the district had asked for the records back/destroyed from the guardian but he refused. They went to court over this and I was told today that yes, the Court ordered the guardian to destroy the data.
- the district told the DOE it "has notified all families in the District of this inadvertent disclosure." That is not what I was told by Communications nor is it what the Superintendent said at the Board meeting Wednesday.
Communications:
1. We are using email notification because getting the information out to as many parents in the fastest way possible was important.
2. We have created a web page to house the latest information and updates. We will be promoting it through all of our communication channels in order to try and reach families that don’t have email or haven’t signed up for email communication.
3. The district is reviewing the data that was released in order to identify the appropriate parents/families to follow up with through direct communications (depending on what contact information is available – could be phone, email or letter )
That sounds to me like all families may NOT have been notified.
The Superintendent said at the Board meeting that they had sent notice to all families electronically, which again, so not mean all families have been reached.
I have to wonder if the district is being slower than they should because it's just one person who has/had the data? Would they be moving faster if it was a hacker? Hmm.
Newest letter from Superintendent to families:
Dear Families,
As indicated in our last two letters to parents, our outside law firm mistakenly released records on more than 7,400 Special Education students district wide and as well as records on regular education students from Roosevelt High School.
Since that time we have taken the following actions:
- Terminated the law firm working on this case
- Sent a preliminary letter to you indicating the kinds of records released by mistake
- Gone to court to recover the records from the one individual who has them
Again, there is no indication the student information has been given to any other individuals.
The district has also been working to identify the specific information released for each individual student. This will take some time to review these records, student by student.
We are also working to prevent such errors in the future. Several departments met today to discuss steps to prevent inappropriate releases in the future.
You can find updates and additional information as it becomes available at: http://bit.ly/
I apologize again for this error. I sincerely regret the disclosure of personal and sensitive student information.
Sincerely,
Dr. Larry Nyland
Interim Superintendent
Comments
Parent
Peeved
At the bottom of the letter is says: "In order to comply with FERPA and protect student confidentiality, SPS has not disclosed any student information to the RC. This mailing has been funded by the RC."
It also says: "using criteria established by the RC, you and your student have been selected to learn more about the program."
I am wondering who is checking the so called criteria for these many students (even if only in the selected grades)?
- mom
Is SPS trying to save postage? 52K students*$0.40/stamp = $20,800, so that's understandable. However, what about passing out a letter to students in their classrooms? Then, you only have to send letters to students who were absent that day.
"We believe this information includes substantially all of the special education students in the district." Dr. Larry Nyland
Melissa,
I checked the links provided, but still cannot tell if this data breach statement includes disabled students on Section 504 plans as well as those on IEPs. Do you know the answer to that question? Thanks.
Parent
There are many highly capable students with disabilities. Some of these children have near genius IQs
- educational professional
"Dear Outstanding Student,
Based on your excellent academic record, you have been identified as a ... student with the potential to thrive in university next fall."
I don't believe there is any data breach in this movement as I don't think the RC received any student information. (Again, as the cover letter and the envelope itself came from the SPS Advanced Learning Office).
- mom
Parent
@ melissa
What do you mean bigger and longer?
Can you be more specific? I'm meeting with a lawyer at 2pm to discuss this and other SPED issues.
We have found a benefactor willing to fund a class action law suit and are interviewing lawyers.
--Michael
Subject: A CALL TO ACTION
Importance: High
Greetings.
Last week, the Governor’s Office of the Education Ombuds released their final report and recommendations regarding the creation of a Commission to improve outcomes for students with disabilities in our public schools. If you have not reviewed the report, it is attached to this email. As advocates, parents and educators you know it is time for Washington state to take an intentional look at how we educate students with disabilities. We need the Governor to understand that this issue is important to you, to know that there is an immediate need for this work, and to know that he should support it. Feel free to write your own personal message or you can edit and use the message below. If you are a parent of a student with a disability please mention that in your message. Also… please send out to your networks!
Remember that your voice and your story are powerful advocacy tools. Please use them and join us in this effort!
