What the Seattle Public Schools’ Data Breach Teaches us about Cyber Security

On Veterans Day, 2014, the Seattle Public Schools got the bad news: one of SPS’s law firms had accidentally emailed 8,000 student records – name, date of birth, test scores, state ID number, address, phone number, discipline information – to the wrong person.

To make matters worse, that person had contacted the local news channel KING 5 and allowed a reporter to view the files on the computer.

The data in the database was sensitive – but just having your name on the list at all was sensitive in and of itself, because the 8,000 students were all recipients of Special Education services.

SPS managed to convince the recipient of the data to destroy the files and not share them with anyone else, so for the most part, serious damage was contained. However, much time and energy was spent to get this right. After the incident, there were multiple news stories, not just from KING 5. The SPS Superintendent's office sent out no fewer than seven formal messages with updates, and ultimately mailed letters to the US Department of Education and to each family affected.

The details of this breach can be found on the Seattle Public Schools website: http://www.seattleschools.org/cms/One.aspx?portalId=627&pageId=20702

Data breaches are serious events for schools of all sizes. And even with the best security systems protecting school computers, people make mistakes. SPS was lucky that the e-mail only went to one person, and that they could work with that person to make sure that the data did not travel any farther. However, many situations are less fortunate. If sensitive data is lost for good, the expenses come in many forms, such as:

– Legal advice to make sure the response is consistent with state and federal notification laws and regulations

– Public relations advice to handle media enquiries and issue formal updates

– Forensic computer consultants to recreate the data and determine whom the breach affected

– Costs to print and mail notifications to victims

– Identity theft monitoring and credit monitoring for the victims

These items are costly, but the good news is that most school systems carry “Cyber Liability” insurance covering data breach events. A Cyber Policy typically includes “first party” coverages for pre-selected consultants who will direct the response, keep the school out of legal trouble, and save a great deal of headache.

More information on Cyber Insurance can be found at http://propelins.wpengine.com/insurance/cybersmart.php