Riddle me this: Why would you purchase a program to maintain special education records, if the function for tracking files, changes to files, and log-ins would “seriously degrade the operational performance of the system, largely making the system unusable for authorized users”?
Fairfax County Public Schools (FCPS) did just that.
If you have a child who receives special education via (FCPS), you’re likely familiar with “SEA-STARS”, which is the program FCPS is always logging into to access your students’ information.
What you might not know, is that 10 years ago, FCPS disabled the function that tracks login information, record access, and changes to student data.
This past summer, a Due Process Hearing officer requested information about FCPS’ SEA-STARS program, “specifically SEA-STARS’ ability to capture and maintain logs of specific data such as login information, record access and changes to student data and FCPS retention of such log records over time.” Among other things, FCPS advised the hearing officer:
SEA-STARS is a secure Commercial off the Shelf (COTS) product that was acquired as a result of a competitive process from Edupoint Systems, Inc. (Edupoint) and utilizes the Synergy Special Education System (SES) platform developed and owned by Edupoint. . . .
The Synergy SES product does include the ability to track login information, record access, and changes to student data in a very detailed way. FCPS tested this functionality more than ten years ago and found that due to the volume of transactions and the associated overhead generated on the SEA-STARS servers, this functionality would seriously degrade the operational performance of the system, largely making the system unusable for authorized users. In addition, this functionality is not required under the Individuals with Disabilities Education Act (IDEA) or the Family Educational Rights and Privacy Act (FERPA). The decision was made that logging would not be enabled in the FCPS SEA-STARS system. There has been no change to this decision over the years, and logging has never been enabled in the FCPS SEA-STARS production environment.
So, a program FCPS has been using for ten years (Has it updated the program or are we about to see it crash, too?), comes with a tracking function, likely because the developer recognized the importance of tracking log-ins to private information, and alterations made to file.
Yet, FCPS doesn’t use it.
And, FCPS states that function isn’t required under IDEA or FERPA. . .
You know what is required by the Individuals with Disabilities Education Act?
Sec. 300.614 of IDEA requires school divisions to keep a record of access:
Each participating agency must keep a record of parties obtaining access to education records collected, maintained, or used under Part B of the Act (except access by parents and authorized employees of the participating agency), including the name of the party, the date access was given, and the purpose for which the party is authorized to use the records.
FCPS could say that only “authorized employees” have access to SEA-STARS, but what if, say, an authorized employee accidentally deleted an important file or something nefarious occurred, such as someone accessing the program who has NO AUTHORIZATION.
Given yesterday’s news that FCPS was infiltrated by a hacker—and FCPS’ years-long history of privacy breaches—it stands to reason that someone could get into SEA-STARS if her or she wanted to.
How would FCPS know?
How would anyone know if files were changed?
How would anyone know if files were deleted?
How would anyone know if manipulated files were added?
How would anyone know anything?
FCPS has long been at fault for privacy breaches (as noted by the repeat findings of noncompliance by VDOE). At what point does securing private information become more that a saying? And, at what point does FCPS invest in technology that doesn’t have to have important functions turned off in order to operate?