The state of Maryland will not a release a detailed report, or other related records, on a recently discovered data breach, in which personal information of former Frederick County Public Schools students was stolen.
Roughly 1,000 names, dates of birth and Social Security numbers of former Frederick County students were taken in a data breach that officials said happened before 2010.
As a part of the investigation of the breach, an agency that works with the U.S. Department of Homeland Security created a report that officials said is specific to the breach and contains details about it.
School district spokesman Michael Doerrer has said “it’s likely” that the breach occurred with the Maryland State Department of Education, which has rebutted the district’s statement, saying it’s inconclusive where the breach occurred.
The Frederick News-Post filed a Public Information Act request with the Maryland State Department of Education in mid-December, and was denied a copy of that report from the Multi-State Information Sharing and Analysis Center on Dec. 21.
The News-Post also asked the state for documents on data breaches of the state department’s systems extending back 15 years, and has been denied those.
A reporter specified in the request that the state department could redact sensitive information to provide the documents.
After the denial letter from the state, a reporter contacted the state’s public access ombudsman, Lisa A. Kershner, who helps mediate between records requesters and public agencies.
Kershner cannot compel an agency to release a record, only speak with the relevant parties to determine if a record or parts of a record could potentially be revealed.
Kershner spoke with state education department spokesman Bill Reinhard, who directed her to William H. Fields, a state assistant attorney general who works on behalf of the department.
In an email to Kershner, Fields wrote that the education department must deny a records request for anything pertaining to security of an information system, such as The News-Post’s.
Under Maryland law, for some records, public offices may deny a request, but don’t have to.
This is not the case with requests related to information systems, which agencies must deny, Fields wrote in his email.
“Any report regarding a breach or attempted breach of a computer system will contain information about the security of the information system,” Fields wrote to Kershner. “The report would likely contain both information on how the breach occurred and how breaches may be prevented in the future. The Maryland General Assembly chose to bar disclosure of this information, likely because the members did not want to provide a how-to manual on breaching Maryland’s information systems.”
Fields also wrote in his email that the Department of Homeland Security has restricted the report from being disclosed.
“DHS has limited disclosure of each page of the report to agency employees, clients, and customers who need to know the information to protect themselves or prevent further harm,” he wrote.
Reached by phone, Fields declined to comment further.
The News-Post also filed a records request with the school system for records related to data breaches on Dec. 14. The district has not yet responded to this request, and Doerrer has declined to provide a copy of the report.
A requester can also file a lawsuit in a Maryland circuit court to try to secure a record that has been denied.
The school district will offer two years of free credit and identity monitoring to victims of the breach, who officials have said attended Frederick County schools between November 2005 and November 2006. The consulting firm Kroll will handle the monitoring, the school district has said.
Delegate David E. Vogt III, R-District 4, has said he intends to file legislation to force the school system to offer five years of free credit monitoring.
The stolen information was posted on at least one website, and remained on that site as of Thursday.