Sample Message:
Dear Governor Inslee,
As a parent of a student with a disability (or advocate of students with disabilities), I am writing to ask for your support in the creation of a Blue Ribbon Special Education Commission for Washington State.
Our systems of general education and special education are not meeting the needs of students with disabilities. I have read the report from the Office of the Education Ombuds and stand behind its recommendations. I ask you to do the same. Disability does not discriminate and students with disabilities are in all areas of our education system across our great state. Any work to improve outcomes for them, will also benefit all students in our schools.
Please take leadership on this opportunity. Lend your voice, and support, to Washington’s Blue Ribbon Special Education Commission, so that when we say “All students", we truly mean “Each and Every Student” in our state.
Thank you for the work you do and for being an advocate to ensure that all of Washington’s students, including those with disabilities, have the opportunity to achieve personal and academic success.
Sincerely,
Your Name
You can send the Governor an email message at https://fortress.wa.gov/es/governor/ or you can write or call him at:
Write
Governor Jay Inslee
Office of the Governor
PO Box 40002
Olympia, WA 98054-0002
Call
(360) 902-4111
TTY/TDD users should contact the Washington Relay Service at 711 or 1-800-833-6388
Time forAction
- tam
-IMHO
Andrea Schiers is the Sr. Ast. General Counsel for SPS who was the SPS attorney responsible for the case where the disclosure happened. Curran Law Firm is her former firm. That Curran never did legal work for SPS before she got there and now does has been discussed on this blog and has been the subject of an ethics complaint.
Is that sufficient explanation for me thinking it is odd that she hired her own former firm (who is beholden to her for their new found SPS legal work) to investigate/handle this matter where she and her staff are the one who sent out the email?
So are you saying SPS has hired a law firm to investigate what has happened?
How do you know for a fact she was the counsel for this case? (I'm not challenging you but I like to be sure about these things.)
Also, the Washington State Bar Assn. does not allow complaints against law firms but if I find out who was responsible at SPS and at Preg O'Donnell& Gillett, I will let parents know who to file a complaint against.
SPS legal provides coverage by regions for Sp Ed between two attorneys. Andrea handles Roosevelt's region. I have sepcifically confirmed with people in the know (Sp Ed staffers) that she handled this case and turned it over to Curran when it was taken from PODG. The board can verify that they have been told that Curran is tasked with the case and looking into the release of records. The guardian can verify that Curran is the new firm on the case,
Parents should file the complaints against her and English, who is her supervisor. They are responsible for the paralegal who send everything to PODG.
PODG is the scape goat here. I think IMHO is right and this is standard practice for SPS legal and is way bigger than this one case.
Mr English responded :
From: English, Ron
Sent: Monday, May 19, 2014 4:31 PM
To: Banda, Jose L
Cc: SchoolBoard
Subject: Re: Conflict of interest in the legal dept.
I have forwarded this to the City Ethics Office for their action. I will note that we have spent
about $1 million annually on outside legal fees of all kinds and that I made the decision to
hire the Curran firm.
I welcome a review of our litigation management practices.
Ron English
General Counsel
Then Chris sent me this,
Hi Michael,
I discovered that Ms. Schiers did not participate in the selection of her former firm for this work. It was contracted out by the General Counsel, without consultation with her. Ms. Schiers has had no financial interests in the firm since she left.
The District’s Ethics Policy does prohibit an employee from participating in decisions that could benefit a firm or employer that he/she was employed with in the preceding year. It also prevents employees who have a financial interest with a firm from participating as well. Employees must disclose their relationship with firms when they are involved in decision making on contracting with those firms.
In this case, due to the facts, there is no conflict of interest according to the policy. Thanks for bringing this to our attention.
Chris Thomas
Investigative Counsel
Seattle Ethics and Elections Commission
(206) 615-0091
chris.thomas@seattle.gov
Who do they think they are fooling, oh ya the board!
--Michael
I'm debating showing these to KOMO4 because back on the 14th the district told KOMO4 I was lying when I said I've received other students protected information, but I don't want the district suing me so I will return them unshared.
--Michael
What the heck. He's not accountable for what he blows on beating up SpEd families.
SoSue me