[Dataloss] Reporting Dataloss
Chris Walsh
chris at cwalsh.org
Sat May 3 22:43:19 UTC 2008
If this happened in my school district, I would notify the
Superintendent of Schools, and try to obtain in writing the reason for
not notifying. I would then follow up explaining why I thought this
approach was mistaken. If this was not persuasive, I would then
attend the next school board meeting, and when the agenda item for all
other business (or public comment) came along, I would calmly restate
the facts in detail, and ask for Board comment. I would also make
sure that my remarks were reflected in the minutes (FOIA the minutes
after the meeting if you have to, go to the next meeting, and ask that
they be corrected if your remark is not on the record). Often, even
in small towns, the press attend such meetings or they are taped and
played again and again on public affairs cable stations.
I would reserve this level of response only for government bodies, and
only as a last resort, only if I was dead certain of the facts, and
only if I came upon these "publicly posted" materials entirely in good
faith. I would not want to have to explain why issuing an HTTP GET on
www.someschool.edu/getrecords?ID=xxxx for numerous values of 'xxxx' is
not "hacking".
Note that in many states the fact that the *entire* last name was not
exposed would, by my reading, allow the entity not to be required to
report this to those potentially impacted. I hasten to add that I am
not a lawyer.
One last note: Read up on the Family Educational Rights and Privacy
Act (FERPA; http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html). It is
pretty strict, and may provide you with a persuasive argument to make
to the powers that be.
On May 3, 2008, at 11:11 AM, Aaron Allen wrote:
> Back in November 2007, I uncovered a data breach containing about
> 7000 partial names, addresses and full SSNs of students that
> graduated from the public school system from which I graduated in
> 2002. The data was publicly posted on a website of a vendor that
> the school had used.
> So, my question to the list is what is the best way and to whom do
> you report a data loss event that neither of the responsible parties
> is willing to disclose?