Personnel data for about 4 million current and former employees of the federal government has been breached over a period that seems to extend at least from late last year until April, when officials in the Obama administration noticed it, the New York Times reports.
The intrusion into the computers at the Office of Personnel Management appears to have originated in China, according to reports. That office handles government security clearances as well as federal employee records.
This is the second breach of a sensitive and important federal computer system in the last 12 months—that we know about. Late last year, the White House and State Department said their email systems had been compromised in an attack by hackers in Russia.
This is why I have gone on the record (see here and here, for example) as opposing the transmission of student data over the Internet or its storage on any file server, at least if it might be sensitive, time-sensitive, or invasive of students’ lives at school, at home, or in their communities. If the federal government, the supreme taxing authority in this land, can’t spend enough money to protect data about its own employees, how can we possibly expect corporations to spend even a fraction of that to protect what has always been private information about students?
Gov Larry Hogan, Republican of Maryland, recently signed House Bill 298, the so-called Student Data Privacy Act of 2015, into law. As introduced by Delegate Anne Kaiser, the bill would have added a few safeguards against corporations grabbing student data that should remain private. Unfortunately, the state Senate ran with the bill and turned it into a lobbyist- and corporation-friendly hack job.
Last-minute amendments left the measure “riddled with loopholes,” and as it stands, the new law “puts the interests of tech vendors above those of Maryland’s schoolchildren,” according to an editorial in the Baltimore Sun. Companies now have carte blanche to use information collected in Maryland’s schools to market their products to our children and their parents, and to disclose students’ personal information to third parties.
So, it seems we have learned nothing from recent breaches. In fact, we continue to pass laws that essentially hold the door open for people of questionable morals and even for criminals.
Just last month, as the federal government was taking a long look at data privacy, Education Week ran an article that spelled out five basic principles schools should use—whether they’re urban, suburban, or rural; small or large—to protect their students’ private information:
- Build data-privacy policies into your school culture, so that every faculty and administrative staff member is thinking about it whenever student data is involved. Promote this approach among all employees, from the newest teacher up to the superintendent.
- Be very wary of “free” technology solutions. You may end up paying with students’ data, rather than cash. (For more on this, see Ms Tufekci’s op-ed.)
- When you work with a technology company, don’t just ask for a product demonstration. Demand an executive briefing that will show you step by step and scenario by scenario exactly how data will be protected.
- Data privacy often has legal implications; make sure school or district lawyers are involved in the policy-making process.
- Take advantage of reliable online resources that clarify why data privacy is important, best-in-class privacy standards, and strategies for tailoring a school’s or district’s data-privacy policies.
That’s some practical advice, but if data is online or transmitted over the Internet and some hacker wants to get it because someone else is willing to pay good enough money for it, it’s only a matter of time before it’s hacked. How many more times does this have to happen before we understand and accept the futility of safeguarding data from criminals, whistle-blowers, incompetent I/T staff, and school personnel who mean well but just don’t understand what it takes to keep data from falling into the wrong hands in a tech-savvy and criminal world?
And for Pete’s sake, don’t post anything private on public forums like Facebook, Twitter, Instagram, Ask.fm, YouTube, or any other social media site. It’s not even illegal to gather data from those places.
Zeynep Tufekci writes an op-ed in today’s New York Times entitled “Mark Zuckerberg, Let Me Pay for Facebook,” in which she tells us, “A recent Pew Research Center poll shows that 93 percent of the public believes that ‘being in control of who can get information about them is important,’ and yet the amount of information we generate online has exploded and we seldom know where it all goes.”
Soon, I wouldn’t be surprised if test delivery platforms like Pearson’s TestNav will allow login via Facebook ID, just as every other Internet site seems to allow. Even this blog has succumbed to the truth that Facebook and its personalized ads are everywhere, and you can log in to post a comment using your Facebook login if you don’t care to set up a WordPress account.