Roaring Fork Schools data breach response seen as trial run should bigger incident occur

A recent breach involving student and staff information kept by a contract vendor for the Roaring Fork School District doesn’t appear to have seriously compromised any of those involved.
But it did serve as a trial run for the district’s response system should a more serious incident occur, according to Jeff Gatlin, chief operating officer for the district.
“It’s unfortunate, but it’s also a reality in this day and age,” Gatlin told the school board when it met last week. “It’s probably just the first of more things to come.”
The district was advised of the incident in July, after database contract provider Pearson turned up an unauthorized access into an older database platform that had occurred back in March.
Gatlin said the database is used by the district’s special education department to monitor student academic progress. It involved 119 students and 60 staff members.
“It was first and last names, primarily,” he said. “There might have been some emails.”
Affected students and staff were informed of the breach via a letter sent on Aug. 13. It stated: “No social security numbers or financial information was accessed in the breach, only the first and last names. We take student confidentiality very seriously and wanted you to be aware of this situation.”
The breach impacted some 13,000 schools and university student accounts globally, according to Pearson’s letter to Roaring Fork School District officials.
The software platform, Aimsweb 1.0, is no longer used, as Pearson and the district have begun using a newer Aimsweb platform. However, information still exists on the old platform and is used for reference, Gatlin said.
“We were fortunate in this instance that the number of students impacted was relatively low,” he said.
Still, the incident triggered a formal response that is dictated by district policy whenever such database breaches occur. That includes a public hearing before the school board to determine if the district should continue with the contractor.
The policy states, in part:
- If the district discovers the breach, it shall notify the contract provider of the public hearing date (in this instance, it was the contractor that brought the matter to the district’s attention).
- Prior to the board meeting, the contractor may submit a written response to the district regarding the material breach.
- The board shall discuss the nature of the material breach at a regular or special meeting, where the district and the contractor can present testimony.
- Members of the public will be allowed to speak, in accordance with the board’s policy on public participation at board meetings.
- The board shall decide whether to terminate the contract with the contract provider within 30 days of the board meeting, and shall notify the school service contract provider of its decision.
No one appeared at the Aug. 28 hearing to speak to the March breach, and the district will continue using Pearson, the board agreed.
According to the formal recommendation to the board: “Due to the limited nature of data exposure, the change in platforms, Pearson’s response and the importance of this service for our students, RFSD recommends continued use of the Pearson’s Aimsweb platform for progress monitoring students with disabilities.”

Support Local Journalism

Support Local Journalism
Readers around Glenwood Springs and Garfield County make the Post Independent’s work possible. Your financial contribution supports our efforts to deliver quality, locally relevant journalism.
Now more than ever, your support is critical to help us keep our community informed about the evolving coronavirus pandemic and the impact it is having locally. Every contribution, however large or small, will make a difference.
Each donation will be used exclusively for the development and creation of increased news coverage.