Wednesday, March 30, 2022

What Illuminate, NYC DOE & the NY State Education Department did wrong to enable one of the largest student data breaches in US history

Late Friday, in a weekend news dump, the NYC Department of Education revealed
that the personal data of about 820,000 current and former students who attended NYC public schools going back to 2016 had been breached from the programs known as Skedula and Pupil Path.  These programs were developed by NYC teachers, but are now owned by a company called Illuminate Education.

This was possibly the largest single-district breach in US history, according to Doug Levin, a data security expert who was quoted in the Daily News (though this Pearson breach, which affected multiple districts, was larger). There have also been articles in the NY Post and The Record about this hugely damaging breach.

According to these articles, Illuminate says that hackers gained access to the names, birthdays, race and ethnicities, home languages and ID numbers of current and former public-school students, going back to the 2016-17 school year, including, in some cases, their disability and free-lunch status.

If you are a parent whose child was affected by the breach, or you suspect your child might have been, here is a sample message you can send to DOE to try to find out what data Illuminate had access to for your child.  You can also reach out to us to let us know if you've heard anything from DOE or Illuminate about this, and/or email us at info@studentprivacymatters.org with any questions.

This seems to have occurred during the program’s extended shutdown in January, which we wrote about at the time, speculating that it might have been caused by hackers and could result in a data breach.  At that point, both DOE and Illuminate tried to tamp down concerns.  As the DOE spokesperson was quoted by the NY Post at the time, “We’re in close communication with Illuminate Education as they investigate and have been informed that so far there is no confirmation any of our schools’ information was accessed or taken.”

The Post added: “The company did not explain or return messages from The Post, but emailed principals Friday it is transferring the data to a ‘new secured environment,’” implying that the data had not previously been sufficiently secured.

I was quoted in the Post that teachers often use the system to record very sensitive information about a student’s emotional state or behavior, and to recommend counseling or other intervention services.  It is not clear at this point if those communications and records were breached as well.

Skedula was originally developed by NYC teachers, who started a company called Datacation that was later bought by IO Education, which in turn was purchased by Illuminate Education.  According to the NY Post, Illuminate has received more than $16 million from DOE in the last three years for the use of these programs.  Abram Jiminez, who was hired by ex-Chancellor Carranza to lead a school improvement office, previously worked at Illuminate and held stock in the company.  He was later forced to quit after the conflict of interest was exposed, along with other earlier scandals.

Now it turns out that not all the data held by Illuminate was properly encrypted, despite promises made by the vendor in its contractual agreements and as is required by the state student privacy law.  Pertinent language from the NYS student privacy law, Education Law Section 2-d, passed in 2014, is excerpted below:


Many years ago, I submitted a FOIL request, without success, for all the privacy agreements that DOE had with vendors who had access to student personal information, to see if these agreements complied with the state law.  I re-submitted the FOIL request in Sept. 2020, more than a year and a half ago.

After the breach late Friday, the DOE sent me a link to 960 pages of documents consisting of their privacy agreements with 19 vendors, including Illuminate.  Though lengthy, this is far from a comprehensive list, considering DOE contracts with literally hundreds of ed tech vendors whose products they encourage schools to use.

The Illuminate privacy agreements I received are now posted here, along with my comments.  They seem to require relatively strict security controls, including periodic risk assessments, a mutually agreed upon risk mitigation plan, the right for DOE to review all incident response reports, and the right to request an SSAE16 report from the vendor (which I believe means a security audit).

Moreover, Illuminate also “shall allow DOE, upon reasonable notice, to perform security assessments or audits of systems that handle or support Confidential Information. Such an assessment shall be conducted by an independent 3rd party agreed upon by the Vendor and the DOE.” In addition, vendors must engage an independent company to assess the security of their systems annually and produce audit logs for all systems that manage private information.

At this point, it is unclear if the vendor complied with any of these mandates, or if DOE ever asked them to do so, even after the January outage occurred.

In addition, the vendor was required to inform DOE of any suspected breach within 24 hours, rather than waiting for months, as it did in this case.

