1. Please read and sign our letter, already signed by several members of the
Chancellor’s Data Privacy Working Group as well as several education advocacy
organizations and NYC Council Members, in opposition to the weakening of DOE’s
student privacy protections in their proposed amendments to Chancellor’s
regulation A-820. If you would like to sign on, please fill out this form.
These revisions would allow DOE to disclose a vast array of highly sensitive
student data to any individual or business they please, including students’ and
parents’ names, email addresses, cell
phones, home addresses, photos, and more, as long as they believe it would
benefit the DOE or the students involved, with only a highly unreliable parent
opt out method to prevent this. The
weakening of this regulation is up for a vote at the May
28 Panel for Educational Policy meeting, after the initial vote on this
measure was delayed in October because of parent and advocate concerns and over 3,000 emails sent to the Chancellor and PEP members.
2. Evidence of the irresponsible
practices of the DOE when it comes to protecting student privacy is further revealed
by recent developments in the PowerSchool breach.
According to a May 7 announcement
on the PowerSchool website and numerous
news accounts, extortionists have now contacted schools and districts
affected by the original PowerSchool Student Information System breach that
occurred in December, threatening the further
exposure of student data unless they are
paid a ransom.
The original breach exposed the personal information of an
estimated 60 million children, parents, and school staff across the US and in
Canada, including an indeterminate number of current and former NYC students
and teachers at four NYC high schools: Fordham HS for the Arts, Westchester
Square Academy, Long Island City High School, and Lower East Side Prep.
It is unknown at this time whether any of these NYC schools
have been directly contacted by the cyber criminals, as has occurred in the
case of schools elsewhere, and DOE has still not posted anything about this new
threat on its webpage entitled “Data
Security Incidents”, where it is supposed to provide this sort of
information.
Still to this day, DOE officials refuse to publicize the names of
the four schools that had their student data stolen back in December, or to
reveal publicly that former students at these schools likely had their
information breached as well.
The DOE was also months
late in informing parents at these schools that their children’s data had been
breached, and even now, refuses to provide any guidance to the many NYC schools
that they should stop using the 16 other
invasive PowerSchool programs that collect a wide range of personal student and
teacher data, even though it’s been shown that the company did not employ even the
most basic security measures to prevent hacking. PowerSchool is now being sued
by more than 20 different states, districts, and class action lawsuits as a
result.
The DOE’s lackadaisical attitude towards protecting student
data is especially relevant right now because, as mentioned above, proposals to weaken their Chancellor’s regulation A-820
are on the agenda to be voted on by the PEP at the end of the month.
The only significant concession DOE has made in the latest
round of revisions to this regulation is to require a written agreement with
the third parties with whom they want to share all this sensitive student data,
but as we have seen in the PowerSchool breach, as well as many others, including
the Illuminate breach that exposed the data of more than a million NYC current
and former students, their written agreements have done little to stop the illegal disclosures and commercial
exploitation of student data because of insufficient oversight and enforcement.
More details on the earlier PowerSchool breach and the recent
ransomware attacks are below.
Background
The original hack of the PowerSchool School Information
Systems (SIS) began on December 19 and ended on December 28. On January 6, PowerSchool informed hundreds
of districts and school systems nationwide and in Canada that personal data
stored in their student information systems had been accessed; later they
admitted that they paid ransom to the criminals in exchange for their promise to
destroy the data.
Most districts throughout New York state and elsewhere alerted parents to the
threat in early to mid-January, and shortly thereafter advised them how to sign
up for free identity theft insurance and credit monitoring offered by
PowerSchool. It is well known that student
data is very valuable for purposes of identity theft, as most children do not
already have a credit rating.
Yet DOE said nothing to parents about this at the four
affected schools, and in fact, when reporters asked in January if any NYC
schools were affected, DOE told them no.
It was not until February 3 that I learned in an email from the
NY State Education Department Chief Privacy Officer Louise de Candia that four
NYC schools did indeed have their student data hacked, and she gave me the
schools’ names. I forwarded this
information to the Daily News reporter, Cayla Bamberger, who wrote an article
about the breach on February 6 (free link here). I
also posted more details about the breach
on my blog.
But amazingly, even then the DOE refused to confirm the
names of the affected schools to reporters, or to post their names on their
website, even though the State
Education Department specifically advised districts to do so, in order to alert
former students to the risk to their privacy and safety. They wrote:
Like the Illuminate Education data breach that occurred
in late 2021/early 2022, former students may be affected by this breach.
