Protecting the Nest, Not the Public
The reason the Maryland State Department of Education denied my public information act request – please stop calling it a FOIA request, you are a state department, not a federal agency – is that releasing an analysis of the source of the recently discovered student data breach would violate state law. That law precludes the state from releasing a “public record that contains information about the security of an information system.”
As I said in Data Breach Update, the report could shed some light on how the state and county allowed potentially thousands of names to wind up for sale on a foreign server.
How is keeping that information from the public in the public interest?
We are talking about a breach that reportedly happened in 2005 – 2006. Are there problems identified in the report that are still problems at MSDE or FCPS today? If not, how would releasing the information, with any sensitive info redacted, be compromising the security of the state’s information systems?
In the end, isn’t the reason for denying the report kind of ironic in light of what’s potentially in the report? Or, in light of what was reported in an audit released earlier this year for a state data collecting center? Or in the 2014 audit of FCPS’ information technology practices?
They all point to some issues keeping sensitive information private and protected. Yes, yes. In this day and age of digital information flying fast and furiously through the cloud, the expectation of being hacked is common. What is not common, is for public entities to ask for personal information and then not take even the most basic of steps to protect it.
Basic stuff that most people, even the most technologically illiterate, do, like upgrading your software programs on the regular, scanning regularly for malware, and updating your antivirus protections. Or how about simply encrypting the sensitive information and not storing it on your general servers?
Throughout the stories in The Frederick Extra on this topic, you’ll read about missteps and incompetencies in the state and local arena when it comes to protecting sensitive personal information. But instead of copping to a screw up that puts potentially thousands of young people’s financial security at risk for the rest of their lives, they fight to hide their complicity and won’t own up to their mistakes.
Acknowledge your part, fix what’s broken and promise you won’t do it again, okay? Why does that never happen?
Most people would be content with that course of action. But, as Ronald Reagan said, “Bureaucracy is adept at protecting its nest.”