There is some evidence to suggest that the breach may have occurred when the data was being transferred from a Google cloud to an Amazon cloud. See pp. 34-35 for the question and response by Illuminate on the issue of where the personally identifiable student information (PISI) was stored:

 


This evasive language suggests that at least some of the data was initially stored on an insecure Google Cloud, possibly outside the US; Illuminate never answered the question of where it was located.

The following passage implies that migrating data “in bulk” is risky, and that if this is attempted, it must be approved in advance by DOE InfoSec:

 

Did DOE approve this data transfer?  Did they ask any questions about the Google cloud referenced above?  If DOE did not do its due diligence to follow up on any of these issues, either when the contract was signed or especially after the January cyberattack occurred, it is nearly as much at fault as Illuminate.

There is also evidence from this document that DOE profoundly misunderstands FERPA, the primary federal law that protects student privacy.  They write the following:

 

Yet FERPA actually regulates the behavior of districts and schools, not vendors.

Instead, it is DOE that is responsible for withholding any and all student information that Illuminate did not need to perform its contractual obligations, including the highly sensitive student disability and free-lunch status data that ended up being hacked.

Also, the DOE should have made clear in the contract that all student data should be destroyed, not just when the contract lapsed, but annually, or at the very least, when students left the system, which clearly did not happen.

In any case, it is clear from the law and these documents that the vendor can and should be fined as much as $8 million for delaying notification of this breach, have its contract immediately revoked, and face further fines and possible criminal penalties for lying about having encrypted the data.

Chalkbeat ran an article yesterday about what parents can do to protect their kids from identity theft at this point.  More advice here from JD Supra. Kids’ data is especially vulnerable to identity theft because they have no credit history; current estimates are that this affects one in every 50 children and costs families nearly $1 billion a year. Usually, districts or the vendors themselves sign parents up for free identity-monitoring services from companies like Experian. Unfortunately, in order to sign up, parents have to provide these companies with even more personal data, and these companies have experienced data breaches of their own.

Sadly, there is really no recovering from the harm of having your child’s personal data spilled out on the internet.  The most important lesson to take from this tragic incident is to make sure that DOE cleans up their act in the future by taking the following precautions:

1- DOE should minimize data sharing with third-party vendors – instead of encouraging schools to sign up with hundreds of these data-gobbling ed tech companies, as they have done.

2- DOE should minimize the amount of personal data shared with each of their vendors, restricting this disclosure to ONLY what the vendor needs to perform its contracted services, rather than giving unlimited access, as seems to have happened here.

3- In their contracts, DOE should require vendors to delete student data from their records annually, and certainly once the student has graduated or left the system.

4- DOE must provide rigorous oversight to ensure that their vendors perform and provide the independent security analyses, reporting, and audits required, including proof of encryption, and if they do not, cut them off immediately, fine them to the maximum, and bar them from all future contracts.

5- Finally, the State Education Department should strictly enforce all the provisions in the state law, which still has not happened, despite the fact that the law was passed in 2014.

If you are a parent whose child was affected by the breach, or you suspect your child might have been, here is a sample message you can send to DOE to try to find out what data Illuminate had access to for your child.  You can also reach out to us at info@studentprivacymatters.org with any questions, and let us know if you've heard anything from DOE or Illuminate about this.

 

Sunday, March 27, 2022

Latest Talk out of School: How parents can navigate the frustrating special education system in NYC public schools

 

On the latest Talk out of School podcast, aired on WBAI on Saturday, I gave a brief summary of the very eventful week just past.  

Then I interviewed Jennifer Choi and Rachel Ford, NYC parents and co-founders of Special Support Services, about what happened to kids with special needs last year during the height of the pandemic, how parents can navigate the complex and frustrating system in NYC to better ensure that their children with disabilities receive the services they are legally entitled to, and what suggestions they have for changing the overall NYC system, which has frustrated so many parents with long delays.

Some resources we mentioned are below.  Past episodes of Talk out of School are here.

