Q&A Regarding NOTICE OF SECURITY BREACH

Williamson County Schools

Questions About The Breach

 Q:        What happened?

A:         In August of 2007, an employee of Williamson County Schools uploaded a file containing student data to a website he created, www.tnweb.org.  This website was unrelated to Williamson County Schools, and the information was not labeled as student data nor was it accessible from the menu of the website.  Within 30 days the mistake was discovered by a non-profit consumer group called the Liberty Coalition that notified the employee of the exposure of the information.  The employee and the Liberty Coalition immediately took steps to remove the website and the data from the internet.  The employee did NOT notify Williamson County Schools.  Since there was no reference to Williamson County Schools in any of the information, the Liberty Coalition did not know to notify us. On June 26, 2008, we discovered the possibility of this breach and began our investigation.

Q:        What information was exposed on the internet?

A:         The student information consisted of names, dates of birth, test data and social security numbers of students who took the second grade TCAP achievement test and students who took the ACT test during the 2006-07 school year, which is typically juniors and some seniors in high school.  The number of students in this group is approximately 5,300 (Group 1).  While there was name, date of birth and test data posted regarding other students, no other students had social security information posted.  This second group consists of approximately 11,000 students (Group 2).   

Q:        Who accessed this data?  Is there any evidence of foul play?

A;        At this time there is no evidence to suggest that the information was accessed by any group other than the non-profit consumer group that helped to bring the situation to light; however, that possibility can not be ruled out.  We believe that this incident occurred due to an unfortunate error in judgment on the part of the district’s employee, and there was no intent to disclose or to harm any children.

Q:        How long was the information on the internet?

A;        To the best of our knowledge the file was on the website for less than 30 days.  The website was taken down within hours after notification of the exposure.  Search engines were contacted to clear their cached (stored) pages that might reflect the information.  This was concluded in early October, 2007.

Q:        Is the employee referenced, Chris Nugent, still employed at the school district?

A:         No. Mr. Nugent is no longer employed by the district. 

Q:        The notice letter says that Williamson County Schools learned of the theft on June 26, 2008.  Why did they wait until now to notify me?

A:         We have worked since June 26, 2008, to identify the list of students in Group 1 and to provide parents with services that will help to identify and address any potential misuse of student information.  To do that, we first needed to interview the employee who posted the website and the non-profit company that first discovered the information on the internet to get a complete understanding of what happened and to make sure that all exposure had been addressed.  In doing so, we also had to notify all of the proper authorities.  We then worked to identify reliable providers of identity monitoring and fraud resolution services.  After selecting National ID Recovery (NIDR) for those services, we promptly negotiated agreements and put the desired services in place.  Once the contracts were executed, we still needed to finalize the notice.  Also, we had to obtain and match addresses with the student names since this was not part of the data attached to the student file.  The letters are scheduled to be mailed during the week of July 14, 2008, to the parents of students whose social security numbers were exposed.

Q:        I have not received a notification about the privacy incident. Does that mean that my student is not affected?

A:         Williamson County Schools is sending notice letters to all parents of students in Group 1 whose social security numbers were exposed.  If your child was in this group, you should receive a notice by July 23, 2008.  There may be some students who have moved out of the district and/or graduated and may not have been contacted. If you did not receive a letter and remain concerned that your child may have been in this group, you may request information by emailing Lydia Glynn at lydiag@wcs.edu.

Q:        Will someone contact me to ask for my child’s personal information in order to activate services?

A:         No!  For those parents whose child’s social security number was exposed (Group 1), we have established a special toll-free number directly to National ID Recovery.  The phone number is included in the parent letter. The parent must place the call.  This is for your child’s protection.  It is a tactic of identity thieves to take advantage of a well-publicized breach situation and randomly contact persons hoping to find someone who is in the affected group, and then ask for personal information.  We recommend that you do not release personal information in response to any contact of this nature that you did not initiate yourself.

Q:        Can I go to www.ssnbreach.org to find out what information was published regarding my child?

A:         The website www.ssnbreach.org is sponsored by a non-profit organization called the Liberty Coalition, which is not affiliated with Williamson County Schools.  If you go to this website, be aware that this organization, although non-profit in structure, displays links to various identity theft companies that charge fees for their services and which may not be appropriate for children. Also, if you see a notation of “SS” on the list that is returned in your search, (for example, “Math SS, Soc St SS”) it means scale score, not social security. This is the case for most students who took the third through eighth grade TCAP. If your child’s social security number was exposed, it should specifically state “social security number” on the list.

Q:        What is Williamson County Schools doing to prevent this from happening again?

A:         Williamson County Schools is no longer requiring social security numbers as part of the registration process, effective immediately. All new students will be issued a Personal Identification Number (PIN). In addition, we are working with the Tennessee Department of Education on efforts to remove all existing social security numbers from the Williamson County student information system by replacing social security numbers with a student PIN.      

Questions About Identity Theft

Q:        How much risk does this incident pose to my child’s identity?

A:         Experts in dealing with identity theft have told us that accidental breach events, such as this one, do not typically have a high risk of identity theft.  However, this is no guarantee.  That is why Williamson County Schools is providing proactive identity monitoring and professional recovery services if identity theft should occur for any reason.

Q:        Has anyone been victimized by ID theft because of this incident?

A:         To date, we are not aware of any student who has been victimized by ID theft because of this incident.

Q:        What do I do if I learn that my child’s identity has been misused?

A:         Contact National ID Recovery to explain the situation.  Use the special toll free number or identify yourself as a parent of a Williamson County child.  The advocate will guide you through the proper course of action. 

Questions About Services That Are Being Provided

Q:        What services are being provided for students in Group 1 whose social security numbers were exposed?

