Frederick County Public Schools would develop and implement an information security program to protect student and employee data, under a new policy being considered.

The Frederick County Board of Education expressed initial support for the policy and its aligning regulations at a worksession on Wednesday.

The proposed policy is in response to a data breach that FCPS became aware of last September that compromised the names, Social Security numbers, and birth dates of about 1,000 students in the school system in 2005-06. The breach occurred before 2010, school officials said at the time.

The new policy, which the board moved to a second reading, states that the superintendent is responsible for developing a set of regulations along with a “Written Information Security Program,” or WISP, for staff to maintain using FCPS information systems.

The school system already had guidelines and practices in place for response, but the new policy and regulations are more formal and thorough.

“I think we had a moment where we realized our posture was prepared but reactive after the data breach this year,” said Liz Barrett, school board vice president. “This policy, the data security policy, is designed to emphasize comprehensive preparedness, including the responsibility of all staff for data security.”

The security program “will address data privacy, incident response planning, acceptable use of technology, and information technology security awareness training,” according to the policy.

The WISP itself was not immediately available, and Superintendent Terry Alban and Director of Technology Infrastructure Edward Gardner did not immediately respond to a request for comment on the security program. But the regulations developed by Alban and Gardner provide information that the WISP will include.

For example, the WISP includes guidelines to mitigate and communicate risks for FCPS student and staff information systems, and will meet an “acceptable minimum level of IT security controls and data privacy practices.”

The policy will also include increased training for employees on how to treat sensitive information. Employees had been trained on data privacy in the past, Barrett said, but new training will be more frequent and more intensive.

“The IT staff is rolling out new training and proactive communication and reminders to employees about their roles in data security,” Barrett said. Staff will continue to be trained in things such as encrypting email and protecting personally identifiable information, Barrett added.

In January, the board discussed bringing in a contractor to help test the district’s data security. The request for proposals would have required the contractor to perform quarterly tests of what access the public has to data and to mobile and web-based applications. It’s unclear whether an expert was ever hired or will be in the future.

Follow Allen Etzler on Twitter: @AllenWEtzler.

(3) comments


Unless the students are applying for a job or for Social Security benefits, the school doesn't need to have student's SS numbers, especially since there is no requirement that you be a citizen or be here legally to enroll.

Social Security numbers are like gold for identity theives.


I was wondering about that too, Bosco. If not required, why provide?


Every medical provider in town asks for your SS number. I tell them I'm not applying for a job or benefit'd and refuse.

Welcome to the discussion.

Keep it clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
Engage ideas. This forum is for the exchange of ideas, insights and experiences, not personal attacks. Ad hominen criticisms are not allowed. Focus on ideas instead.
Don't threaten. Threats of harming another person will not be tolerated.
Be truthful. Don't knowingly lie about anyone or anything.
Be nice. No racism, sexism or any sort of -ism that is degrading to another person.
No trolls. Off-topic comments and comments that bait others are not allowed.
No spamming. This is not the place to sell miracle cures.
Say it once. No repeat or repetitive posts, please.
Help us. Use the 'Report' link on each comment to let us know of abusive posts.