Resources

Class Size Matters report shows significant declines in citywide class sizes that will increase once again if Mayor’s budget cuts are made, March 20, 2022

Class Size Matters testimony at the Council education budget hearings, March 21, 2022 

COVID Case Counts More Than Doubled in Public Schools Since Last Month, DOE Data Shows, The City, March 23, 2022

NYC education panel breaks with city to reject $82M contract,  NY Post, March 24, 2022

Personal data of 820,000 NYC students compromised in hack, NY Post, March 26, 2022

Special Support Services website

NYC DOE Special Education Standard Operating Procedures Manual   

NYC DOE IEP Translation Unit

How To Make Parent Support line P311 Work For Your Child

Jennifer Choi testimony at NYS Senate & Assembly hearings on School Governance,  March 4, 2022

Surge of complaints by parents of special education students sparks ‘crisis’, Chalkbeat, May  28, 2019 

NYC vows to address special education failures detailed in state review. But will their reforms go far enough?, Chalkbeat, July 9, 2019 

NYC Special Education Complaint Backlog Grows — Even as Some Hearing Officers Twiddle Thumbs, The City, Nov. 15, 2021

Tuesday, March 22, 2022

How another sketchy contract to be voted on tomorrow by the Panel for Educational Policy highlights the need for more financial accountability in the current system


Update Wed. night at 8:30 PM:
Amazingly, the PEP voted down this contract, only the 2nd time in its history.  "The vote was 6 yes, 5 no votes & 3 abstentions; the resolution does not pass." Tom Allon, a mayoral appointee, voted no, as did the new Manhattan appointee Kaliris Salas Ramirez, the new Brooklyn appointee Tazin Azad, the Bronx appointee Geneal Chacon, and Tom Shepherd, the CEC appointee. Mayoral appointee Alan Ong abstained, as did the Queens appointee Deb Dillingham and the Staten Island appointee, Jaclyn Tacoronte. More on this here.

Update later in the afternoon on March 22: since I posted this a few minutes ago, the Mayor's office has announced his nine appointments.  The newly announced member (presumably replacing Joe Belluck) is Dr. Vasthi Acosta, the executive director of Amber Charter Schools. There are several appointees connected with charter schools, and I am quoted in the NY Post about why this is problematic.

Tomorrow, Wed. March 23 will be the second meeting of the NYC school board under our new mayor, Mayor Eric Adams. Since Mayoral control was instituted in 2002, the board has been composed of a super-majority of Mayoral appointees. 

At that time, it was renamed the Panel for Educational Policy (PEP) by then-Mayor Bloomberg, though according to state law it is still officially called the NYC Board of Education. Among the Panel’s duties is to approve Department of Education contracts, with many inflated and wasteful contracts rubber-stamped over the last twenty years. Only once in its history has it voted down a contract: last year, when a majority of members voted in the midst of the pandemic not to approve a contract to Pearson for the test given to four-year-old students to be admitted into NYC’s controversial gifted program. 

Even though the law requires monthly meetings of the PEP, the Chancellor cancelled the January meeting.  Eight new members appointed by the Mayor participated in the February meeting, though their names and contact information are still not posted on the relevant PEP page. Instead, the names listed there still include the eight members appointed by de Blasio, who vacated their posts at the end of December. The identities of the new appointees can be found in the minutes of the February meeting, though without contact information or biographies.

The ninth member who was slated to be appointed by the Mayor in February was Joe Belluck, an attorney who is also the chair of the SUNY committee that authorizes charter schools. Belluck withdrew his name right before the meeting. This was presumably due to conflict-of-interest issues, given that charter schools take away valuable public school space through co-locations approved by the Panel, and now cost the DOE budget more than $2.6 billion dollars annually. (Full disclosure: my organization, Class Size Matters, put out a press release against Belluck’s appointment the day before he withdrew.) 

