A statement from the Florida Virtual School Program (FLVS) revealed that a data breach involving the personal information of students occurred between May 6, 2016, and Feb. 12, 2018, but it wasn’t reported until March 9, 2018!
Yeah, right. Some news flash!
Why is it that we don’t learn about data breaches until months or even years after they happen? How are we supposed to protect ourselves?
It seems that this breach affected more than 368,000 current and former students and up to 2,000 teachers at the school. FLVS says school records included students’ names, dates of birth, school account numbers, their usernames, and passwords, plus parents’ names and emails.
FLVS is now offering free identity protection services to students, former students and others who were impacted by the incident.
Ha! Identity protection from Equifax maybe? Remember what happened to them?
Cybersecurity expert Dwayne Denny with Data Specialist Group says parents should take immediate steps to protect their children.
“So, the first thing you want to do is, if you are a parent, is contact all three of the credit reporting bureaus and tell them you want to lock down your child’s account. They can put a lock on your child’s account so that no credit can be applied using that social security number.”
The school released this statement:
“FLVS also contacted Leon County Schools and notified the Florida Department of Law Enforcement (FDLE) and the Federal Bureau of Investigation (FBI). FLVS is continuing its internal investigation and is fully cooperating with law enforcement agencies as they seek to apprehend those responsible for this crime.”
The statement also offers contact information for anyone who is concerned that their accounts were compromised:
“The offer is available to students whose information was in the FLVS database from May 2, 2016, to February 12, 2018, when this incident occurred. Qualifying students or their parents can learn more and sign up for identity protection services at this website http://www.experianidworks.com/FLVS or by calling (888) 829-6553. Students should reference engagement number DB05741.”
This is a little bit late, isn’t it?
Wouldn’t it have been nice for students and parents to have been informed about the breach back in 2016?
So, what are their rights? Should parents sue the school? Maybe they should demand their tuition back!
Guess what? We are all at the mercy of organizations that don’t take the proper steps to protect our confidential data. It sure is a scary world today.
However, the U.S. Federal Trade Commission is trying to help. They are holding businesses legally accountable for data breaches. Here’s what they promise to do:
The Federal Trade Commission (FTC or Commission) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC also has authority to enforce a variety of sector-specific laws, including the Children’s Online Privacy Protection Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. Their broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies.
When companies tell consumers that they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.
The FTC has brought legal actions against organizations that have violated consumers’ privacy rights or misled them by failing to maintain security for sensitive consumer information. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.
In addition to its general authority under Section 5 of the FTC Act, the FTC has authority to investigate and prosecute privacy violations and data security breaches under 33 different sets of rules, laws, and guides. The agency also enforces other federal laws relating to consumers’ privacy and security.
On March 26, 2012, the FTC issued its final report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. The report expands on a preliminary staff report that proposed a framework for consumer privacy in light of new technologies that allow for rapid data collection and sharing that is often invisible to consumers. The goal is to balance the privacy interests of consumers with innovation that relies on information to develop beneficial new products and services.
Financial institutions are required to take steps to protect the privacy of consumers’ finances under a federal law called the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act. The FTC is one of eight federal agencies that enforce provisions of Gramm-Leach Bliley, and the law covers not only banks, but also securities firms, and insurance companies, and companies providing many other types of financial products and services. Under the law, agencies enforce the Financial Privacy Rule, which governs how institutions can collect and disclose customers’ personal financial information; the Safeguards Rule, which requires all financial institutions to maintain safeguards to protect customer information; and another provision designed to prevent individuals and companies from gaining access to consumers’ personal financial information under false pretenses, a practice known as “pretexting”.
Congress and the FTC have taken special steps to ensure that children under 13 years of age don’t share their personal information on the Internet without the express approval of their parents. Congress passed the Children’s Online Privacy Protection Act in 1998, and the FTC wrote a rule implementing the law. The FTC has taken law enforcement actions against companies that failed to comply with the provisions of the law and has issued a report to Congress assessing how companies have complied with it.
So, what can you do?
It seems you can’t do much when even the credit-protection companies get hacked.
However, here’s what one concerned citizen did!
Troy Hunt is a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals. He went to Capitol Hill to share his knowledge: https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/
You can do the same:
If you or your child are a victim of a data breach, or if you’re concerned about the privacy of your data, make sure your Congressional Representatives know. If we hold businesses, schools, colleges and the credit-monitoring agencies accountable, maybe they’ll increase their cybersecurity postures, and let consumers know their data has been breached in a timely manner!