In a letter sent to Montclair Superintendent of Schools Dr. Penny MacCormack on Wednesday, June 4, the Office of Fiscal Accountability and Compliance (OFAC) of New Jersey states it has “completed its investigation into a potential data security breach,” and found, among other things, that “The initial “release” of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s possessing a district issued user name and password.”
Other relevant findings deal with computer security issues and operation issues.
OFAC states that its review was not structured to identify the individual/s responsible for providing unrestricted access to student assessments; however, it recommends that, should the responsible parties be identified, the district consider disciplinary action.
In January, the Board voted to suspend its investigation when the state’s Office of Fiscal Accountability and Compliance (OFAC) began its own investigation. At the June 2 meeting, the Board voted to terminate its investigation.
Here is the OFAC letter in its entirety:
Dear Dr. MacCormack:
SUBJECT: Montclair Public Schools Data Security Breach – OFAC Case #INV-1 06-13
The Office of Fiscal Accountability and Compliance (OFAC) completed an investigation into a potential data security breach. The investigation was prompted by concerns that unknown person/s/ accessed a password protected teacher portal. The OFAC investigation was structured to ensure that student records are secured in accordance with the provisions of applicable statute and code.
The OFAC examination was limited in scope to determine if the confidential student data was maintained in accordance with statutory requirements under N.J.S.A. 18A:36-19 et seq. and N.J.A.C. 6A:32-7 et seq. The OFAC review was not structured to identify the individual/s/ responsible for providing unrestricted access to student assessments.
The review was conducted on diverse dates from December 19, 2013, through May 30, 2014. The review included an examination of district e-mails, policy and procedure, comparing it to applicable state statutes and regulations. Interviews were conducted with district staff responsible for technology infrastructure, operations and security. The OFAC also consulted with staff from the private company engaged by the district to analyze district technology services.
The completed investigation did not identify any material violations of applicable statute and code associated with the proper maintenance and safeguarding of student records. The comprehensive review did identify areas of concern that were previously discussed with you and are attached to this letter as Exhibit “A.”
Since the district has or is taking appropriate steps to address the concerns and to ensure the overall integrity of district technology infrastructure, the OFAC will terminate the investigation and mark the file closed.
1. Observation: The agreement between Montclair Township and the school district is not memorialized in written form.
Recommendation: Both entities should execute an appropriate agreement defining the responsibilities of each party.
2. Observation: The district currently does not maintain a user audit trail to identify individuals’ access activity.
Recommendation: The district should research what options are available for auditing user accounts to determine if increased monitoring is needed.
3. Observation: District computer operations were under the control of a single individual who declined to share access codes or document programs that impacted computer operations.
Recommendation: The district should establish redundancy as per established standards to ensure continued operations in the event the primary individual is incapacitated.
4. Observation: The OFAC was informed that school district and town e-mails are comingled when archived.
Recommendation: The district should require that school district e-mails be segregated to allow for appropriate retrieval as necessary.
5. Observation: Based on the best information made available to the OFAC, the initial “release” of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s possessing a district issued user name and password.
Recommendation: If the party or parties responsible are identified, the district should consider appropriate disciplinary action.
Board President David Deutsch shared OFAC’s finding today with the board along with the following letter:
Dear Members of the Board of Education,
This week, we received the official letter from the Office of Fiscal Accountability and Compliance (“OFAC”) in which it shares its findings regarding last fall’s unauthorized release of certain assessments. Later today, both this letter and the OFAC letter will be posted on the district’s website.
The OFAC letter shares two important conclusions. First, “…the initial “release” of the assessments that allowed posting to a site accessible to the general public could only be accomplished by an individual/s/ possessing a district issued user name and password.” Second, OFAC notes several material deficiencies in the district’s legal, operational and personnel-related protocols with respect to its computer infrastructure.
As we have formally ended our own investigation, there is little to say on the first conclusion. However, regarding the second conclusion, the Board’s investigation uncovered the same weaknesses in its computer systems that OFAC confirmed, and I believe the discovery of these weaknesses was the most significant of the many issues brought to light by the release of the assessments.
Accordingly, I am pleased to note that Dr. MacCormack and her staff, based on their own evaluation, have already implemented the bulk of the OFAC recommendations to improve the district’s computer infrastructure.
Deutsch told Barista Kids that the findings of the weaknesses in the computer system are perhaps the most significant and he is very pleased at how Dr. MacCormack and her staff have quickly moved to remedy the issues.