FCPS Data Breach Cover-Up
By now you’ve undoubtedly read that Frederick County Public Schools (FCPS) suffered a data breach. About 1,000 students’ names, Social Security numbers, and dates of birth were posted on a foreign website.
Let me opine, since respected journalists Katherine Heerbrandt of The Frederick Extra and Jeremy Bauer-Wolff of The Frederick News-Post are bound by journalistic rules of neutrality and facts. I am not thusly hemmed in. I can elaborate on the facts, with opinion based on personal experiences.
FCPS is careful to use the word “breach,” because they don’t know this wasn’t an “insider” theft. Rumor is, this is not a first for our school system. FCPS won’t make that information public because, well, “image.” The less you know, the better they look.
The 1,000 known identities are not likely the totality of the breach. The seller says they are but a sampling for sale. In for a penny, in for a pound? I’ll bet the entire class of 2010 is part of the “breach.”
A growing concern of the Frederick community is the cavalier attitude FCPS is taking. Board of Education President Brad Young: “… one has to wondered [sic] why someone felt they should leak information to Katherine and scare people with 10-year-old information…” Here we have the president of the Board of Education attempting to take the focus off FCPS.
FCPS has known about this breach since September. The data in question has been on the Dark Web for years. FCPS’s hiding behind “we can’t inform the public until the investigation is over” isn’t quite true.
School officials are hiding behind Maryland Code “10-1305,” a move they are fond of. FCPS loves to say “the law prevents us from doing thus and such,” or “the law requires.” I’ve witnessed this manipulation firsthand when that’s not what the law actually says; if there even “is” a law.
Maryland Annotated Code “10” is “State Government.” “1305” is the section within the state government code.
What does “1305” say?
More importantly, what it doesn’t say is the part that concerns the 1,000 former students. It does “not” say FCPS “cannot” notify anyone involved until “after” the investigation is complete. What it “does” say is that FCPS “must” notify parties involved if the data breached could be misused. The law is discretionary on “notification” and defining “harm.” This means that if FCPS didn’t think anyone would be harmed, it had no duty to notify the parties involved.
What the public can infer from our school system’s history is that the general “public” was never going to be notified of the breach. The law does not require it. That’s why FCPS has been so inept at addressing it now. It didn’t have talking points, nor a plan, in place. You and I were never going to be notified – unless we were directly compromised.
The “2010 Data Breach” would have become one of those “rumors” we would talk about when the next system-wide catastrophe happens.
I believe the public has a right to know when these things occur. These situations, and their handling, are how we judge the competence of those we elect along with who our elected people hire to run the day-to-day operations.
Superintendent Dr. Terry Alban has a pattern of incompetence, manipulation and abuse of office. I continue to call for her resignation. If members of our Board of Education don’t understand why she is bad for FCPS, perhaps they should resign along with her.