The new schools Chancellor David Banks, also appointed by the Mayor, has repeatedly said he wants to save money by cutting waste and the bureaucracy. Among the many contracts the Panel will be voting upon at tomorrow’s meeting is one for a company called 22nd Century Technologies, at $16.5 million per year, renewable for five years at a total of $82.5 million. The contract is listed as “Recruiting and Staffing Services for Temporary Professionals.” This company, the contract proposal says, will be paid to hire “consultants in a wide range of disciplines across DOE schools, central offices, and/or NYCDOE Borough/Citywide offices” and will be “responsible for identifying, processing upon selection, and managing the consultants it recruits and those referred by the DOE.” The company will charge “markup fees of 17.35% and 22.50% for DOE-referred and vendor-recruited consultants, respectively.”

There is little detail about what these consultants will actually be doing, except that they will be “used in a wide variety of areas including special education, curriculum design and development, all of which are needed to ensure the successful execution of several temporary DOE projects or needs.“ The mention of curriculum design may relate to the Mosaic curriculum, which was initially being developed by “a team of administrators and teachers … during their off hours”, according to the Daily News, but whose roll-out has been delayed. Of the $16.5 million being paid to this company, the document says nearly half will go to “supporting work that is legally mandated specialized expertise” and “supporting stimulus projects” – which I assume means federal stimulus funds, without identifying what this expertise or these projects involve.

The reason for hiring consultants, the document claims, is “because consultants are better suited to complete short-term tasks for schools and/or offices, instead of using full-time DOE employees.” Even if the use of consultants is advisable in this case, there is no reason why the DOE should not hire consultants directly, rather than pay another company to hire and manage them, with a markup of 22.50% or 17.35%, the latter if DOE officials recruit these consultants themselves. In any case, we can expect that the mayoral appointees will rubber-stamp this contract as they have in the past, with few if any questions asked, and no discussion of larger issues.

The DOE has lost millions in fraudulent contracts since Mayoral control was instituted in 2002. Just some of them are recounted in my City Council testimony from 2011. What this testimony doesn’t include is what happened four years later. In 2015, along with then-Public Advocate Tish James and CM Danny Dromm, we blew the whistle on a proposed $1.1 billion five-year contract, renewable at $2 billion, that was supposed to be awarded to Custom Computer Specialists, a computer wiring company that had been involved in a kickback scheme just a few years before. The PEP approved this contract anyway, with a vote of 10-1, but as a result of the ensuing scandal, City Hall kicked it back, and the contract was rebid and awarded to several different companies at a far reduced price of $472 million, with savings to the city of between $163 million and $627 million.

Another result of the CCS scandal was that DOE promised from then on to publicly post all prospective contract requests for authorization at least 30 days in advance, to allow for more scrutiny by Panel members as well as improved independent oversight. As Juan Gonzalez wrote about this result in the Daily News: “Tweed will even post information on all bids on its website 30 days before the scheduled vote by the panel, and has committed to do the same with other contracts.” Yet the DOE stopped doing this in April 2020 – nearly two years ago.

According to a New York state education law passed in 2005, all school board members must receive at least six hours of training in financial oversight, accountability, and fiduciary responsibilities. There is an exception in the law for NYC, but only if the chancellor annually certifies to the commissioner in writing that the training they provide “meets or exceeds the requirements of this section.” Yet PEP members have told me privately, and have been quoted in the media saying, that they have received only minimal training in financial oversight – much less than the six hours that the law requires.

I recently filed a Freedom of Information request to the State Education Department for a copy of the annual certification from the NYC Chancellor, attesting that the training provided to PEP members was compliant with the law, for the years 2019, 2020 and 2021. I received a response from NYSED that they had received no such certification.

This is one of the reasons that, in my recent testimony before the State Legislature on Mayoral control, I strongly recommended that the governance law in NYC be amended to require that the City Comptroller’s office take over this important training responsibility. The DOE has gotten in trouble before when hiring companies to manage consultants – in the case of the Ross Lanham scandal, in which Custom Computer Specialists was also involved and millions were fraudulently charged to DOE for a different computer wiring scheme, as detailed in a report from the office of the Special Commissioner of Investigation and in the indictment by then-US Attorney Preet Bharara. Apart from the money stolen, this scandal cost NYC more than $100 million in federal E-rate funds.

This may not happen in this case. But if the Chancellor is concerned about cutting down on waste and bureaucracy, this is a strange way to go about doing it.

