The Frederick County public school system has taken steps to protect students from future data hacks following the revelation that a breach more than five years ago resulted in the theft of personal information of about 1,000 former students. The school district has taken three steps so far: It has stopped collecting students’ Social Security numbers, which is consistent with a position advocated by the Electronic Privacy Information Center, a public interest research group that monitors privacy issues; it is participating in an audit conducted by the county’s Interagency Internal Audit Authority; and it has hired a cybersecurity expert to review the school’s data system.
The school district also extended an offer — from one year to two years — to provide free identity and credit monitoring services for the students in the midst of a petition drive calling on it to offer seven years of ID protection. The school district is also facing a threat by a Republican state lawmaker to sponsor a bill to require organizations that have been breached to provide five years of free monitoring. District 4 Delegate David E. Vogt III said he would introduce the legislation after saying he felt “stonewalled” by school officials in his efforts to get information about the data breach. The petition, which was begun on Dec. 18 by a former student, had amassed 587 signatures by Tuesday.
The ID protection, which will be provided by New York-based consultant Kroll, will cost the school district $15.60 per person, along with a $500 startup fee. The district paid $60,000 last year after an online malfunction in its internal data system resulted in employees’ tax forms being available for viewing by other employees.
One of the best steps the school district did was to discontinue collecting Social Security numbers. The widespread use of Social Security numbers — they are used for tax records, credit information, school records and medical records — makes consumers and others easy targets for identity theft. A number of states, including Maryland, have passed legislation to restrict the use of Social Security numbers.
The impact of having one’s personal information stolen can last far longer than the 24 months the school system is offering. That’s likely why students, faculty and staff members at the University of Maryland were provided five years of free ID protection after personal information was stolen in an attack on the university’s system two years ago in what has been called one of the largest data breaches to occur at a U.S. university. That breach also happened soon after the university had invested heavily in a security overhaul of its computer systems.
When the Board of Education meets next month to discuss appraising its policy on data breach security, it also ought to consider formally expanding the length of time it is willing to cover ID protection and credit monitoring for the Frederick County students whose personal information was stolen. Offering one year of ID protection has been largely discredited by cybersecurity experts as ineffective. While offering coverage for two years is an improvement, we think the offer extended by the University of Maryland should become official policy, if not law, in these matters. One year is good. Two years is better. We believe five years is best.