TO: Members of the Springfield Public School Board
RE: Student Data Privacy
I read the August 6 Springfield News-Leader article, One Year In, Springfield Superintendent Talks About Embracing Change (http://www.news-leader.com/story/news/education/2015/08/06/one-year-springfield-superintendent-talks-embracing-change/31239699/
), which described Superintendent Jungman ‘s Ignite technology initiative as “. . . a plan to equip every teacher with a hybrid tablet this school year and provide every student, grades 3-12, with a tablet or laptop within three years.” I would like to share with the Springfield Public School board excerpts of concerns I expressed to the Missouri State Board of Education regarding the lack of safeguards on student data, in the context of a statement made by the largest publisher of education materials in the world, PEARSON PLC. These comments are directly related to the agenda to have all students’ instruction and assessment provided in an online venue.
In PEARSON’s December 31, 2014 filing with the U.S. Security Exchange Commission, PEARSON identified data breach of students’ personally identifiable information as a potential risk:
Across our businesses we hold large volumes of personal data including that of
employees, customers, students and citizens
. Despite our implementation of security measures, individuals may try to gain unauthorized access to our data in order to misappropriate such information for potentially fraudulent purposes. Any perceived or actual unauthorized disclosure of personally-identifiable information, whether through breach of our network by an unauthorized party, employee theft, misuse or error or otherwise, could harm our reputation, impair our ability to attract and retain our customers, or subject us to claims or litigation arising from damages suffered by individuals, and thereby harm our business and operating results. Failure to adequately protect personal data could lead to penalties, significant remediation costs, reputational damage, potential cancellation of some existing contracts and inability to compete for future business
. In addition, we could incur significant costs in complying with the relevant laws and regulations regarding the unauthorized disclosure of personal information
As increasing amounts of personally identifiable information are collected by corporations such as PEARSON that are unaccountable to the public other than contractually, unsuspecting “students and citizens” are increasingly vulnerable to “potentially fraudulent purposes” such as identity theft by hackers from within, as well as, outside of the corporate system. Of particular note is PEARSON’s concern that, “. . . we could incur significant costs in complying with the relevant laws and regulations regarding the unauthorized disclosure of personal information.”
Revelation of facts about the recent massive data breach at the U.S. Office of Personnel Management suggests the looming potential for a similar scenario in settings affected by contracts of Missouri’s State Board of Education with PEARSON. Note the following:
OPM government data breach directly and indirectly impacted 21.5 million people.
That is, an estimated 7% of Americans were impacted.
The attackers were able to compromise the agency using a contractor’s credentials.
By contracting with . . . [online education providers, board members] are compelling . . . [students] to surrender their personally identifiable information to an entity that, by its own statement, prioritizes concerns about significant remediation costs, reputational damage, and future business over student safety.
In 2014 and 2015, Missouri parents and child advocates experienced first-hand the resistance of corporations to the passage of strong student data protection legislation in. Though the proposed senate and house bills were limited in scope, pertaining only to students in Pre-K-12 settings, the same concerns of corporations for limiting liabilities associated with compliance with relevant data protection laws and regulations applies to all education settings. . . .
Given the passage of the Missouri Electronic Data Protection Amendment 9 by 75% of the 729,752 Missourians who voted in the August 2014 election (http://ballotpedia.org/Missouri_Electronic_Data_Protection,_Amendment_9_(August_2014
), it is fair to assume that Missourians are more concerned about their electronic privacy than corporations’ business plans and profit goals. As members of . . . [Springfield’s] Board of Education, it is incumbent on you to protect the public affected by your decisions as you carry out your duties. Data protection of . . . [Springfield’s students] can only be accomplished if data are retained at a local level where it can be better protected and isolated, thereby, reducing opportunity for breaches. At the very least, contracts with any [education] vendor should stipulate those conditions.