CPS mistakenly shared the names, home addresses, phone numbers, disability status and other personal information of 4,000 students to five vendors seeking to do business with the district.

After learning of the unusual data breach, CPS officials say they took steps to remedy their actions. These include instructing the companies to dispose of the information, notifying parents of the unauthorized disclosure, and training staff about how to better protect student information.

“All [of the companies] have confirmed that they have responsibly destroyed the information,” Chief Accountability Officer John Barker wrote in a letter to parents last month.

Social Security numbers were not given out.

Data breaches like this violate federal and state student privacy laws and open the district to potential litigation; however, plaintiffs would have to prove the unauthorized disclosure caused damages. No suits have been filed.

The 4,000 affected children are a random subset of the 22,500 students who utilize CPS bus transportation.

Leonie Haimson, of the national group Student Privacy Matters, says there’s been an increase in the number of data breaches in recent years – in part because of increased federal requirements for data collection.

She says states and the federal government need to do a better job of ensuring districts are taking the right steps toward protecting private student information.

“Data should be encrypted. There needs to be better training, security audits and indemnification,” she said. “There’s been this huge push by the federal government to create the conditions under which the schools and districts have to collect more and more information and keep it in digital form […] But as we’re moving into a digital universe, the security and privacy protections have not kept up.”

Workers getting training on safeguards

In March, CPS gave the information to five vendors that had submitted proposals to provide management software for the district’s bus system. The companies were supposed to use the data set – which also included bus pick-up and drop-off locations – to test out their software.

District officials now say that the district should have given the companies a randomized list of addresses to test the companies’ software instead. Because the procurement process is still ongoing, CPS cannot identify the five companies.

“CPS takes student privacy very seriously and we deeply regret these circumstances,” officials said in a statement. “To prevent future unauthorized disclosures, the District is training staff members on student information safeguards and the importance of maintaining student privacy.”

Employees in the district’s procurement and transportation departments will be among the first to receive the training. CPS is also placing information on this breach in student files.

The steps that CPS has taken closely follow what the U.S. Department of Education recommends in cases of inadvertent data breaches. The department’s Family Policy Compliance Office gets involved only when districts don’t take steps to address the breach or if parents or students file complaints, according to a spokesman.

One parent who learned of the data breach said she’s not “completely convinced” her daughter’s information has been destroyed by the companies. “I just have to trust that the people with access to it know how to be responsible.”

Photo: Data security/shutterstock.com