IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

IT Leaders Share Concerns About Student Data Security in California

A court-ordered release of personal data from 10 million students will make data protection a challenge.

(TNS) — SAN JOSE, Calif. — With a recent court ruling ordering the release of 10 million California student records to attorneys suing the state, parents throughout California are anxious about their children's private information falling into the wrong hands.

So can they protect the data that could include everything from their child's address, Social Security number and records on mental health, discipline and test scores?

Not right now.

While concerned parents may file an objection in federal court to protest the release of their children's records, it's unclear what federal Judge Kimberly J. Mueller in Sacramento plans to do with the requests. Even if she approves them, the complexity of combing through the data means there's no guarantee that all seven huge state databases can be cleared of all information on children whose parents sought an exemption.

Mueller, a judge in the U.S. District Court for the Eastern District of California, is holding a hearing Monday inquiring into whether the California Department of Education followed her orders in posting information about the data release and how parents can file a protest. No date has been set for the data release.

It's the latest development in the acrimonious 5-year-old case, which has yet to go to trial. San Francisco Attorney Rony Sagy represents parents from Morgan Hill and elsewhere who contend the state has failed to ensure that special-needs children are receiving an appropriate education. Mueller ordered the unredacted data released after years of back-and-forth over the plaintiffs' request for records to prove their case. The judge is requiring the state to turn over data on all students in K-12 schools since January 2008.

"I can't believe that a judge would allow this to happen," said Sherri Taylor, a mother of three children in San Jose Unified School District. "My biggest concern is that as a parent I have no recourse."

IT professionals foresee a potential data catastrophe. They note that the data's release will make it a ripe target for thieves, because of its valuable content, sheer volume and destination: Sagy's office, which has not yet shown how it will secure the data.

"If this data is released, it will make its way into the wrong hands," predicted Pam Dixon of the World Privacy Forum, a San Diego-based public interest group. "The sophistication of hackers today is profound," she noted, with a lot of money to be made trading in student names, addresses and Social Security numbers.

Mueller has approved a plan for providing the databases and a briefly described security protocol.

Those precautions have underwhelmed IT specialists. The protocol loosely explains where the data could go _ to Sagy, her consultants, experts and others. "That isn't going to provide a very secure environment," said Renato Mascardo, chief technology officer for a San Francisco-based financial software company. He ticked off missing safeguards: basic definitions of information security, such as password length or encrypted traffic; prevention measures against hacking, tests for a secure environment. The protocol "lists emails as a viable form of communicating sensitive data, which is unheard of," he noted, because it's not secure.

Why do the parent groups need such a large database, and why isn't the judge insisting that sensitive information be redacted?

The plaintiffs say they seek to prove patterns and don't want personal information. "Our legal team gave many different scenarios in which actual databases would not have to be handed over," said Linda McNulty, who approached Sagy in 2008 to press the state to beef up special education oversight. She formed Morgan Hill Concerned Parents and a sister state group that together filed suit. All along, she said, the state has refused to cooperate.

In fact, earlier state education officials denied 62 of 63 plaintiff requests for data, calling them "vague, overbroad, burdensome and not proportional to the needs." Federal Magistrate Allison Claire noted that the state did not initially cite privacy concerns, nor even provide documents it didn't object to providing.

But state Department of Education spokesman Peter Tira said the state has acted to protect student privacy.

Two years ago, the judge became so exasperated with both sides that she fined each attorney $250 for not complying with her directives. She hired a "special master" to negotiate how to provide the data, and ordered the education department to pay for his services. Last year, the state provided a redacted version of its special education database; and McNulty said it was so blacked-out as to be useless.

Mueller's special master, Winston Krone of Kivu Consulting in San Francisco, who devised the data security protocol, refused to comment when reached by phone this week.

Even once the records are handed over and secured, "no matter what the security requirements are, a data breach can always happen, even with the best of intentions," said Beth Givens of the San Diego-based Privacy Rights Clearinghouse.

McNulty assures parents who call that fewer than 10 people will have access to the data.

"That's a ludicrous claim," said Dixon. The complexity of maintaining and analyzing the data will require many more people, she said.

Even the court's requirement that Sagy delete or return all data after use can't be ensured, IT professionals agree.

"Data is like toothpaste," said Danville parent and IT expert Steven Liao. "Once you squeeze it out of the bottle, people are going to put it on 10 different toothbrushes and scrub like crazy to see what they find. Then they're responsible for putting the foam back into the tube, and ensure there's no spray, not one dot, left on the mirror?

"That's impossible."

©2016 San Jose Mercury News (San Jose, Calif.), distributed by Tribune Content Agency, LLC.