Connecticut Department Of Education Told to Comply With Identity Theft Protection Law

"DOE employees so far appear to have escaped identity theft -- but the threat remains once private personal information has been compromised."

Connecticut Attorney General Richard Blumenthal stated in an investigative report released last week that the state Department of Education (DOE) must take steps to comply with state law to protect employees from identity theft.

The report concerned a security breach within the state's Technical High School System (THSS). Blumenthal's office investigated a complaint that in March 2006 a THSS employee disclosed the social security numbers of over 1,200 teachers in an e-mail sent within the school system.

In an e-mailed notice informing administrators of professional training opportunities for teachers, a THSS employee accidentally included a list of the names and social security numbers of 1,258 teachers. The e-mail was sent to approximately 192 THSS employees.

Although the release was inadvertent and THSS acted quickly to address the situation, Blumenthal said the DOE's use and protection of personal information was inconsistent with state law -- specifically the Personal Data Act.

Blumenthal said the DOE should directly notify all employees whose personal information was compromised, and implement a data protection policy.

To date, there are no complaints of identity theft related to the THSS security breach, but Blumenthal said such security breaches can remain a threat indefinitely. Sometimes identity theft may occur a year or more after the actual security breach, when victims are assumed to be complacent.

"Releasing social security numbers -- powerful keys to our financial worlds -- creates a threat of lasting harm," Blumenthal said. "Our Department of Education attempted to respond to this security breach promptly -- but more imperative, immediate steps are required by law and common sense. Anyone at risk should be notified directly and immediately of steps available to protect against future identity theft. DOE employees so far appear to have escaped identity theft -- but the threat remains once private personal information has been compromised."

THSS attempted to take immediate protective steps after the security breach was discovered, including directing recipients of the e-mail to redact or delete the private information -- and then confirm that these directions were followed.

The THSS warned teachers about the breach through its newsletter several months after the incident, but Blumenthal said this indirect notice incorrectly stated that "there appears to be no breach of security." This incorrect assertion may have implied that teachers had no cause for concern or need to monitor and protect themselves from identity theft.

Three days after the incident, the State Department of Information Technology (DOIT) removed the e-mail from all accounts in the state's e-mail system. Despite this effort, it is impossible to absolutely confirm whether the e-mail was sent outside of the state system, Blumenthal said.

Blumenthal said the DOE's continuing practice of using the last four digits of teachers' social security numbers to track their continuing education credits is also inconsistent with the law.

The Personal Data Act requires all state agencies to adopt regulations describing the maintenance and use of all personal data kept by the agency. The DOE has drafted a data protection policy, but it has failed to finally approve or implement the policy -- and should do so immediately.

Blumenthal recommended the following steps:
  • Provide teachers a written notice clearly and conspicuously advising them of steps they may take to monitor whether they have become victims of identity theft and to protect themselves from future identity theft. The notice should be provided directly to those teachers whose social security numbers were disclosed.
  • Under state law, the DOE should immediately implement a comprehensive data protection policy. The policy should include the use of encryption, and eliminate the use of all or part of teachers' social security numbers to track their compliance with continuing education requirements.