School District Explains Response to Potential Exposure of Personal Information of Staff and Students During Cyberattack Incident
Students and alumni of the Riverhead School District are not being offered credit monitoring and identity theft protection services in connection with the Dec. 3 cyberattack and data breach because only their names, addresses and dates of birth were “potentially accessed by an unauthorized person,” according to a statement from the district.
The exposure of this information during a data breach does not trigger a legal obligation to notify affected individuals under state law. Although the district has decided to notify students and alumni of the potential exposure, it has determined that “credit monitoring and identity theft protection services are not warranted.”
The district does, however, offer credit monitoring and identity theft protection services to current and former staff members. Its investigation of the data breach determined that the social security numbers of current and former staff members were potentially accessed during the data breach, in addition to their names and addresses.
The exposure of this information triggered a notification requirement under state data breach notification laws, the district said. An offer of credit monitoring and identity protection services was “warranted,” the statement said.
Under a statement of work from cybersecurity firm Identity Theft Guard Solutions (IDX), signed by the district superintendent on February 28 and approved by the school board on March 8, IDX will provide unique credit bureau oversight, “CyberScan” Dark Web Monitoring, $1,000,000 Reimbursement Insurance and Fully Managed Identity Recovery, for one year at $10.99 per registered adult.
IDX also offered to provide the same services, without credit bureau monitoring, for minors at $7.99 per registered minor.
The consultant’s statement of work stated that it would prepare and send via USPS First Class Mail a notification letter to approximately 19,500 people at a cost of $20,959.50.
The district did not disclose how many employees and former employees were affected by the breach and were offered identity theft protection and monitoring services.
The district’s statement provided today was in response to a March 28 inquiry requesting information about why students and alumni were not offered identity protection services.
RiverheadLOCAL requested additional information after staff, former staff, students and former students began receiving notification letters from IDX.
Superintendent Augustine Tornatore replied in an email on March 29 that he had contacted the “cyber attorney” hired by the district after the incident and was awaiting a response.
Today, Assistant Superintendent of Curriculum and Instruction Christine Tona provided the statement, which she said was made at the Superintendent’s request.
The full statement provided by the district today appears below.
“After the discovery of the data incident, we engaged the services of experts in the field to determine what happened and what information was potentially compromised as a result of this incident. Following the forensic investigation, it was determined that the data accessed by an unauthorized person potentially included the names, addresses and social security numbers of current and former Riverhead staff members. This information triggered a notification requirement to all current and former staff members affected under national data breach notification laws and an offer of credit monitoring was warranted based on the potentially compromised information. However, with respect to current and former students, the forensic investigation determined that the data potentially accessible by an unauthorized person was limited to their names, addresses and dates of birth. Although this information does not trigger legal notification to individuals under FERPA or state data breach notification laws, with the exception of North Dakota and Washington State, we have notified potentially impacted current and former students cautiously and under the Riverhead umbrella internal policies, which provide stricter notification guidelines in the event of data incidents. Based on information about potentially impacted students, credit monitoring and identity theft protection services are not warranted in this incident.”