Wednesday, February 17, 2016

Privacy alert: All parents need to act immedately

I just sent the letter below to the CSBA, urging them to intervene in a legal case in federal courts.  In a nutshell, a judge has just decreed that the California Department of Education must release the records of EVERY STUDENT in the State to the "Morgan Hill Concerned Parents Association".

Here are a couple of articles that describe the legal dispute:
(San Diego Tribune Article)
(Mercury News Article)

In my considered opinion, these folks are underselling the risk of data breaches.  (See my letter, below)

Here's the notice posted on the Calif Dept of Education Website (CDE Website)
This link includes a form to fill out so that you can opt out of disclosure.  This means your student's information would NOT be disclosed to this third party- but you must file the form promptly. The data will be released on April 1, 2016.

Here's my letter to the CSBA:

Vernon, Keith-

I'm writing to add to what I can only assume is a chorus of voices urging the CSBA and local school districts to take action on Morgan Hill Concerned Parents Association, et al. v. California Department of Education, USDC-Eastern District of California, Case No. 2:11-cv-03471-KJM-AC

This case is perhaps the worst judicial over-reach I've ever witnessed.  Compelling the State to turn of all student data for the entire state to a group of private individuals is nothing short of outrageous.  I used to think that FERPA, the Butler Act, and a host of other laws prohibit this sort of nonsense.  I'm sure you're much more familiar with the legal nuances, so I won't try to engineer your legal argument.  Suffice it to say this cannot be permitted to stand.

I serves on the LASD Board of Trustees, including a term as board president, and I chaired the litigation committee through much of our fight with the Bullis Charter School.  During the course of that litigation, we actually showed cause and obtained their list of students-- and that took a mountain of legal paperwork.  Even in that specific instance, where we could show the likelihood of a pattern of wrongdoing to a judge, we still granted the most onerous (Attorney eyes only) protective orders conceivable.  This case appears to grant MHCP full access without much more than a passing thought about what might happen to a database of every single student in the State of California.  

In my day job, I run a credit card processing business.  We hold over 180M credit cards, and we have considerable expertise in data protection and hacking attempts.  If you think credit cards are a tempting target, I can tell you from deep experience that identity information such as what it proposed here is a far more tempting target for hackers.  The identity information on a couple million school kids would fetch a huge price on the black market, as it would enable criminals to obtain credit for years before it is detected by the victims.  Fortune 100 corporations spend hundreds of millions of dollars annually trying to protect consumer data-- and they fail.  (Home Depot, Target, Neiman Marcus, and many others).  What on earth makes us think that a group of "concerned parents" has the technical sophistication to protect the entire student list for the state of California?

If I were on the Board today, I would actually urge non-compliance until a stay can be issued, and until this ridiculous order can be overturned.  Meanwhile, I urge the CSBA to immediately intervene in this proceeding and do whatever it takes to ensure the confidentiality of all student records.  If there is a legitimate issue under this case, compel the CDE to deal with it by providing summary data- not by granting access to the identity of every student in the state.

Thank you for your prompt attention to this matter.  If there's any further information I can provide, please let me know.

Douglas J Smith