The Washoe County School Board of Trustees yesterday approved an audit that showed the district has been unable to follow a number of recommendations to improve its Information Technology security.
The board’s approval of the updated audit came on the same day that a new data issue had occurred — one the district said was in violation of federal law.
An email was sent to parents of WCSD students today. It read:
“Yesterday, you may have received a text message from Coral Academy through their SchoolMessenger system. This message was sent in error, and we apologize for the mistake.
“This was caused by a programming error in the process we use to provide data to Coral Academy’s parent/guardian communication tool, SchoolMessenger.
“Unfortunately, additional data was provided to SchoolMessenger, including some directory information as well as student ID and gender for WCSD students.
“SchoolMessenger has verified that this data did not leave their possession and was immediately and permanently deleted from their systems as soon as the error was identified.
“We are notifying you of this error because the distribution of this information to someone other than the student (age 18 or over) or the parents without your written consent constitutes a violation of the Family Educational Rights and Privacy Act (FERPA).
“The Washoe County School District reported this violation to the Family Policy and Compliance Office on September 11, 2019.”
The district also does not adequate staff or funding to make the IT improvements noted in a 2016 audit.
“Increased staffing alone will not ensure that we continue to meet the current IT demands, or provide new services and functionality,” the audit explained. “There are hardware and software tools that the district would need to invest in to ensure that we cannot only, at a minimum, maintain our current level of service, but at the same time provide additional functionality and safety for all of our users. This is especially true when we consider IT security issues.”
“Further funding is required to secure a regular frequency of vulnerability scanning.”
Recommendations from the 2016 audit included hiring more staff to handle increased service requests, better device and network monitoring, and disaster recovery. But most recommendations were only partially met, and three were not implemented at all.
“The Department is drafting a ‘Comprehensive District Information and Cyber Security Plan,’ which will address items such as device configuration, incident handling and recovery, monitoring, and contingency,” the audit noted as part of its update last month. “Although plans are in progress, the Department represents staffing remains insufficient to create and implement plans at the level of detail required.”
The report also showed that in March of this year, the district conducted a scan for vulnerabilities and found 14 issues.
“Further funding is required to secure a regular frequency of vulnerability scanning,” the audit recommended.
District Refuses To Answer Questions
District officials stonewalled and denied responding to questions about a data breach it announced at the end of July. That incident involved a vendor whose information, including student names and birthdates, was compromised. It impacted more than 100,000 students who attended WCSD between 2001 and 2016.
“We make careful and considered decisions on how best to meet District responsibilities to our students … with limited resources,” said district spokesperson Vickie Campbell. “A large part of achieving these goals is achieved by entering into contracts for services it would be impossible or cost-prohibitive to provide or create ourselves.”
The district declared an IT service contract confidential. This was after new interim Superintendent Kristen McNeil promised a new era of transparency when former Superintendent Traci Davis was fired. (Davis filed suit in response; read it here.)
Public commenters at school board meetings regularly chastise the district for what they claim are violations of student privacy for using third-party education apps, one of which is owned by a Chinese company. An exchange during public comment last year led to the district hiring a consultant to identify security problems.
“Nevada law does not require the District to answer questions as part of a public records response.”
Optiv Security was paid $13,000 for its services and a report, but the district refused to disclose any information.
It denied a public records order for company’s report, citing a 1990 court ruling. Tax-payer-funded materials are generally considered public records.
“To the extent your request asks questions, as you know, Nevada law does not require the District to answer questions as part of a public records response,” said district paralegal, Breanne Read. “The Communication Department, at its discretion, may address your questions.”
PR staff also refused to provide more information.
“The District does not feel that it is in the best interest of our students, families, and staff to release information to the public that contains details on our security vulnerabilities,” Campbell said last month.
Read the audit
Bob Conrad is publisher, editor and co-founder of This Is Reno. He has served in communications positions for various state agencies and earned a doctorate in educational leadership from the University of Nevada, Reno in 2011. In addition to managing This Is Reno, he holds a part-time appointment for the Mineral County University of Nevada Extension office.