Midland ISD Creates Plan to Prevent Another Data Breach 2/8/14
CBS 7 News
February 8, 2014
The following is a letter from Midland ISD Superintendent Dr. Ryder Warren:
As most Midlanders who follow the MRT and our local TV/radio stations are aware, this was a tough week for the school district and for many of our community members. A situation arose in which a theft of a laptop computer caused the loss of personal information for thousands of current and former students.
First and foremost, I personally apologize for this situation. The state and federal governments require so much information to be given to MISD, and we are charged to protect that data. One of my staff members was the victim of theft, but we have to do a better job of protecting the data against the possibilities of theft like this one in which we are dealing.
Secondly, I am compelled to explain how MISD will deal with the issue at hand and describe what steps will be taken to negate the possibilities of this being repeated. This plan will be presented to the members of the MISD Board of Trustees for their input and guidance, and then we will initiate all parts of the plan. The initial points of this plan are as follows:
Point 1: To support the affected parents, caregivers, and students, the district will publish specific, step-by-step instructions on how to track their children’s credit history. Some of the comments we’ve taken this week allude to the fact that the credit websites are not as user friendly as need be, so we are going to break down all requirements of these websites and post the “how to” directions on the MISD website to better assist caregivers and students on how to track their data.
Point 2: I will recommend to the MISD Board of Trustees a financial package to help place protective measures on children’s data if needed. My recommendation will consist of MISD partnering with CSID to provide a one-year subscription to “Breach Protector,” which is a credit monitoring and identity theft restoration coverage. According to the letter we will send our caregivers and former students, CSID is an independent company that specializes in protecting and restoring its subscribers’ credit and identity, if those have been compromised.
Point 3: MISD is going to completely analyze (and change where needed) both the content and the application of our data protection procedures to target all MISD employees regarding the responsibilities we all carry in the protection of student and employee data.
This task will require several different steps. Examples of these steps include the following: (1) Initial needs assessment to identify procedural concerns; (2) Policy/procedure revisions to address known concerns; (3) District-wide training of staff; (4) Implementing technology security measures; and (5) Further revision of policies/procedures if necessary.
As an administrative team, we have already researched several ideas regarding these protective steps.
Just a few of the examples we’ve discussed for these initial recommendations consist of all MISD staff being retrained on current processes and new training to occur for new procedures by Friday, February 21, 2014. We feel our regulations, procedures, equipment, and expectations must be reemphasized for safeguarding student and employee data.
We are also looking at our procedures for specific hardware and equipment requirements. Because of their positions, hundreds of MISD employees need different levels of access to student data, but the uses of off-site laptops must be assessed. Also, not allowing the use of external storage devices (external hard drives and flash drives) for copying and storing sensitive data, such as student or personnel records, will be addressed. Finally, the district is planning to assure that all district laptop hard drives will be encrypted by computer policy.
Point 4: I will be recommending to our school board members that MISD contracts with an external security firm to conduct a full audit of all of our data and equipment protocols. We conduct financial and curriculum studies every year to make sure we are up to standards in both financial practices and our instructional programs, but we have to assure we are also securing data and equipment as best we can, so getting an outside, expert opinion will be of much value to the district as we move forward.
Our commitment to parents, caregivers, and students of our community is that we will absolutely take more steps to safeguard our children, and we will learn much from this experience. Thank you for your support of our schools and for your support of our kids.