The Public Disclosure Conundrum

If a tree falls in the forest and there is no one there to hear it, does it make a sound?

The K-12 Cyber Incident Map only reports on K-12 cybersecurity incidents that have been publicly disclosed. While that may seen somewhat self-evident, we do occasionally learn of incidents that have not (yet) been brought to light in their school communities. While those undisclosed incidents may influence our understanding of the threats and challenges facing school districts, they are not reported in our statistics.

An open question remains as to what proportion publicly-disclosed incidents are of the total number of actual incidents experienced by school districts. While one could argue over the appropriate threshold for an incident to qualify as significant, based on anecdotal evidence there could easily be 10-20 times more incidents being experienced by school districts than are ever reported on the K-12 Cyber Incident Map.

Presuming a school cybersecurity incident has occurred, what may lead it to being publicly-disclosed in the first place? After all, a public disclosure of an incident could be percieved as a failing of a school district, as something that may lead to uncomfortable questions about school district management and the care of duty they exhibit for the sensitive data in their data systems.

First, the school district itself must be aware that an incident occurred. Indeed, it is reasonable to assume that schools experience some proportion of incidents that are not identified for long periods of time (or ever). Especially in cases of unauthorized access to data, data breaches, and manipulation of data – e.g., to grades, school absences, and/or lunch balances – those intrusions may only be detected if IT security staff have the time, tools, and motivation to do so.

Second, the school district may act on a legal obligation to disclose an incident. There is no baseline federal requirement for the disclosure of school cybersecurity incidents. State laws generally address disclosure requirements of only one specific type of incident: data breaches. However, state data breach disclosure mandates may not cover public entities (like school districts), may not require public disclosure (vs. reporting to a state agency, such as a state attorney general or state department of education), and/or may exempt certain disclosures of personally identifiable information, depending on its classification (e.g., as directory information under FERPA) or the number of individuals involved in the breach. Finally, some disclosures may be required by open meetings laws governing school board meetings, e.g., for the approval of contracts for cyber incident remediation or the payment of ransomware extortion fees. In such cases, district leadership may still be able to avail themselves of bureaucractic mechanisms to obscure the scope and severity of incidents in public forums.

Third, journalists who cover education may research and write articles about school cyber incidents, which they become aware of via social media, security researchers, or tips from other school community members. In such cases, journalists are serving a critical function of keeping their audiences informed about news and events that affect them. For all of the value journalists bring, however, school employees and students/families cannot and should not have to rely on journalists to be kept apprised of school cybersecurity incidents in a timely manner.

The not atypical story of Mansfield City (OH) Public Schools (“I-Team: Mansfield school computers hacked, but parents not informed“) is illustrative:

MANSFIELD, Ohio (WJW) — The FOX 8 I-Team has uncovered a big secret kept from parents in the Mansfield City School District. Hackers got into the school computer system months ago, but parents say they are just now hearing about it from the I-Team.

Monday, we showed up at the office of the School District’s lawyer. Andrew Burton greeted us with, “I don’t know why you’re here.”

We told him we went to see him to have a conversation about the hacking. We had gotten nowhere on the phone last week with the district.

Burton referred to, “The hacking…or whatever.” He then refused to explain exactly what the hackers had done and how the district responded.

He answered questions on the phone with phrases including, “I’m not at liberty to discuss that,” and, “I can’t answer that question directly.”

Yet, when we then saw him in person, he quickly scrambled away from our camera. Burton said, “My client will have a statement. I have nothing else to say to you.”

Parents we spoke with outside Malabar Intermediate School told us the district had not announced anything about any hacking, and they found that alarming.

“It’s concerning. I have to hear from a news reporter. I wish the district would have notified us,” said parent Leona Smith.

The I-Team then requested internal school district records. The district sent us nearly 700 pages, mostly duplicates of small portions of emails. They refer to a “cyber incident,” “security breach,” a “computer compromised,” and more.

But, mostly we reviewed page after page of heavily blacked out documents. More secrecy.

Behind all of that, we noticed the district hired a computer security company involved in “incident response.” A website shows that company services offered include “ransomware negotiation and payment.”

A check shows the district paid that firm $10,000. But, we’re told, the district insurance company paid all other costs related to this.

Parents wonder if the hackers found out anything about their families?

The Mansfield Superintendent also is not commenting.

The district’s lawyer also pointed out in an email that the school system only has to follow the law to provide records, not information.

To taxpayers, that’s a slap in the face, especially after the way the district gave us records heavily blacked out.

Only after this initial report did the district issue a statement:

No Title
No Description

While there may be legitimate reasons to briefly delay the public disclosure of incidents – or to exempt certain types of information from such disclosures – the only interests served in never disclosing such an incident is that of current school district leadership. It is hard to not feel sympathetic in this case for the families and school employees of Mansfield City Schools.

Absent meaningful disclosure:

How can school employees, students, and their families take steps to protect their identities, credit records, and access to online services and accounts if they aren’t informed of a breach? How can they be made aware that they may be targeted by more realistic seeming phishing attacks since their data was exposed?
How can school board members ensure adequate investments are being made to secure school IT systems? How can they responsibly enact policies and processes to help manage the cyber risks facing the school district?
How can local, state, and federal policymakers take action to support school districts in managing cyber risks, especially in cases when school district IT systems are interconnected with other governmental systems?

If a tree falls in the forest and there is no one there to hear it, it still makes a sound. School cybersecurity incidents that go unreported still affect school communities. We can pretend otherwise, but secrecy is not in the public interest and only delays building the public will necessary to providing the resources and enacting the policies that will ultimately be needed to help schools to better manage cybersecurity risk.

The K-12 Cybersecurity Resource Center

No Title

Similar posts

FBI/CISA/MS-ISAC Warn Schools on Cyber Threats

Wall Street Journal: Why Schools Are Getting Hacked

FBI Warns Schools on Ransomware, RDP Vulnerabilities