Florida's Auditor General Focuses On Student Data Protection
Florida is cracking down to ensure school districts, state colleges and state universities are protecting students' Social Security numbers.
In the past two years, state auditors have found that at least one-third of education employees who had access to student Social Security numbers did not need it to do their jobs. Two-thirds of Florida school districts, colleges and universities were giving too much access to these numbers, a Fresh Take Florida analysis of the audits found.
The audits with a focus on student data protection have so far been completed in counties large and small, from Palm Beach to Franklin County and 48 others in between. Florida’s Auditor General also reviewed 25 state colleges and 10 state universities during that time period.
Among those employees found to have too much access were a bus driver in Highlands County and a lunchroom manager in Hillsborough County.
State audits released from fall 2017 onward show a particular focus on whether administrators at the districts, colleges and universities were properly monitoring access.
Auditors found millions of records with Social Security numbers held by Florida educational institutions. More than 22,000 employees or contractors had access to these records. Nearly half of those employees had their access revoked after the auditors showed up to review the school districts, colleges or universities.
“School districts should maintain records to justify whether such employees need occasional or continuous access to that information and only provide the necessary access,” Deputy Auditor General Gregory Centers said.
Multiple colleges and universities also collect Social Security numbers from prospective students, but its system also keeps the numbers of students who apply and do not attend. In its response to a 2018 state audit criticizing that practice, Seminole State College of Florida’s administration said it would be too expensive to differentiate between the Social Security numbers of students who never attended and those who did.
“The more access that you make available,” Stephens said, “the greater the risk becomes.”
There’s also a risk of legal liability, according to Miami attorney and privacy expert Alfred Saikali.
“You know what the plaintiff’s lawyer is going to argue?” Saikali said. “If you're dealing in plutonium, like highly sensitive personal information... then you have an obligation to make sure that that information is protected, and that you are adopting the appropriate safeguards.”
In most states, including Florida, a breach occurs when a thief steals both a Social Security number and a person’s name. The thief can then use that data to apply for loans, credit cards and other benefits in that person’s name — usually resulting in damages to the victim’s credit score. Florida law requires organizations to notify consumers when their information has been stolen.
The penalties can be steep for the organization that allowed a thief to access sensitive data.
“When a Social Security number is breached, fines can equate to hundreds if not thousands of dollars per record,” said Robert Siciliano, chief executive of Boston-based safr.me, a company that sells services to protect consumer information.
Students are one of the age groups least likely to know when their Social Security number was breached. It often takes months or years before unpaid creditors or defrauded merchants contact the Social Security number's real-life owner demanding payments.
School districts collect the numbers for Internal Revenue Service tax deduction verification, financial aid and student authentication. If a college student doesn’t need financial aid, privacy experts say there’s no clear reason why a college should collect and keep their Social Security number.
At the district level, the issue can be particularly difficult to remedy.
Hamilton County is one of the smallest and poorest districts in Florida. In March 2018, state auditors told the Hamilton County School District to reduce access to Social Security numbers. The same access problems, however, remained in Hamilton County in an audit released last month.
Hamilton officials are now looking into changing the access to current and former students’ sensitive information.
Schools are generally not as sensitive to personal privacy threats as some other business sectors that are more highly regulated, such as banks or hospitals.
“Other industries such as the financial industry, medical industry — they've been all about data privacy, because those industries have been targets for so many years,” said Carrie Kerskie, chief executive of Griffon Force, a Naples company that helps identity theft victims recover from fraud incidents. “Now, it's carrying over into education.”
When a breach occurs, companies and public entities can be sued for negligence in failing to adopt proper security measures. Plaintiffs can ask to have the defendant pay for their credit monitoring and time spent helping to respond to any identity theft.
“They've tried to recover money for mental anguish, as a result of having them worrying about what's going on with (their credit record),” Saikali said.
Sovereign immunity makes legal remedies more complex, as it limits the amount of money that plaintiffs can recover in certain cases, such as a student being affected by an employee leaking or stealing millions of Social Security numbers.
Data breaches in the education sector have occurred nationally and in Florida.
In 2016, the University of Central Florida had 63,000 Social Security numbers compromised. Its system contained the Social Security numbers and names of former and current UCF students and employees, and five of them filed suit. The university settled the suit by promising to spend $1 million more each year to better protect the information.
A settlement is also expected soon in a 2017 case from the Miami-Dade School District, where two students found their Social Security numbers, test scores and personal information posted online, along with that of hundreds of other students.
Students and parents can find peace of mind by placing a credit freeze on their credit report. The freeze prevents new loans from being opened under a student’s name without their knowledge. A credit freeze is free no matter the person’s age.
Florida law also allows students and parents to decline to provide their Social Security number when a school requests it.
This story was produced by Fresh Take Florida, a news service of the University of Florida College of Journalism and Communications.