Almost every week, news of another large-scale data breach makes headlines. Hackers are looking to steal sensitive information such as passwords or credit card and Social Security numbers from retailers and financial institutions. When this happens, consumers are urged to check their accounts, monitor their credit reports and change passwords to avoid identity theft and fraud.
As your state auditor, one of my focuses has been to help keep Missourians’ information secure by reviewing data security in government. We’ve regularly made recommendations to counties, municipalities and courts on ways to better safeguard electronic records. My office also continues to review ways to better protect electronic data within state government.
But what happens when personal information such as birthdates and Social Security numbers is stolen from a school and the potential victims of cybersecurity breaches are children? Unfortunately, there is a market for our kids’ stolen identity. The problem is made worse because the victims may not know their information was stolen or their credit was ruined until years later when they become young adults.
Last year, when registering our oldest son for school, my husband and I provided a lot of his personal information. Schools need this information to serve families, but must proactively protect it so it doesn’t fall into the wrong hands.
Surprising as it may be, Missouri parents may be completely unaware when data breaches hit their children’s schools. Current state law doesn’t require public school districts to notify parents or guardians if their personal information is compromised in a cybersecurity incident. Immediate notification would allow parents to quickly take the steps necessary to safeguard that information and minimize the chances of being a crime victim.
Even though the law doesn’t require notification, I’m happy to say there are several districts that are proactively helping families protect their children’s personal information. In the last year, I’ve traveled to schools across the state to recognize those districts that are “cyber-aware” of the dangers and are committed to keeping parents notified if there is a data breach. We need more Missouri school districts to join them, and the best way to do that is to change the law.
I’m supporting a proposal currently before the General Assembly to address this. Senate Bill 582, sponsored by state Sen. Gina Walsh, of Bellefontaine Neighbors, would require school districts to send written notification to the parents and legal guardians of affected students in the event of an electronic data breach of personal information. While this bill has gained bipartisan support from legislators who recognize the importance of keeping children’s information secure, it has not yet progressed to floor debate.
Accessing personal information that we have literally at our fingertips has become a necessary tool in modern society. That ease of accessibility, however, also presents a danger in the wrong hands. I encourage Missourians to not only take the steps to safeguard their own financial and personal information, but also to protect the information of their children.
Check with your local school district officials to see if they have implemented a notification policy in case of a data breach. If they have not, urge them to do so. And with Senate Bill 582 pending, contact your state senator and representative to see where they stand on this issue. Keeping parents informed should be a key part of every school’s plan for cybersecurity.
Nicole Galloway, CPA, is Missouri’s state auditor.