While chief information officer for the Maryland State Department of Education, I oversaw more than $100 million in annual technology spending across 36 divisions and helped local school districts manage 100% remote learning during the pandemic. Data governance was one of the department’s top priorities during the tenure of Superintendent Karen Salmon. The department was required under legislative mandate to develop and implement best practices around data governance.
But implementation of this legislative mandate, which started when I was CIO, stopped in 2021, after Superintendent Mohammed Choudhury arrived. This is unfortunate because many of the district CIOs were engaged in the project and a few of them are security experts.
I resigned from my post in 2021, shortly after Choudhury took over.
The Baltimore Banner and other news outlets have reported that Choudhury appeared to have used the encrypted messaging app Signal to conduct state business, possibly shielding the communications from public records requests. Deletion of text messages through the app would probably constitute a violation of the Maryland Public Information Act. This speaks to a larger data governance issue at the education department.
In 2018, the Maryland General Assembly approved the Student Data Governance law, also known as House Bill 568. The law required the state education department to establish a data governance working group, develop and apply best practices internally and provide technical assistance and support to local school systems.
A parent, for example, should be able to find out what kind of data is being collected on his or her child and how his or her child’s personally identifiable information is being used by state education officials and private companies contracted with the state or local school systems. The education department should also ensure that personally identifiable information is encrypted at rest and in flight, not just within the department but also between the department and school systems, and among school systems themselves. Under Superintendent Salmon, I helped draft the first report on HB568 implementation, which was submitted to lawmakers. But the deliverables outlined in a second report, which called for data governance best practices and a toolkit for local school systems, were never implemented, despite being required by law.
Student information is some of the most valuable data in the world because minors have not started using their personally identifiable information to open bank accounts, get loans and sign up for credit cards. This is one reason public schools are targeted by cybercriminals. The other reason is that hackers know that public schools have significant vulnerability because superintendents have not adequately prioritized and funded data governance and cybersecurity.
State guidelines require user and system-level data, such as that used by Choudhury, and security information to be backed up and thus recoverable. If the superintendent’s messages are not being backed up, it is likely that the more complex work of securing valuable student information and personally identifiable information has not been completed.
While deleting cell phone messages is by no means a trivial act, bigger data governance challenges at the MSDE should have been fixed by now.
In the recent past, Maryland’s public schools have fallen prey to significant cyberattacks, the most notorious of which was in Baltimore County in November 2020 when the entire school system was shut down by a ransomware attack that hit its network systems and closed school for 115,000 students. News sources put damage from the Baltimore County Public Schools attack at $9.7 million, but it is likely the costs were much higher. Other incidents occurred in Anne Arundel, Howard and Frederick counties and Baltimore City. A January 2023 publicly available report from the Department of Legislative Services cited four cybersecurity findings at the state department of education.
The Maryland legislature must force the state education department to comply with the 2018 data governance bill’s requirements. Specifically, the department should be required to publish information annually on the types of student data and personally identifiable information processed. It also should be required to publish protocols for processing student data and rationales for selecting processing protocols. These information requirements should also extend to contracted services when student data are shared between a school system and a school service contract provider. The requirements should apply to procedures and rationales for vetting and selecting websites, services and applications.
The state department of education is required to comply with the state’s Student Data Governance bill of 2018. Choudhury has decided to not seek a second term as superintendent, and a new superintendent and the state department of education must make student data and privacy a priority. Otherwise, the state’s public schools will continue to be vulnerable to the nefarious actions of cybercriminals.
James D. Cornelius is the former chief information officer for the Maryland State Department of Education. He has advised school districts, state departments of education and educational technology companies in the U.S. and Europe.