New info on the NYC student data breach — with some critical follow-up questions

Recently, Chalkbeat reported on a data breach that affected over 1000 NYC students and teachers. Chalkbeat followed up with another story that suggests this breach was caused by insecure storage of student and teacher data on a Google Drive, first discovered in January 2021 by high school students at Brooklyn Tech. Though these students immediately reported the exposure to an administrator at their school, it was ignored until March 2021, when they found that the problem had grown worse and emailed three DOE officials to alert them.

I was asked to look into this matter by NYC parent leaders, and followed up with an email to Joe Baranello, the chief privacy officer of DOE. I asked him for copies of the letters sent to parents and staff whose data was breached, and for more information about how these breaches occurred and what data elements were accessed.

To his credit, he responded within a few days with more details and provided four breach notification letters as attachments.

All four letters were dated July 30, 2021. Letters #1 and #2 were addressed to parents about an unspecified March 2021 breach; the second letter included reference to specific data elements that were accessed, with that information redacted. Letter #3 was addressed to parents whose children’s data was accessed in an earlier August 2020 breach. Letter #4 was addressed to teachers about the March 2021 breach. In all cases, these letters inexplicably claim that this data was seen by only a single NYC student.

Joe’s email, which follows, included more information about the specific data elements that were breached. Below his message are several follow-up questions to him. If and when I get replies, I will update this post. If you or your child were affected, please let us know at [email protected]. Thanks!

___

From: Baranello Joseph <[email protected]>
Sent: Monday, August 16, 2021 11:15 AM
To: [email protected]
Cc: Siciliano Lauren <[email protected]>; Sharma Anuraag <[email protected]>; Nathan Judy <[email protected]>; Gantz Toni <[email protected]>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees, officials confirm – Chalkbeat New York

Hello Leonie,

Thank you for your inquiry. We have attached the template letters that were used for these notifications, which provide additional information on what occurred and what was viewed. Impacted individuals would have received the letter applicable to them. The information implicated varied by individual. To that end, the templates include variable fields that were populated based on the specific information implicated for each person. Approximately 3,000 students and 100 staff were impacted. The variable fields are listed below, and which were involved varied widely from student to student.

No social security numbers of students or parents were involved to our knowledge (the DOE does not collect parent or student SSNs for routine inclusion in its databases).  For 5 employees, full SSNs were included.

We are committed to protecting the privacy of our staff and school communities, and a DOE student should not have been able to view these files. We have no indication that anyone’s information was further shared or misused at this time, and the DOE implemented aggressive measures to prevent this from happening again. Out of an abundance of caution we are offering free credit monitoring service to impacted individuals.

Student data:

  • Student Academic
  • Student Biographic
  • Student Health
  • Student Name
  • Student ID
  • Student Date of Birth
  • Special Education
  • Parent Information

Employee data:

  • Name
  • Social Security Number
  • Social Security Number (Last 4 digits only)
  • Date of Birth
  • Employee ID

The following specific documents were viewed for fewer than ten students per document type:

  • Individualized Education Program
  • Emergency Contact Card
  • Government ID
  • Special Education Remote Learning Plan
  • Section 504 Plan
  • Birth Certificate

Sincerely,

Joseph A. Baranello
Deputy Counsel & Chief Privacy Officer
New York City Department of Education

____

From: [email protected] <[email protected]>
Sent: Monday, August 16, 2021 5:06 PM
To: ‘Baranello Joseph’ <[email protected]>
Cc: ‘Siciliano Lauren’ <[email protected]>; ‘Sharma Anuraag’ <[email protected]>; ‘Nathan Judy’ <[email protected]>; ‘Gantz Toni’ <[email protected]>; Leonie Haimson <[email protected]>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees

Dear Joe:  Thank you for sharing the letters that were sent to parents and school staff about these breaches.  I have several follow-up questions:

Question 1: In letter #3, dated July 30, 2021, DOE informed parents of the following: “In August 2020, a DOE student reported that they viewed various electronic files that contained education records and personal information about you and/or your child. The DOE immediately took steps to address it.”

Why such a long delay in notification for this breach, especially as the NY State regulations for NYS Ed Law 2-d specifically require breach notification as early as possible and in no case more than 60 calendar days after its discovery?

Question 2 – This Chalkbeat article reports that a group of Brooklyn Tech students accessed personal data in January 2021 and March 2021; why is there no notification to parents of the January 2021 breach?

“The students unintentionally discovered they had access to these documents in January. They noticed that the Google Drive folder where they uploaded their class assignments during remote learning contained documents uploaded by students and staff at schools across the city. Those documents included second graders’ classwork, a parent-teacher conference sign up sheet, and college recommendation letters, said a Brooklyn Tech High School student who asked to remain anonymous.”

Question 3 – Why the delay in notification for the March 2021 breach referenced above, in letters #1 and #2, especially as DOE learned about it shortly thereafter, according to the Chalkbeat article? Again, the July 30 letter is more than 60 calendar days after the date of discovery, despite the notification requirements in the regs.

Question 4 – Why do all four letters refer to only one student accessing this data, when the Chalkbeat article refers to a group of students accessing much personal data in January and March? 

Question 5 – Has the DOE looked into the possibility that not only this group of high school students, but other individuals as well may have accessed personal data for thousands more students/teachers, given how easily this data was found? What further investigations are being done?

Question 6 – Clearly the data was not encrypted if students were so easily able to access it.  Are you aware that the State privacy law and regs require that the sharing of personal data with any third party such as Google requires the encryption of all personal data in motion and in rest?  Does DOE intend to comply with this requirement of the law in the future?

Question 7 – Why is the New York City Department of Education sending letters to parents from a P.O. Box in Suwanee, GA?

Question 8 – Why does the DOE tell parents in these letters that if they “want to discuss this matter or have any questions” about these breaches, they need to create an account with a private company called IDX, rather than contact someone at DOE itself – especially as the law required districts to appoint a Chief Privacy Officer to be the contact person for parents’ questions and concerns regarding privacy?

Moreover, the link provided in the letter requires parents to create an account with this company that in turn obligates them to accept onerous Terms of Service that “will indemnify, defend, and hold harmless IDX, our subsidiaries and affiliates, and each of our respective officers, directors, agents, partners and employees (individually and collectively, the “IDX Parties”) from and against any loss, liability, claim, demand, damages, expenses or costs (“Claims”) arising out of or related to (a) your access to or use of our Services or Website”?

Moreover, IDX also limits any claims of damages to binding arbitration, and in its Privacy Policy, claims it can use their customers’ information for many purposes, including sharing with credit bureaus and/or “With vendors, consultants, and other service providers who need access to such information to carry out work on our behalf, including marketing our products and services.”

Again, thank you for your work for NYC children, and for providing these letters to me.

Hoping for a timely response,

Leonie Haimson
Co-chair, Parent Coalition for Student Privacy
www.studentprivacymatters.org
[email protected]