Sunday, March 6, 2022

Why Friday's hearings on Mayoral control were the best in twenty years -- and what was said about the need for smaller classes & more fiscal oversight


I’ve testified at countless mayoral control hearings since it was instituted nearly 20 years ago. Yesterday’s joint Senate and Assembly hearings far surpassed any of them.  You can watch the video here. Sorry to say there were very few news stories about it, because most of the education reporters were covering the Mayor's announcement about lifting the mask mandate in schools.  It was their loss, since the questioning by legislators was sharp and had a new seriousness about it, and the testimony from parent leaders was passionate and incisive.

In recent years, the opposition to Mayoral control has grown, here in the city and nationwide.  As I point out in my testimony, the system has never been popular among average voters.  But the evident dysfunctionality of the system and the way it allows autocracy to override the wishes of parents and the needs of children, no matter who is Mayor, is now more widely recognized.  Many districts such as Detroit and Newark that once suffered under mayoral control, or worse, state control, have returned to an elected school board, and Chicago will soon do so.

This was the first time in my experience that influential legislators seemed really intent on making improvements to the law.  Sen. John Liu, chair of the Senate NYC Education Committee, and Sen. Shelley Mayer, chair of the NY State Senate Education Committee, along with Assemblymembers Harvey Epstein and Jo Anne Simon, closely questioned Chancellor Banks about what changes could be made to ensure that parents have a real voice in the system.  Yet he seemed strangely unprepared for their pointed questions.


After a brief appearance by Mayor Adams, who was driving in his car but didn't have time to answer any questions, Chancellor Banks said that the DOE had brought down school Covid positivity rates from 16% at the beginning of January to below 1% now, which he claimed was a "direct result of Mayoral Accountability."

Yet as was widely reported, Omicron exploded in our schools, with tens of thousands of students becoming infected in January and DOE's safety protocols recognized to be largely ineffective.  The Omicron surge rose and fell on its own in our schools, as it did nearly everywhere else in the city and indeed the nation, and this had nothing to do with any new measures put in place by the Adams administration. Indeed, as I pointed out in a tweet, the schools in Los Angeles have put in place far more effective Covid vaccine and testing protocols, and their schools are governed by an elected school board.

Banks also claimed he would be a far different kind of Chancellor than those who preceded him, because he himself had gone through the public school system.  Unmentioned was that Joel Klein attended NYC public schools as well, and we know how little respect he showed parent and community views and priorities.

Banks promised that he intended to collaborate closely with the parent-led Community Education Councils.  But when AM Epstein asked him what he thought of any of the numerous specific improvements to Mayoral control that the CECs have proposed in many resolutions, Banks admitted he hadn’t read them.

Senator Shelley Mayer followed up by asking whether he would agree to any specific changes to the law to ensure parent input is taken seriously.  Banks then turned to Deputy Chancellor Weisberg to ask "Dan do we agree with any changes?" Weisberg, who was himself high in the DOE leadership structure for six years under Chancellor Klein, said no.

There was also much discussion on the failure of the DOE to put any effort into reducing class size during the twenty years of mayoral control -- even though this is a critical reform proven to help students learn, especially students of color.  Smaller classes are also the top priority of NYC K12 parents every year on the DOE's own parent surveys.


The topic of class size was first introduced  by Sen. Robert Jackson, the original plaintiff in the Campaign for Fiscal Equity lawsuit, which after many years of advocacy, is finally bringing more than $1.3 billion in additional state funds to NYC schools. Yet the administration plans to invest none of these funds in lowering class size, though the city's excessive class sizes were a central issue in the lawsuit and the court's decision that our students were deprived of their right to a sound, basic education.  The topic of class size was also mentioned by AM Jo Anne Simon and some other legislators. 

Sen. Jackson repeatedly threatened that he would hold back state funding if the DOE refuses to lower class size, as outlined in his bill S6296A and its Assembly counterpart, A7447A, sponsored by AM Simon. Jackson also implied that his support for continuing mayoral control was at risk due to DOE negligence on the issue, and that in any case he would not support an extension of more than two years.

