The Frederick County public school system has taken steps to protect students from future data hacks following the revelation that a breach more than five years ago resulted in the theft of personal information of about 1,000 former students. The school district has taken three steps so far: It has stopped collecting students’ Social Security numbers, which is consistent with a position advocated by the Electronic Privacy Information Center, a public interest research group that monitors privacy issues; it is participating in an audit conducted by the county’s Interagency Internal Audit Authority; and it has hired a cybersecurity expert to review the school’s data system.

The school district also extended an offer — from one year to two years — to provide free identity and credit monitoring services for the students in the midst of a petition drive calling on it to offer seven years of ID protection. The school district is also facing a threat by a Republican state lawmaker to sponsor a bill to require organizations that have been breached to provide five years of free monitoring. District 4 Delegate David E. Vogt III said he would introduce the legislation after saying he felt “stonewalled” by school officials in his efforts to get information about the data breach. The petition, which was begun on Dec. 18 by a former student, had amassed 587 signatures by Tuesday.

The ID protection, which will be provided by New York-based consultant Kroll, will cost the school district $15.60 per person, along with a $500 startup fee. The district paid $60,000 last year after an online malfunction in its internal data system resulted in employees’ tax forms being available for viewing by other employees.

One of the best steps the school district did was to discontinue collecting Social Security numbers. The widespread use of Social Security numbers — they are used for tax records, credit information, school records and medical records — makes consumers and others easy targets for identity theft. A number of states, including Maryland, have passed legislation to restrict the use of Social Security numbers.

The impact of having one’s personal information stolen can last far longer than the 24 months the school system is offering. That’s likely why students, faculty and staff members at the University of Maryland were provided five years of free ID protection after personal information was stolen in an attack on the university’s system two years ago in what has been called one of the largest data breaches to occur at a U.S. university. That breach also happened soon after the university had invested heavily in a security overhaul of its computer systems.

When the Board of Education meets next month to discuss appraising its policy on data breach security, it also ought to consider formally expanding the length of time it is willing to cover ID protection and credit monitoring for the Frederick County students whose personal information was stolen. Offering one year of ID protection has been largely discredited by cybersecurity experts as ineffective. While offering coverage for two years is an improvement, we think the offer extended by the University of Maryland should become official policy, if not law, in these matters. One year is good. Two years is better. We believe five years is best.

(16) comments

annamiller

Well, not every student will agree to share this information. I think that most of them will refuse this option! I don't understand what's happening with education system... Just look at how many students are dissatisfied with the state of things! Some of them just don't see any sense in education, they just need to get their diploma but miss classes, don't pay particular attention to quality home assignments, apply for college essay writing services and somehow are considered to be students! I truly hope that a new government will fix at least some part of all problems gathered in the education sector! Otherwise, a new wave of protests can come from students.

dbjanda1

Armillary...I appreciate your response but now we're dealing with reality and not possibility of stolen data...If your name, family member or friend was on the list would you be so casual....My problem is who does FCPS want to pay for a problem that doesn't or hasn't existed for so long with NO Complaints ???...Now it's important to react out of emotion rather than practically with YOUR tax dollars without knowing why it can't happen again...It ours and your money to spend without responsibility, let's get some answers some questions before spending a dollar, I hope you agree ????

dbjanda1

If the affected former students haven't had any identity problems over these past years, why is there an assumption they will now ???...Any money to a private identity firm for these students that don't need protection seems to be a payout for those negotiating the contract kids...As they ALWAYS SAY FOLLOW THE MONEY !!!!!!!!

armillary

dbjanda1, I think it's safe to assume that all our identity data has been hacked from one place or another and is available for identity thieves to use. The only thing that protects any one of us is that we are each one fish in a very large sea of data. It's only random chance that our data is not used, but given time the probability increases.

Observer10

A Go Fund Me account to purchase the 20,000 names would reward the thief and encourage others to steal information. As for providing five years of identity protection, that should be directed at the State since MSDE was the website that was hacked, not FCPS.

armillary

By your logic, we shouldn't fund fire and rescue services because it only encourages arson and unsafe driving.

DickD

When did the school system start using S. S. in their operating system and why did they think it was necessary? A really bad judgement by someone in the school system. They deserve at least five years and they should still be liable for any bad results at a later time, caused by this cyber security.

It bothers me that doctor offices require this too and there is only one reason, which is to check out whether you pay your bills or not. If we are going to pass a bill, include all uses of S. S. that are not required by law. Make it enforceable with a large fine, like $1,000 per instance.

bosco

Dick, I refuse to give my Social Security number to any medical provider. I tell them they don't need it since I'm not applying for a job or benefits with them. I then ask them to assign me a personal identity number of their choosing - which they don't want to do. Full name and birthdate is all they need.

Never been denied care because I refuse to give them my SS number.

Works for me.

DickD

Might try it myself, Bosco, thanks.

phydeaux994

I would think that your account number would be all they need. Of course in the case of some 65+ folks, your Medicare account number is your SS number.

Tanstaafl

Consumer Reports has come down hard on doctors, etc. requiring social security numbers, used solely for bill collecting. If necessary, just to cut argument short, write
xxx-xx-1234. Medical data is hacked all the time. The FMH, MedStar and connected entities were accessed just recently. Med Insurance firms are much worse. Any HIPAA
is a joke.

bosco

What were they doing with all of those Social Security numbers anyway? You don't need to prove citizenship to register in FCPS.

armillary

The free, thousand name 'teaser' list posted by hackers willing to sell a twenty thousand name list is likely the tip of the iceberg. FCPS is shamed in to taking responsibility for the thousand, but takes and ostrich-like approach to the rest of the list. Perhaps we need a GoFundMe for the whole list?

duffy5x

Millions of people had their information stolen from the OPM site. More information taken and 2 years credit monitoring was all that was given.

Matt Sharkey

We need to expect more than what the Obama administration offered us. These are our children. This is prime territory for a class action lawsuit

Matt Sharkey

The superintendant's statements were alarmingly minimizing. How does she still have a job?

Welcome to the discussion.

Keep it clean. No vulgar, racist, sexist or sexually-oriented language.
Engage ideas. This forum is for the exchange of ideas, not personal attacks or ad hominem criticisms.
TURN OFF CAPS LOCK.
Be civil. Don't threaten. Don't lie. Don't bait. Don't degrade others.
No trolling. Stay on topic.
No spamming. This is not the place to sell miracle cures.
No deceptive names. Apparently misleading usernames are not allowed.
Say it once. No repetitive posts, please.
Help us. Use the 'Report' link for abusive posts.

Thank you for reading!

Already a member?

Login Now
Click Here!

Currently a News-Post subscriber?

Activate your membership at no additional charge.
Click Here!

Need more information?

Learn about the benefits of membership.
Click Here!

Ready to join?

Choose the membership plan that fits your needs.
Click Here!