Title 26 January 2011 Hackers broke into the computer system at a New Jersey school district and...

26 January 2011

Hackers broke into the computer system at a New Jersey school district and gained access to a student records system used by 160 schools across the state.

The online hacker group 4chan was able to discover the password for the system and post it on its message board, enabling 4chan users to infiltrate the Genesis Student Information System used by the Plainfield, New Jersey, school district, according to a report by ComputerWorld. The Genesis system is used to manage student records and communicate with students and parents.

It is not clear whether any information was stolen, but the 4chan users posted screenshots showing how they were able to manipulate the school’s Genesis system. One screenshot showed lunch prices reset to $9000 per meal. Another post said that “every class is now elective, and requires only 1 credit to graduate”, according to the report.

Source: Infosecurity.com

Why PTAC?

• SALEM, Ore. -- The Oregon Department of Corrections revealed Wednesday that personal data on hundreds of its employees may have been found on a portable "thumb drive," including payroll information and Social Security numbers, but said all indications are that it was accidental and there's no indication any of the info was misused.

• The agency received word on Jan. 27 of the potential information security breach from a non-employee, member of the public. The breach involved a thumb drive that "allegedly contained personally identifiable information about DOC employees," the department said.

Source: ktvz.com

Why PTAC?

14 February 2011

Just days before Valentine’s Day, the online dating service eHarmony said its dating advice site was hacked, exposing names, emails, and passwords of the site’s users.

Source: Infosecurity.com

Why PTAC?

February 17th, 2011 – Charleston, WV

A recent data breach at a research subsidiary of an area medical center prompted the state’s attorney general to shut down a compromised website and take steps to protect the nearly 4,000 patients.

The company has hired an outside risk management group to prevent future security problems.

Source: Modernhealthcare.com

Public Scrutiny

“Most states collected in excess of what is needed..”

“We found that, given the detailed and sensitive nature of the information collected, the databases generally had weak privacy protections.”

Source: law.fordham.edu

Shrinking budgets

Lack of resources for security?

Use the Privacy TA Center!!

Privacy TA Center Mission

The Privacy TA Center is designed to provide states with:

• A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.

• A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.

• A focal point for queries and responses to the privacy-related needs of State Education Agencies (SEAs), Local Education Agencies (LEAs), and Institutions of Higher Education (IHEs) in a confidential, safe environment.

• A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.

Privacy TA Team

ED Program Manager: Emily Anthony

Project Director: Baron Rodriguez

Subject Matter Experts:

Tom Szuba, Anthony Bargar, Mark Hall

Help Desk Support: Dan Boland

FERPA NEWS - NPRM

• Proposed amendments would strengthen enforcement provisions under FERPA to cover additional recipients of information and clarify how States can effectively develop and use data in Statewide longitudinal data systems (SLDS) authorized under the American Recovery and Reinvestment Act of 2009 (ARRA) while ensuring protection of individual privacy under FERPA.

• The contents of the NPRM will be made available to the public when it is published in the Federal Register.

FERPA NEWS - NPRM

• Submit comments in writing & by the due date, according to the method specified in the Federal Register

• Be specific (the more concrete your recommendations are, the more useful they are in informing the final rule)

• “I don’t like this” isn’t an actionable comment

• YOUR COMMENTS ARE CRITICAL TO HELPING US MAKE THE FINAL FERPA CHANGES

PTAC Resources Available

EVENTS

Regional Meetings

• Northeast/West regional meeting – EIMAC, Washington, DC – April 18th.

• Tentative Agenda

  • Latest on FERPA/NPRM

  • Guest speakers: ED Chief Privacy Officer, and/or Melanie Muenzer

  • Cyber Security session

  • State Privacy & Security Roundtables

  • Best practice sessions from fellow states (ideas?)

• Midwest Regional: June/July – Chicago or Detroit

• Southern Regional: August/September – Atlanta

TYPES OF RESOURCES AVAILABLE from Privacy TA Center

• ED Experts

• Chief Privacy Officer

• Family Policy Compliance Office

• NCES Experts

• Office of General Counsel

Site Visits

• Voluntary!

• Designed to assist states with their privacy and security needs.

• Not an audit of security or compliance.

• Can provide independent, objective, third party assistance in the areas of SLDS and Cyber Security.

• If interested, send request to [email protected]

Expert help (through Site Visits)

• Audit response assistance

• Independent validation of implementation recommendations as a result of security review.

• Security policy reviews

• Governance assistance (multi-agency)

• Facilitation of multi-agency privacy/security discussions.

Website: http://nces.ed.gov/programs/ptac/

• Request assistance

• Upcoming events

• Subscribe to email list

• Recent relevant ED publications

• Privacy TA Center publications

• Best practice guidelines

• Frequently Asked Questions

• Latest FERPA news

• Other on-line recommended resources

Webinar Series

March: NCES Brief – Data Stewardship

April: NPRM Latest News

May: Threats to your data, what you should know

June: FERPA & Interagency data exchange

July/August: ???

Example of Templates/Tools (coming soon)

• Security Checklists

• Sample Memorandums of Understanding

• Sample Acceptable Use Policies

Feedback Session

1. What kinds of resources would be helpful to you for the Privacy TA Center to provide?

2. What topics would be most useful for a regional meeting?

3. What briefings from ED would be especially helpful to you around privacy and confidentiality?

4. Other recommendations or questions?

Contact Info

Privacy TA Center

Website: http://nces.ed.gov/programs/ptac/

Email: [email protected]

Phone: 1-855-249-3072

Fax: 1-855-249-3073  
