Page High Employee Accidentally Shares Student Data

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.gcsnc.com/education/components/whatsnew/default.php?sectiondetailid=306641&viewType=detail&id=52454

Guilford County Schools (GCS) recently learned that a school employee
mistakenly emailed an electronic file containing personal information
for about 456 rising Page High seniors*.

The information was inadvertently sent to a Page High student's
guardian on Tuesday, July 2. The next day, the individual who received
it recognized there was an issue and contacted the employee. The
employee immediately asked the guardian to delete the file and told
school officials what happened.

The information included student names, addresses, telephone numbers,
course enrollments, grades, district-assigned identification numbers
and other data points found on student transcripts. The information
did not include students' Social Security numbers.

GCS immediately started an investigation and worked to secure the data
files, which had been copied in an electronic or portable document
format (PDF). The investigation, which continued through the Fourth of
July holiday and weekend, has confirmed that the information was
shared with just one non-GCS person, and that the file sharing was not
intentional.

"We work very hard in GCS to protect student privacy and data, and we
are very sorry that this has occurred," said Maurice O. Green,
superintendent, noting that GCS plans to review and strengthen the
district's data sharing protocols, training and communications.
"Fortunately, this error was caught quickly so the exposure is
limited. We are deeply appreciative to the individual receiving the
email for recognizing the error and for notifying us so quickly."

Authorized personnel may keep a printed copy of student transcripts,
or use an electronic file copy (PDF) of the data to answer questions,
register students and complete course schedules when the secure,
online access to the student database is not available. These files
are used primarily during the summer, as one school year closes out
and the online student data system is unavailable while it is updated
for the coming year. The employee who sent the data was an authorized
user.

"The employee who sent the file was emailing the guardian in response
to unrelated questions and somehow accidentally attached the data
file," said Patrice Faison, Page High principal. "The employee feels
terrible about this, and we have apologized to our parents for the
error and any concern it may have caused."

GCS and Page High have taken multiple steps to share information about
the error. The school sent a voicemail message to families of rising
twelfth-graders, and will also mail letters to the custodial
parents/legal guardians of each affected student. General information
also was shared by voicemail and email with parents, staff and
community members.

In addition to the actions taken by Page High personnel, GCS has
posted information on its website (www.gcsnc.com ), GCSTV and district
social media outlets. GCS is reviewing its data-sharing practices to
determine whether there are other measures that should be taken to
prevent a similar incident from occurring in the future.

GCS set up a special phone line and email address for Page High
parents, particularly those of rising seniors*. The phone number is
336-332-0810 and staff will be available until 8 p.m. tonight and from
8 a.m. to 6 p.m. tomorrow. The email address is pagerecords () gcsnc com
. The district also created a special website with more information
about the issue, including a sample transcript:
www.gcsnc.com/pagehighdata.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.