Love this data about identity theft and K-12 schools…folks, we are failing on this and we need to do something about it.
Data breaches leave people six times more likely to become victims of identity theft, according to a survey this year by Javelin Research. Schools warn parents to monitor their children’s credit after a data breach. But credit reports only turn up 1 percent of fraud on children’s credit histories because thieves pair children’s Social Security numbers with new names and birth dates, according to a study by Debix, which sells identity protection services…more than 18,000 child identity theft complaints were reported to the Federal Trade Commission, compared with about 6,500 cases in 2003.
Only half of K-12 schools use encryption to scramble sensitive data in case it falls into the wrong hands, according to a February survey of more than 100 IT employees at K-12 schools nationwide. School districts in 26 states now ask for students’ Social Security numbers. One of those states is Texas, where education officials need those numbers to connect K-12 records to higher education and workforce data, according to Debbie Ratcliffe, a spokeswoman for the Texas Education Agency.
Ratcliffe said the agency takes pains to protect sensitive student information, storing data behind firewalls and using other identifying information in most data sets. But last year, the agency asked eight Texas school districts to send confidential student information, including Social Security numbers, through the mail on unencrypted CDs for research purposes. (Source: http://www.huffingtonpost.com/2011/12/15/students-identity-theft_n_1140119.html)
Why am I bringing this up? Earlier this week, a colleague shared this question:
How does your District share confidential documents via email? We are looking at ways to potentially email SpEd, Finance, HR data etc.
Ideally we’d like to find a way to attach secure documents within Google Apps.
I promptly shared a proposal a colleague and I had put together and that goes for review next week. That information elicited this response:
Can you not upload the documents to Drive and then share with the intended audience?
My response included the following epistle typed on my mobile phone:
Yes, however data remains unencrypted and now is stored that way in the cloud. Some prefer data to be encrypted before it leaves your computer so that in case of a breach, you are protected by safe harbor…in that case, you don't have to report loss of unencrypted data.
Encrypted = safe harbor
Unencrypted = pay for identity theft protection, public scandal
Boxcryptor.com is an interesting cross-device tool to use that is designed for encryption implementation in cloud storage, including Drive, box.net, Dropbox, etc. It won't work for emailing files but adds security when storing confidential data in cloud. Free for personal use, available on android, iOS, win, mac.
My preference is to encrypt confidential data before storing it in the cloud when possible. AESCRYPT.COM is an easy cross-platform way to do that…linux, mac, windows…not chromebook
For chromebook, I use Mailvelope app. Works great to encrypt on-screen content, although it uses public/private key encryption which can be confusing for newbies.
Neither Boxcryptor nor Mailvelope would work well in a larger org IMHO. Solid personal tools, though.
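An added example, not part of the original email or the proposal it mentions: a pre-upload check in Python that flags files in a cloud-sync folder that hold Social Security number patterns and are not already AES Crypt containers. The function names, folder contents and sample records are constructed for illustration, and the `AES` header test is a heuristic on the file's leading bytes that does not verify the encryption itself.

```python
import re
import tempfile
from pathlib import Path

# SSN-shaped values such as 123-45-6789; 000/666/9xx area numbers are never issued.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def looks_aescrypt(head: bytes) -> bool:
    """AES Crypt files begin with the bytes 'AES' plus a format version byte (0-2)."""
    return len(head) >= 4 and head[:3] == b"AES" and head[3] in (0, 1, 2)

def audit_folder(folder):
    """Return {relative_path: ssn_count} for unencrypted files holding SSN-like values."""
    findings = {}
    root = Path(folder)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if looks_aescrypt(data[:4]):
            continue  # already an encrypted container; contents are not readable
        hits = SSN_RE.findall(data)
        if hits:
            findings[str(path.relative_to(root))] = len(hits)
    return findings

def demo():
    """Build a constructed sync folder (hypothetical file names) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample records, not real student data.
        (root / "roster.csv").write_bytes(
            b"name,ssn\nA. Student,123-45-6789\nB. Student,234-56-7890\n")
        (root / "newsletter.txt").write_bytes(b"Picture day is 10-12-2015.\n")
        # Stand-in for an AES Crypt output file: magic bytes plus opaque payload.
        (root / "roster.csv.aes").write_bytes(b"AES\x02\x00" + bytes(range(64)))
        return audit_folder(root)

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"UNENCRYPTED: {name} contains {count} SSN-like value(s)")
```

Run against a Drive or Dropbox sync folder before it syncs, anything the audit returns is a file to encrypt or remove first.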
Of course, I’ve mentioned these tools before here at Around the Corner. The response to this message was:
Somehow I don’t expect to see this in my lifetime, but doesn’t this point to the shortcomings of using attachments to emails as a way of disseminating sensitive information? I must admit I am personally finding it very hard to kick the habit of nearly thirty years, but attaching files to then send to different places would seem crazy if it were invented today…
And here’s my long response:
The question of Family Educational Rights and Privacy Act (FERPA) compliance was raised during most sessions. Session attendees appeared to be comfortable with the typical subsequent discussion pointing out that FERPA compliance is more a task of user behavior rather than infrastructure, and that the features within Google Apps allow FERPA compliance. (Source: http://edtechlife.com/?p=2236)
K-12 educators and support staff are largely unaware of the threats and vulnerabilities associated with the information systems they use. For example, private student data can be stolen, lost, and/or exposed to the public. This threat is especially pertinent as educators and support staff are obligated to protect sensitive information such as Student Test Numbers under the Family Educational Rights and Privacy Act, or FERPA, which is one of the nation’s strongest privacy protection laws. These individuals need opportunities to learn about the threats and countermeasures associated with information protection. (Source: Purdue University – Data Security in K-12)