Should Schools Use X (Twitter) to Confess to Losing Private Student Data?

Bad Privacy Blog by Claudiu Popa
3 min readNov 15, 2023

--

Every breach of children’s privacy is severe and has the potential to cause lasting harms.

Since the watershed year 2016 when many Canadian boards of education were financially incentivised to make the irreversible leap from on-premise information systems to cloud edtech ‘learning management systems’, a massive brain drain simultaneously took place within their IT and security departments.

Despite a reported budget far in excess of $1 billion, one of those regional school boards has ‘contained’ more than its fair share of data and reputational incidents over the years. Some of those range from omitting to seek parental consent prior to sharing 100,000+ regional families’ personal information records, to leaving children’s data unprotected online for years.

For the past month, this large public education organization has been sending parents email memos about disruptions to its internet, phone and network connectivity, making no mention of any cyber gremlins.

Last week, it was finally decided that this was a ‘cyber incident’ and waited 3 days to officially announce it after the close of business on Friday.

Was it announced to parents? Nope. Instead, it was posted exclusively on the privately-owned social media platform previously known as Twitter.

At the time of this writing, parents and students have yet to be notified about the security and whereabouts of any data or identities that might have been misappropriated.

This ongoing “network outage” now serves as a reminder that public institutions should not be in the business of:

• delaying disclosure and notification
• downplaying the incident
• placating the media

To be perfectly clear: Notification should not only occur as a last resort, once the organization is humiliated and its systems are paralyzed. Stakeholders have a need to know whenever there is at least an uncertain risk of harm from a cybersecurity incident. Resorting to cover-ups and intimidation when publicly embarrassed only serves to erode public trust and further cause reputational damage.

As part of mature incident response, the priority of school boards is to

• immediately notify and instruct potential victims on protective measures
• engage with breach coaches and experienced peers
• urgently exchange lessons learned with other institutions

*[ref: “Privacy Harms”, Solove & Citron, Apr 2022]
**[evidence of past incidents is easily googlable. opinions and image highlighting remain my own]

This post originally appeared on ClaudiuPopa.ca

--

--

Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.