Blumenthal: Education Dept. Must Comply With Identity Theft Law
Attorney General Richard Blumenthal asserts in an investigative report released this week that the State Department of Education (DOE) must take steps to comply with state law to protect employees from identity theft.
The report concerned a security breach within the state's Technical High School System (THSS). Mr Blumenthal's office investigated a complaint that in March 2006, a THSS employee disclosed the social security numbers of more than 1,200 teachers in an email sent within the school system.
In an emailed notice informing administrators of professional training opportunities for teachers, a THSS employee accidentally included a list of the names and social security numbers of 1,258 teachers. The email was sent to approximately 192 THSS employees.
Although the release was inadvertent and THSS acted quickly to address the situation, Mr Blumenthal said the DOE's use and protection of personal information was inconsistent with state law, specifically the Personal Data Act.
Mr Blumenthal said the DOE should directly notify all employees whose personal information was compromised, and implement a data protection policy.
To date, there are no complaints of identity theft related to the THSS security breach, but Mr Blumenthal said such security breaches can remain a threat indefinitely. Sometimes identity theft may occur a year or more after the actual security breach, when victims are assumed to be complacent.
"Releasing social security numbers – powerful keys to our financial worlds – creates a threat of lasting harm," Mr Blumenthal said. "Our Department of Education attempted to respond to this security breach promptly – but more imperative, immediate steps are required by law and common sense. Anyone at risk should be notified directly and immediately of steps available to protect against future identity theft. DOE employees so far appear to have escaped identity theft, but the threat remains once private personal information has been compromised."
THSS attempted to take immediate protective steps after the security breach was discovered, including directing recipients of the email to redact or delete the private information, and then confirm that these directions were followed.
The THSS warned teachers about the breach through its newsletter several months after the incident, but Mr Blumenthal said this indirect notice incorrectly stated "there appears to be no breach of security." This incorrect assertion may have implied that teachers had no cause for concern or need to monitor and protect themselves from identity theft.
Three days after the incident, the State Department of Information Technology (DOIT) removed the email from all accounts in the state's email system. Despite this effort, it is impossible to absolutely confirm whether the email was sent outside of the state system, Mr Blumenthal said.
Mr Blumenthal also said the DOE's continuing practice of using the last four digits of teachers' social security numbers to track their continuing education credits is inconsistent with the law.
The Personal Data Act requires all state agencies to adopt regulations describing the maintenance and use of all personal data kept by the agency. The DOE has drafted a data protection policy, but it has failed to finally approve or implement the policy – and should do so immediately.
Mr Blumenthal recommended the following steps:
* Provide teachers a written notice clearly and conspicuously advising them of steps they may take to monitor whether they have become victims of identity theft and to protect themselves from future identity theft. The notice should be provided directly to those teachers whose social security numbers were disclosed.
* Under state law, the DOE should immediately implement a comprehensive data protection policy. The policy should include the use of encryption, and eliminate the use of all or part of teachers' social security numbers to track their compliance with continuing education requirements.
