In Push For Data, Schools Expose Students To Identity TheftJoel Reidenberg in The Huffington Post, December 15, 2011
"Burdened Beginnings" is a series examining the problem of child identity theft. Other stories in the series can be found here.
In El Paso, Texas, a hacker broke into the computer network of a local school district, finding a database of about 63,000 students' Social Security numbers.
In Wake County, N.C., school officials accidentally mailed out about 5,000 postcards with students' Social Security numbers printed on the front.
And in Palatine, Ill., two laptops belonging to a state contractor were stolen from a car, divulging the Social Security numbers of nearly 8,000 special education students.
These three incidents of vital digits surrendered to the winds, among dozens in recent years, highlight what experts say is a growing vulnerability to identity theft among children. Across the country, schools have become conduits for children's pristine Social Security numbers, which are increasingly falling into the hands of credit-hungry identity thieves. The frequent data breaches have prompted calls for schools to stop collecting sensitive student data and have angered parents like Art Staehling, whose 14-year-old daughter, Jenna, was among 18,000 Nashville students who had their Social Security numbers accidentally exposed online for three months in 2009.
"They left the gate wide open," Staehling told The Huffington Post. "It's clumsiness. There's no excuse for it. If schools want that information, there should be some sort of penalty paid if they don't guard it with their lives. I haven't found a reason why they honestly need it."
Data breaches leave people six times more likely to become victims of identity theft, according to a survey this year by Javelin Research. Schools warn parents to monitor their children's credit after a data breach. But credit reports only turn up 1 percent of fraud on children's credit histories because thieves pair children's Social Security numbers with new names and birth dates, according to a study by Debix, which sells identity protection services.
The collection of students' Social Security numbers is the result of a campaign to more precisely track their progress. But privacy experts say there are less risky ways to identify students, accusing schools of needlessly exposing children to identity theft by gathering their Social Security numbers in central databases with lackluster security.
"This is making a much bigger honey pot for people with malevolent purposes to gain access to children's information," said Joel Reidenberg, a professor at Fordham University School of Law. "It's a meltdown waiting to happen."
Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.
Last year, more than 18,000 child identity theft complaints were reported to the Federal Trade Commission, compared with about 6,500 cases in 2003. The increase comes as the recession has left many Americans with more of a need for clean sources of credit, making the temptation to hijack a child's pristine record even greater.
But experts say figures on child identity theft are likely much higher because the crime often goes undetected for years. ID Analytics estimates more than 140,000 children are victims of identity theft each year, based on a one-year study of those enrolled in the firm's identity protection service. When child identity theft victims turn 18, they find their credit has been destroyed, preventing them from taking out loans or renting apartments.
The push for collecting student data began under the federal No Child Left Behind Act and was spurred by incentives in the 2009 stimulus package, which included about $250 million in competitive grants to help states develop student databases, according to Reidenberg.
But the U.S. Department of Education has warned schools not to use students' Social Security numbers in their databases, urging them instead to create other unique identifiers. Social Security numbers are "the single most misused piece of information by criminals perpetrating identity thefts," according to a technical brief issued last fall by the National Center for Education Statistics, the research arm of the U.S. Department of Education.
Yet the collection and use of students' Social Security numbers in K-12 schools remains "widespread," according to an audit last year by Patrick O'Carroll, the Social Security Administration's inspector general. His audit found students' Social Security numbers printed on transcripts, tests and athletic education forms.
One elementary school held a poster contest and required students to write their Social Security numbers on the back of their entries, according to the audit, which said schools were using the numbers "as a matter of convenience." Since 2005, there have been at least 40 data breaches of confidential student information at K-12 schools, O'Carroll found.
"We believe the unnecessary collection and use of Social Security numbers is a significant vulnerability for this young population," O'Carroll wrote. "Each time a student provides his or her Social Security number, the potential for a dishonest individual to unlawfully gain access to, and misuse, the number increases."
But students' Social Security numbers are useful for education policy by creating "enhanced analytical opportunities" for evaluating school curriculum, said Elizabeth Laird, a spokeswoman for the Data Quality Campaign, a nonprofit organization that encourages states to build student databases.
"The more important conversation is not whether states are collecting Social Security numbers, but how they are ensuring the privacy, security, and confidentiality of all personally identifiable information," Laird said in a statement. "We can't speak to how Social Security numbers are collected and stored at the local level," she added.
According to one survey, they are not stored very securely. Only half of K-12 schools use encryption to scramble sensitive data in case it falls into the wrong hands, according to a February survey of more than 100 IT employees at K-12 schools nationwide. Seventy-two percent cited budget constraints as the primary barrier to improving their IT security, according to the survey by Panda Security.
School districts in 26 states now ask for students' Social Security numbers. One of those states is Texas, where education officials need those numbers to connect K-12 records to higher education and workforce data, according to Debbie Ratcliffe, a spokeswoman for the Texas Education Agency.
Ratcliffe said the agency takes pains to protect sensitive student information, storing data behind firewalls and using other identifying information in most data sets. But last year, the agency asked eight Texas school districts to send confidential student information, including Social Security numbers, through the mail on unencrypted CDs for research purposes.
In March, Laredo Independent School District learned the CD it sent got lost in the mail, exposing nearly 25,000 current and former high school students to identity theft, according to the Texas Tribune. Ratcliffe told The Huffington Post that the request came from an agency employee who operated "way outside" normal protocol.
It was not the only school data breach in Texas this year.
In September, just one week after El Paso Independent School District said a hacker had breached its internal network with students' Social Security numbers, Beaumont school officials told parents that Social Security numbers belonging to an estimated 15,000 students were accidentally exposed online for nearly a year.
A few weeks later, the San Antonio Independent School District told parents that names and Social Security numbers of up to 360 students were mistakenly made visible through a Google search.
Still, the Texas Education Agency has no plans to stop asking school districts for students' Social Security numbers, Ratcliffe said.
"We have so many databases that use them that it would require quite a bit of change to make that happen," she said.
Yet concerns over child identity theft have prompted at least five states -- Nebraska, North Dakota, Washington, Maine and Wyoming -- to create policies that restrict the collection and use of Social Security numbers in K-12 schools.
North Dakota students are assigned a 10-digit ID number when they enroll that sufficiently tracks their performance, leaving no need for Social Security numbers, according to Jerry Coleman, director of school finance at the North Dakota Department of Public Instruction.
"To protect those Social Security numbers would be a hassle we don't need," Coleman said in an interview.
In Texas, like other states, parents can refuse to disclose their child's Social Security number, and the student would be assigned a different identifying number. Ratcliffe, of the Texas Education Agency, said most parents disclose their child's number anyway.
But privacy experts say, in most cases, parents should keep that information to themselves.
"When someone asks for your child's Social Security number, say no," said Aaron Titus, chief privacy officer for Identity Finder, which helps organizations protect sensitive data. "I have found about 90 percent of the time, when I push back a little bit, I get my way."