When asked what were their plans in terms of class size, Banks again deferred to Weisberg, who said that class sizes had already decreased this year, partly because of enrollment decline - which is true. Though I hadn’t commented on the issue in my written testimony, when I had a chance to testify in the afternoon, I pointed out that if the city's proposed budget cuts to schools are adopted, amounting to nearly one billion dollars over three years, class sizes will quickly increase to their former levels. 


In response to Jackson's questions, both UFT President Michael Mulgrew and CSA President Mark Cannizzaro agreed that lowering class size was critical; Cannizzaro added that to do so, the Fair Student Funding (FSF) formula that is the main source of every school's funding must be altered, since it is aligned to large classes.

In my oral testimony, I pointed out how the FSF Task Force created by the City Council in 2018 had never released their report, because its members pushed for revising the formula to allow for smaller classes, but the Mayor's office under de Blasio had stifled their concerns, by refusing to allow the issue to be mentioned in the report.

Another problem that both Mayor Adams and Chancellor Banks encountered is a glaring contradiction in their rhetoric.  Both repeated their now-familiar refrain about how terrible our schools are, especially for Black and brown kids. But of course, if true, this failure persists after twenty years of mayoral control - the very system that they claim is necessary to solve the problem.

Banks tried to get around this evident contradiction, by testifying that all the deficiencies exhibited by our schools are the result of the system that earlier prevailed, more than twenty years ago: "We are still dealing with the remnants of the past world before Mayoral Accountability was adopted.  Corruption, patronage, and inequity ruled the day, and our students suffered greatly.  That is evident in some of the glaring disparate outcomes we still see, especially for communities of color."

Yet this argument didn't seem to be particularly convincing to the legislators.  In fact, in the first five hours or so of the hearings, while I was still watching, only one of them, Senator Luis Sepulveda from the Bronx, expressed strong support for continuing the current system for another four years.  A four-year extension is what Gov. Hochul has proposed and of course what Adams and Banks would prefer.  The attitude of the other legislators seemed to range from slight skepticism to clear opposition, at least during the portion of the hearings that I was able to observe.


Moreover, the parent leaders who spoke were nearly unanimous in their criticism of the way in which mayoral control had allowed their voices to be ignored and the needs of their community's public schools to be trampled upon, by both Bloomberg and de Blasio.  Their testimonies were tremendously compelling,  and in their combined impact, overwhelming.  I hope you watch them here. There was only one parent among the scores who spoke during the first five hours who said she supported the current system to any degree: Yiatin Chu, the co-chair of PLACE,  and even her co-chair, Lucas Liu, appeared to disagree. 

My brief oral comments are at about 4 hours and 46 minutes into the video, and focused on two issues: class size and fiscal accountability.  In my written testimony, I detailed and supported many of the changes proposed by the Education Council Consortium and the CECs, including a reconfiguration of the Panel for Educational Policy so that the mayor no longer appoints a majority of members, and a requirement that the DOE be made subject to local laws passed by the City Council.  Currently, unlike for every other city agency, the City Council can pass laws regarding education only in the area of requiring more DOE reporting, not in any policy area.  I also spoke about the need for stronger fiscal oversight by the Panel for Educational Policy, which every month routinely rubber-stamps many wasteful contracts worth hundreds of millions of dollars, with insufficient scrutiny, sometimes even those awarded to vendors who had previously been shown to be corrupt.

To address these glaring problems, I proposed that the NYC Comptroller be able to appoint a non-voting PEP member, who could provide expert counsel on contracting and other financial matters.  I also proposed that the Comptroller be responsible for training the PEP members in financial oversight, accountability, and fiduciary responsibilities.  According to state law, all Board of Education members are supposed to receive at least six hours of such training; and yet PEP members have publicly said that the training they receive is insufficient and minimal at best.

The state law does include a provision that the DOE is exempt from these requirements, but only if the Chancellor certifies annually in writing to the State Education Department that the training that PEP members receive is at least as rigorous as the law requires.  Yet after I FOILed the State for these written certifications, NYSED said they hadn't received any in at least the last three years.