Therefore, we recommend that educational agencies put a notification on their
web page to capture as wide an audience as possible.
Further delay and inadequate notification of affected families and students
Only following the Daily News article did principals send a
message to parents at these four schools, saying that they were still looking
into whether their children’s data had been breached.
Not until March 7, more than two months after the initial
reports, did DOE apparently confirm internally that NYC students, former
students, and staff had their data stolen by hackers, even though back in
January there were simple instructions on Reddit
and elsewhere on how schools and districts should check their SIS log files to
confirm which students and teachers were affected, and what data had been stolen.
It was not until three weeks after that, the week of April
1, that the DOE mailed notification letters to affected students and staff, and
not until April 3 was the following message posted on the DOE website:
“Approximately 3,437 students and 317 staff were affected
by the PowerSchool SIS data security incident. … All students who
were affected by this incident had the following information disclosed: name,
student ID number, date of birth, grade level, expected graduation year,
enrollment information, and home address. Some students also had
race/ethnicity, gender, classroom assignment, parent name, parent email, home
phone number, emergency contact name and phone, and medical contact information
disclosed. All staff who were affected by this incident had their
file number/employee ID disclosed.”
Still this statement was far from complete, as the DOE
continued to refuse to disclose the names of the affected schools on the
website, or that former students also had their data breached. This was confirmed to me by the DOE chief
privacy officer Dennis Doyle after I asked him about it. Though he said he didn’t know how many former
students were affected, “it’s possible the impacted data goes as far back as
the 2021-22 school year.” By looking at
the demographic snapshot just for Long Island City HS, that means that another
1,321 students who were enrolled that year but have since graduated or dropped
out may also have had their data hacked.
The regulations for the NY student privacy law, Ed Law 2D, require that parents
be informed as soon as possible about a breach of personal student data, and in
no case more than 60 calendar days after its discovery:
“Educational agencies shall notify affected parents,
eligible students, teachers and/or principals in the most expedient way
possible and without unreasonable delay, but no more than 60 calendar days
after the discovery of a breach.”
Of course, 60 days is too long in any case; State Ed originally proposed 45 days
in their regulations, but some districts apparently complained this was too
short a time frame. NY state has now amended its general business law to require
all businesses to notify affected individuals of breaches within 30 days, though
it’s not clear if this applies to schools and districts.
In any case, given that districts were informed of the PowerSchool
breach on January 7, that would make the deadline in state law for notification
March 8, 2025 – and yet parents in NYC were not sent letters confirming their
kids’ data was breached until three weeks later.
Unfortunately, the DOE has said nothing publicly about these
recent ransomware attacks, though there
is an update on their website dated May 8, the day after PowerSchool
and numerous media accounts, including
NBC news, reported on these new threats to student privacy. Instead, the
DOE only informed parents on that date that the deadline to sign up for
PowerSchool’s offer of free identity theft insurance had been extended
to July 31; and then added “There is no evidence of continued
unauthorized access”, even as parents throughout the country were being
warned otherwise.
For example, schools in North Carolina received extortion
emails on May 7, according to the state Department of Education’s public bulletin, posted the same day, alerting the public
that these criminals appeared to have students' and staffers’ names, contact
information, birthdays, medical information, parental information, and in some
cases even their Social Security numbers.
The North Carolina State Superintendent produced a sample
template that districts were asked to send to parents, warning them
not to respond if contacted by these threat actors, and not to open any
suspicious links or emails related to this incident, or engage with
anyone claiming to have this data.
About the more recent ransomware threats, there are three possible scenarios
according to this article: that the original hackers did not delete the data
back in January as they promised PowerSchool after receiving payment; or that
they had already sold or released the data to another group before deleting it.
There is a third possibility: that these
latest demands are empty threats, but as PowerSchool reported, the samples of personal
data sent to schools as warnings in May match the data previously stolen in
December.
DOE’s continued lack of oversight, transparency and enforcement when it comes to student privacy
All this sadly might have been prevented if DOE had taken
the necessary precautions. The privacy addendum
that PowerSchool provided to DOE several years ago, and still posted on
the DOE website, should have provided sufficient warning. It said that the company will:
“Review data
security and privacy policy and practices to ensure they are in conformance
with all applicable federal, state, and local laws & the terms of this DSPP
[Data Security Privacy Plan].… In the event Processor’s policy and practices are not in conformance,
Processor will implement commercially reasonable efforts to ensure such
compliance.”
In other words, PowerSchool proclaimed that they would
comply with federal and state privacy laws, and their own contract with DOE,
only if they felt it was “commercially reasonable” and would not unduly
affect their bottom line.
