ALBANY, N.Y. (CN) – New York’s plan to turn over massive amounts of student data to a private company for online storage violates privacy laws and could expose the information to hacking, a dozen parents and guardians claim in court.
The plaintiffs, who have 19 children in public and charter schools in New York City, say they want to halt “the unnecessary and unprecedented mass disclosure of the records and personal information of millions of New York state school children.”
Lead plaintiff Mona Davids claims in Albany County Supreme Court that New York privacy law requires written consent before a government agency can disclose personal information, and that the plaintiffs did not authorize the release of data on their minor children and wards.
Named as defendants are the state Department of Education, Commissioner John B. King Jr. and the Board of Regents of the State University of New York, which sets education policy for the state.
Davids claims New York’s data-collection plan is rooted in the federal government’s Race to the Top program, which awarded competitive grants to states in 2010 based on their ideas for reforming education.
New York’s grant totaled $696.6 million.
The federal program required that grant recipients establish so-called longitudinal data systems, to follow students’ progress from preschool to high school, college and the workforce.
New York already has secure, password-protected student information management systems maintained by local districts, according to the lawsuit. Districts provide data to the state or federal government for analysis through a secure channel known as the Student Information Repository System.
New York indicated in its grant application that the existing system could generate the longitudinal data desired, and that it planned to develop a portal through which the data could be accessed by parents, teachers and others to support the federal goal of improving instruction.
But the grant application made no mention that New York intended to contract with a private firm, inBloom Inc., of Atlanta, for the portal’s infrastructure, according to the complaint.
Nor did the state disclose that it would turn over student data to a third party, or that the information would be stored “on the cloud” – on outside servers – by inBloom or its vendors, “rather than under the control of the local school districts or SED [state Education Department] itself,” according to the complaint.
InBloom, a nonprofit that grew from the consortium Shared Learning Collaborative, received initial philanthropic support from the Bill & Melinda Gates Foundation and Carnegie Corp., according to its website.
The lawsuit claims the state will send more than 400 pieces of data per student to inBloom. Some of the information is “highly sensitive” – names, home addresses, test scores, disciplinary records, race and economic status, and special education services needed.
The nature of the data exposes students to identity theft “and creates a grave risk of injury to students’ future educational and career opportunities,” according to the lawsuit.
The state’s agreement with inBloom has no data privacy and security plan, nor any protocol for managing a data breach, the parents claim. Yet it makes local school districts and the state Education Department responsible for any data loss, a provision the complaint calls “one-sided.”
Cloud storage also poses risks, the lawsuit says, citing numerous examples of breaches over recent years. It cites a report this year from the Cloud Security Alliance that found “a disturbing trend of increasing vulnerability incidents with cloud computing technologies.”
“Unless this court restrains and enjoins respondents from any further implementation of the service agreement with inBloom … the students in New York State’s public and charter schools are at risk of the disclosure, re-disclosure and misuse of their personal data,” the plaintiffs claim.
“In the absence of equitable relief, millions of students are at risk of having the most intimate details of their lives released to the public,” they contend. “There is no economic remedy that can undo that harm. The worst harm faced by SED is that it will not be able to implement inBloom. This certainly is not irreparable.”
The plaintiffs ask that the state be permanently barred from releasing any student data to inBloom and that any data already disclosed be destroyed. They also want the court to void the service agreement between the state and inBloom as contrary to New York’s personal privacy protection law.
The plaintiffs are represented by Jane Lauer Barker, with Pitta & Giblin in Manhattan.
Last Wednesday (Nov. 20) at the Capitol, the Assembly’s Education Committee held a nearly day-long hearing on the data plan, where lawmakers questioned state officials on the potential for hacking, according to the Albany Times Union.
The newspaper reported that Commissioner King acknowledged legislators’ security concerns but defended creation of the data bank as a way to standardize the student information already gathered.
He made the same point in an explanatory video posted this month on the department’s website, in which he pledged: “We’re going to do everything possible to make sure that student data privacy is protected.”
