DESE audit finds unnecessary collection of student Social Security numbers
JEFFERSON CITY - Missouri State Auditor Nicole Galloway released a cybersecurity audit of the Missouri Student Information System used by the Department of Elementary and Secondary Education (DESE). The audit found DESE unnecessarily collected and retained personally identifiable information, including Social Security numbers, from school districts across the state.
"When students' Social Security numbers are exposed in a data breach, they are five times as likely to be a victim of identity theft," Galloway said. "We must take proactive measures to decrease the risk that personal information could be compromised. As a result of this audit, DESE has agreed to collect only the information that is absolutely necessary, destroy unneeded sensitive data from their system, and maintain that information safely and securely."
DESE's system includes records for about 900,000 current Missouri students and an additional 520,000 students who have graduated from Missouri's public and charter K-12 schools since the system was instituted in 2008. The system collects and stores individual student information, including names, addresses, academic records, and Social Security numbers.
The audit also identified the following issues:
* Multiple DESE personnel shared user names and passwords. If unauthorized or inappropriate changes occur with shared accounts, it's difficult, if not impossible, to identify the individual responsible.
* DESE does not have a comprehensive data breach response policy to allow a quick and effective response to a potential data breach. A data breach policy lays out goals and processes for responding to a breach and creates mechanisms for reporting, remediation and feedback in a chaotic situation. Without a formal data breach policy, the risk of harm caused by a data breach could be increased.
* DESE has not updated its business continuity plan since 2004, even though the plan itself stipulates it should be reviewed annually. Continuity planning provides an efficient, structured approach to aid in a quick recovery during a disaster or other unexpected event.
In DESE's response, which is included in the audit report, the department agreed to immediately begin working to address all findings noted in the report.
"Cybersecurity is not a status that can be achieved," Galloway said. "It's an ongoing process of learning, adapting and remaining vigilant about protecting Missourians from cyber threats."
The complete report is available at http://www.auditor.mo.gov/AuditReports/AudRpt2.aspx?id=59