NY Confidential

NY Confidential

March 3, 2014

During the December holiday shopping rush, retail giant Target made headlines for all the wrong reasons. In a massive data breach, hackers stole credit card numbers and personal information from millions of the store’s shoppers. Its customers were struck with panic about their recent purchases, while others wondered if they would be safe in the future. 

The episode served as a cautionary tale about what can happen when highly personal data is collected—and not just in the private sector. With education a top issue for many New Yorkers, Target’s predicament only heightened concerns about the state Education Department’s intention to transfer student data to a third-party cloud system. 

The move of the data to inBloom—a Bill & Melinda Gates Foundation-funded nonprofit that aims to help school districts store crucial data and make it accessible to teachers, administrators, parents and students—has drawn the ire of some state lawmakers and parents. While the state and the company both say the data would be safe while it is moved and once it is stored, some fear a Target-style breach. 

The state has started transferring data to the new system, but as a result of technical difficulties it has delayed finishing its upload until April. That interruption has given lawmakers more time to push for further postponements of the upload of data—which would include student names, addresses, grades and test scores—at a time when confidence in the leadership of Education Commissioner John King appears to be at an all-time low. 

“We don’t question the intentions of the state concerning the use of this information. But the concern that we all have is based upon what we see given today’s technological world that we live in: That if you collect information, eventually someone is going to steal it,” state Sen. Andrew Lanza said last month at a Senate Education Committee hearing. “That’s just the reality that we’ve got to live with.” 

Lanza said he believes that storing less student information is better, and other lawmakers wonder why a new data storage system needs to be created in the first place. 

The answer, according to state officials, is to address the disparity in technology among districts across the state. King said at the January hearing that affluent districts are already using third-party providers to store data and make it accessible to teachers, students and parents through online portals. In some cases, the data is stored on district servers. In other cases, it is stored at regional information centers or locations outside the state. 

The commissioner said that some districts have had data portals in full swing for years, but the purpose of creating the statewide data store is to bring poorer districts up to speed. 

While animosity has been directed at inBloom just as much as at the state, a company spokesman said it is up to the state and districts to choose what data is stored, and inBloom is simply the vehicle for storage. 

“To be clear, we have zero involvement in choosing what is collected,” spokesman Adam Gaber said in an email. “inBloom simply gives each district its own protected storage area, with the ability to organize information based on a set of education data elements called the Common Education Data Standards, which was developed by the U.S. Department of Education, with input from local education agencies, vendors and teachers.” 

inBloom has repeatedly said that it does not sell student data or share it with other parties, although critics have cited its ties to the online retailer Amazon, which manages its cloud service. The company says that student data on its system has never been breached. 

Gaber said that inBloom uses Amazon Web Services, an arm separate from the retail store, as its cloud service provider. Amazon Web Services was selected because it is one of a handful of companies that are fully certified through the Federal Risk and Authorization Management Program, a federal government procurement program that sets safety standards for cloud service providers. 

Some experts argue that cloud-based systems may simply be the best option. Matthew Rhoades, director of the cyberspace and security program at the Truman National Security Project, a Washington, D.C.-based national safety think tank, said cloud-based systems generally require a higher level of sophistication to break into. And the systems are catching on with major companies such as Google, he added. 

Regardless of what encryption and security measures a company like inBloom offers, Rhoades said there are still other standards and protocols that can be put in place to secure data. 

Of course, as Lanza noted, the tech world is never 100 percent secure, regardless of the system and the sophistication of its security. 

“We can’t completely secure ourselves without completely unplugging,” Rhoades said, adding that the Edward Snowden NSA leak illustrates how even top-level encryption can be breached. 

While unplugging may not be a viable option, lawmakers seem intent on pressing for more information about inBloom and asking for alternative solutions. 

At the January hearing, while addressing inBloom and the Common Core—issues King says have become conflated, though they are separate— state Sen. Jack Martins issued a stern warning to King that the Education Department must take seriously concerns that have arisen across the state about both. 

“Make the changes that need to be made, so that this can be implemented successfully,” he said. “Do not, and I’m asking you, please, do not force this body and our colleagues on the other side of the building to come up with a legislative solution in a way that we perhaps don’t want to.” 

Matthew Hamilton