Oh ugh ugh ugh.
In early February, Berkeley County Schools in West Virginia experienced a ransomware attack. On March 3, the district issued a notice on its website that stated their investigation determined "some data stored in Berkeley County Schools’ network may have been accessed that included employee Social Security numbers and direct deposit information."
That notice makes no mention of any student information being involved.
But Vice Society has added Berkeley County Schools to their leak site and has dumped a LOT of personal and sensitive info on students. Some of it goes back years, too.
Read my post at
https://www.databreaches.net/highly-sensitive-files-from-berkeley-county-schools-dumped-by-ransomware-gang/
That district has a LOT of accounting to do, and a lot of changes to their data retention and protection. And of course, FERPA doesn't actually require them to notify the students or families -- only to make notations in their records that the files were disclosed without authorization.
#databreach #ransomware #EduSec #dataprotection #incidentresponse #FERPA #infosec
Feds investigating Pasco schools giving student data to sheriff — The Tampa Bay Times reported in November that the school district shared information on student grades, discipline and attendance with the Sheriff’s Office, which used the data to compile a secret list of schoolchildren it believed could “fall into a life of crime.”
The federal education department is now looking into the arrangement, a spokesman said Friday. #dataprivacy #privacy #FERPA
Today's FERPA questions:
Part 1:
Assume parents of students sign a media release like the one attached to this post where the release mentions specific activities but also a more general release to promote the program.
Now assume that the district is the victim of a cyberattack and the attackers dump all the school photos with the students' names and student ID numbers.
Does the release allowing pictures of the student mean that there was no FERPA breach? I would say that the release is restricted to the activities mentioned in the release and that a data dump on the internet would still be a #FERPA breach.
Agree or disagree?
Part 2. Now assume that the district's "Directory Information" exemptions include student photos unless the parent opts out. Assume the same attack and data dump.
Now is it a #FERPA breach?
#FERPA #dataprotection #students #privacy #EduSec #DirectoryInformation #databreach #cyberattack #infosec
Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack: https://www.the74million.org/article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/
@mkeierleber is singing my tune about the need for entities to disclose when sensitive data has been leaked. There is no requirement under #FERPA to notify of that.
We need a federal law requiring notification in the event of a data dump or leak of personal and sensitive information, and not just for the education sector -- for ALL sectors.
Y'all can just wait until I rule the world, or we can keep encouraging legislators to do what should have been done years ago.
@brett @douglevin @allan @funnymonkey
#databreach #dataprotection #EduSec #Notification #incidentresponse #ransomware #cyberattack #dataleak #transparency #infosec
If you're going to "attack" a public school district, learn what FERPA permits districts to make public anyway:
#FERPA #edusec #directoryinformation #infosec
Did someone at ED think this would be useful? Or add important information to a public policy debate involving student data privacy? I read it as more evidence that the national (US) K-12 student data privacy regime is bankrupt. The emperor has no clothes and yet we conduct studies of how deeply the emperor's subjects are bowing to an impotent ruler.
"LEA Website Privacy Transparency Review Final Report" https://studentprivacy.ed.gov/resources/lea-website-privacy-transparency-review-final-report #edtech #FERPA #PPRA #edtech @PogoWasRight @funnymonkey
I'm starting to think of possibilities for using #mastodon in my teaching at #BrooklynCollege. Without going into detailed use-cases, a basic one would be to create an instance for a class that students join.
My initial concern in attempting such a thing is respecting #FERPA.
If anyone has links to discussions of using #mastodon in the classroom and FERPA please let me know.
{hashtagging all the tags is hard in the morning}
@hobson @humanetech @EU_Commission @stragu @LovesTha @lightweight To my surprise, this is actually happening. I had no idea how bad it has gotten till I read this article → https://progressive.org/public-schools-advocate/surveillance-capitalism-spreading-to-schools-hillman-esquivel-220611/ That article also states that #FERPA is not only unenforced, but it has also been weakened by the #USDoE (who does not have the authority to do that).
@hobson @humanetech @EU_Commission @stragu @lightweight The US has FERPA (though weak [if any] enforcement). #FERPA says a school can outsource but stipulates that the school must put in the contract that student data cannot be shared further on, to prevent a long outsourcing chain of data sharing. That in particular is unenforced. E.g. California schools outsource transcripts to a 3rd party who then outsources to #Cloudflare.
@humanetech @lightweight @stragu @EU_Commission @jgoerzen In the US it can be attacked from both ends, in principle. The US feds have a #FERPA law that’s supposed to protect the privacy of students nationwide. I believe schools are breaking that law by subjecting students to surveillance capitalism. The problem is the feds don’t enforce FERPA… it’s just a prop. So a top-down approach is to pressure the feds to enforce it.
Petitions tend to target 1 level of government (or sometimes a corp). I don’t think I’ve seen one that targets multiple govs or entities. Since I #boycott #changeDotOrg I don’t see many petitions. Is this a thing? E.g. is it feasible in the state of CA to petition to remove #surveillanceCapitalists from public schools & in the same petition demand the feds expand #FERPA? #askfedi
@humanetech @vfrmedia Well, actually it would be tricky to do it as a US federal petition. It could update #FERPA law, but FERPA is just for show (it’s not enforced). So really each US state needs that petition.
RT @ResearchWrigley@twitter.com
Recognizing the limitations of FERPA. No lie folks. #FERPA is functionally useless as a protection document these days.
🐦🔗: https://twitter.com/ResearchWrigley/status/1454107885697437700
@kakure @duckduckgo Any product can have bugs. My problem is that K-12 schools have video surveillance in the 1st place. In principle, it should violate #FERPA. The feds are not enforcing FERPA so it's hard to know where the failure is.