I also pointed out that DOE allows schools to use 17 privacy-invasive PowerSchool programs that collect a huge amount of sensitive teacher and student data, and asked for a meeting to discuss the many other ways in
which the DOE consistently fails to properly vet their privacy agreements or to
follow up with their vendors to ensure they are adhering to these agreements. Here is a copy of one of the slides I sent him.
Similar problems with lack of careful vetting and oversight occurred earlier
with the Illuminate breach, as I wrote at the time; Illuminate’s posted privacy
addendum hinted that the data was not properly encrypted.
And while the DOE contract with Illuminate said they were entitled to security audits, it is unclear if they ever asked for one.
In any case, I never got the meeting with Dennis I had requested nor did I receive any response to my warnings
about PowerSchool.
Even earlier, according to a January 2022 exposé
in The Markup, Naviance was found to have allowed colleges to place ads
within its platform, disguised as objective recommendations, including ads that
targeted only white students, a practice that is clearly illegal under NY
State law.
In May 2024, a multi-state parent
class action lawsuit was filed in California alleging that PowerSchool disclosed
personal student data, including highly sensitive health and disciplinary
records, to its third-party "partners" for commercial purposes, which is
illegal in California, New York and many other
states. Among other data points, the lawsuit pointed out that
Naviance collects student citizenship status, which is especially sensitive data these
days given the threat of immigrant deportation. More about this lawsuit here. Yet this news did not deter Bain
Capital from acquiring PowerSchool in October 2024 for $5.6 billion.
Following the December 2024 breach, many states and
districts have now sued PowerSchool for failing to implement the most basic security
measures to protect against breaches, including multi-factor authentication. These lawsuits demand damages and ask the court to require the company to strengthen its
overall security systems, undertake a third-party security audit, and appoint
an independent party to monitor progress. Some of these lawsuits,
including one filed in the Eastern District of New York, have now been consolidated
into a single court case in California.
Many parents have also joined separate class action lawsuits organized by
private law firms.
Two weeks ago, I wrote Dennis Doyle once again, and asked him
the following question:
“What oversight does DOE maintain to ensure that PowerSchool and vendors in
general hold to the security protections in their contracts, especially given
the weak language in its privacy addendum? This breach revealed that PowerSchool
failed to use the most basic security measures, like multi-factor
authentication, leading to at least 23 lawsuits, including many states with far
less protective privacy laws than NY. Clearly, they did not employ data
minimization or deletion, as the law requires, given that the data of former
students was breached.”
This was his brief response: “Our vendors undergo a
security review conducted by DIIT and, for those storing data in the cloud, a
cloud review conducted by OTI.”
No acknowledgement was made of the obvious fact that these
security reviews failed to identify the profound weaknesses in PowerSchool’s
cybersecurity practices,
or any of the other breaches that showed the lack of required measures to secure student data.
I also asked Dennis if he intends “to ask PowerSchool to
revise their privacy addendum to fully comply with Ed Law 2D, and/or to take
any other actions to discourage schools from using the other 16 PowerSchool
products posted on your website that DOE has made available to schools, many of
them with access to extremely sensitive teacher and student data?”
He responded this way: “As I stated earlier, our
data-processing agreement with PowerSchool requires them to fully comply with
Ed Law 2-d, notwithstanding any response to the contrary in the supplemental
questionnaire.” Our full exchange is posted here.
This is irresponsible in my view. DOE should have advised schools following the
breach to cease using any of the 17 products supplied to schools by PowerSchool
that collect highly sensitive teacher and student data, and should have immediately
notified parents at the affected schools of the threat to their family’s privacy,
as other districts in the state and nation did. DOE should also have posted on their website more information
about this breach, including the names of the affected schools, and warned former students at these schools that their
data may have been accessed as well.
In any case, DOE should do this now, given the renewed ransomware threats, and
put out a press release to ensure that all parents, students, and former
students at these schools sign up for the identity theft insurance and credit
monitoring services offered by PowerSchool, as well as alerting them not to
respond to cybercriminals if approached.
Whether the DOE itself could be in legal jeopardy for failing to inform parents of the breach in a timely manner,
for waiting months to alert them to the steps they should take to
prevent further disclosures, and/or for the manner in which they ignored red
flags in their PowerSchool privacy agreement are questions that only an
experienced attorney could answer.
In any case, please read our
letter in opposition to the further weakening of the DOE
privacy policies, and consider signing it.