UPDATED: August 16, 2017

Data breaches happen. Some argue they are even inevitable. Given that K-12 school districts – along with state and local governments – are increasingly relying on online tools and services to conduct business and provide services, there is no reason to believe that the K-12 education sector is or will be immune to these larger and concerning IT trends.

Yet, as bad as a data breach can be, when breaches happen it is how organizations – including schools and school vendors – respond to and communicate about them that will be remembered. While it is understandable for an organization that has suffered an unauthorized data breach to want to minimize communications about what happened and why, including even deflecting any responsibility they may have had in the disclosure of sensitive information, this is often bad advice. Indeed, experts are increasingly counseling organizations on best practices in data breach response, including encouraging organizations to train for and practice those responses.

Done well, a data breach response can help organizations to shore up cyber security policies and practices and to increase the trust that stakeholders and customers have in an organization as a steward of sensitive information. Done less well, a data breach becomes an ongoing news story that can capture the public’s attention for weeks or more, leading to speculation about what actually happened and why. An organization’s tarnished reputation can suffer even more harm, making it very difficult to re-earn the trust of stakeholders – and rightfully so.

Which brings us to Texas…and specifically the Texas Association of School Boards.

On May 22, 2017, the Texas Association of School Boards (TASB), a private, nonprofit membership organization which claims all 1,030 Texas school districts as members, discovered that they had inadvertently posted the names and social security numbers of Texas school employees publicly on the internet.

More than two months since the breach was first discovered and more than one month since TASB publicly acknowledged the breach, media are still writing original stories about the breach. Why?

Because there remain fundamental questions about what happened and why. For instance:

How many current and former Texas school employees were affected by this breach?

We don’t know.  

Who was responsible for the breach and how was it discovered?

We don’t know.

For how long was Texas school employee data publicly posted online?

We don’t know.

Have all affected current and former Texas school employees been notified of the breach?

We don’t know.

As of August 16, 2017, news reports (including the dates they were published, the districts involved, and the numbers of employees affected by the TASB breach) are known to include:

** Updated since original blog post of August 12.

Across the 12 news stories/reports, an unspecified number of current and/or former employees of 38 different Texas school districts are now known to have been affected by this breach. Given that TASB serves all 1,030 Texas school districts and that the breach involved current and former school district employees, the potential magnitude of this breach could be very large – and much larger than reported to date. And, every new article seems to include new information about the parties affected by the breach…which is pretty much the opposite of how experts counsel organizations to respond.

This should be a cautionary tale to others in the K-12 education sector who suffer a data breach. It certainly is not a good news story about TASB or for Texas educators, but hopefully others will be able to benefit from the lessons learned about this incident and the response.

At least, that is my hope and the reason for this post.