A:         Williamson County Schools is providing one year of identity monitoring services designed to detect misuse of a student’s personal information and  professional identity recovery services if any fraud is found.  A special toll-free number direct to National ID Recovery has been established.  During the initial phone call, National ID Recovery will determine if a credit file exists for your student, and if so will immediately place fraud alerts, obtain copies of credit reports and begin an investigation to identify and address any evidence of fraud.    

Q:        What services are being provided for students in Group 2 whose social security number was NOT exposed?

A:         If a parent of a child in Group 2, whose name, date of birth, and test scores were exposed, believes that their child has been compromised by fraud for any reason National ID Recovery will provide an advocate to address the issue until it is resolved.  Once a case is opened, it will continue until all issues are resolved, even if the timeline goes beyond the expiration of the one year benefit.  

Q:        Is there a deadline to enroll in the identity monitoring service?

A:         No, but we encourage all parents in the affected group to promptly contact National ID Recovery to activate the monitoring services.  The monitoring services will be provided through July 23, 2009. 

Q:        What does identity monitoring do?

A:         Identity monitoring uses a sophisticated software system that looks for anomalies, or “red flags,” in the use of personal information.  For instance, in the case of a minor, it checks the credit bureaus for the existence of a credit file.  It also looks at companies that collect large amounts of data, like Lexis Nexis, to see if the personal information of the person is being used for true name or other forms of identity theft.  If something unusual is found, an alert is issued.  An advocate will get in contact with you to discuss whether the alert is evidence of a problem or not.  If it is a problem, the advocate will open a case and begin the process of recovery for you.  So, in other words, it is an early warning system.

Q:        Is this just like credit monitoring?

A:         No. While credit monitoring is limited to credit, identity monitoring looks for many types of identity theft.  Also, credit monitoring depends on the fact that a credit file exists.  Then on an ongoing basis it alerts you if something new is added to that credit file.  You must determine whether the new activity is legitimate or fraudulent.  Since a child should not have a credit file, credit monitoring is ineffective. 

Q:        How did you select National ID Recovery?

A:         We looked at eight different companies to determine the best fit for our situation.  We felt that National ID Recovery had the best approach, was the most hands-on to help make it easy for parents, had the most comprehensive services, and had more experience working with children’s identities than the other companies. 

Q:        What will National ID Recovery do for me and my child if identity theft does occur?

A:         A professional identity theft advocate will be assigned to manage your case.  This person is a trained paralegal professional who will perform an analysis of the case, document all incidents of fraud, and provide all of the paperwork, phone calls, and follow-up to make sure that each incident of fraud is addressed and expunged.  The advocate will also work with law enforcement, to the extent possible, to help to identify and apprehend the criminal. 

Q:        Is National ID Recovery staffed to handle calls from 5,000 parents?

A:         Yes. They have handled cases involving hundreds of thousands of individuals such as this.  However, please be patient if for some reason you do not get through on the first call, just wait a few minutes and call again.  Occasionally there will be an influx of calls that will require you to wait.

Q:        What if there is identity theft in my child’s name but we can’t prove that it is connected to this incident?

A:         You do not have to show a connection to this event.  The services that are being offered through National ID Recovery are available for any identity theft situation, no matter how it occurs, even if you know that it is NOT connected to this incident.

Q:        What kind of information has been given to National ID Recovery?

A:         National ID Recovery has been provided with a list of student names and addresses in order to complete the notification process.   In order to begin the identity monitoring process, a parent will need to call the toll free number and provide the student’s social security number, your phone number and email address, if you have one. 

Questions About Fraud Alerts and Credit Reports

Q:        What is a fraud alert?

A:         Generically speaking, a fraud alert tells creditors to contact you before opening any new accounts or changing your existing accounts.  Once you notify one of the three national credit bureaus of your fraud alert, the others will be notified to place a fraud alert as well.  All three credit bureaus also will send you one credit report, free of charge.  Since your child shouldn’t have a credit report, with the possible exception of some older teens, a fraud alert can not be placed.

Q:        What is the best way to find out if my child has a credit report?

A:         The best way to find out if your child has a credit report is to call in or attempt to place a fraud alert online.  If your child has no credit report, the attempt will fail.  This is the desired result!  You can either call one of the credit bureaus listed below or, if you are in the affected group, you can call the number for National ID Recovery on the notice letter and a representative will help you complete this test.  If you are able to place a fraud alert, we suggest you follow through to obtain the credit report and review what is contained on the report.  If you are working with an advocate at National ID Recovery, they will do this for you. 

            Call any ONE of the credit reporting agencies below if you want to place a fraud alert or learn if your child has a credit report. 

            Equifax:         1-800-525-6285; www.equifax.com

            Experian:       1-888-397-3742; www.experian.com

            TransUnion:  1-800-680-7289; www.transunion.com

Q:        I have been told that I can request a copy of my child’s credit file, and even if one doesn’t exist, a file will be created by my inquiry.  Then I can place a fraud alert on the file.  Should I do this?

A:         This may not be a good idea. It will make it harder to detect potential problems going forward, since an empty file will exist.  It is easier to monitor a minor’s status when there is no file.  It can also make it difficult for your child to obtain credit, once they get ready to do so.  Also, you need to consider that a fraud alert will not guarantee that your child’s personal information will not be used for credit and other forms of identity theft.  You should learn about the pro’s and con’s before taking any action on your own.  If after considering all of your options, you still have concerns about your child’s identity being exposed, contact National ID Recovery prior to placing a fraud alert.

Posted July 16, 2008
Williamson County Schools in its employment of personnel and in its educational activities with students does not discriminate on the basis of race, color, national origin, sex or disabilities.    Email the Webmaster