Virginia’s Fairfax Schools Urged to Toughen Privacy Safeguards After Data Probe

Superintendent Michelle Reid said the district would follow the advice of a firm it hired to examine a massive disclosure of student information.

Virginia’s largest district released the results of an investigation into how confidential records naming at least 35,000 students were mistakenly released to a parent advocate. (Salwan Georges/The Washington Post/Getty Images)

Virginia’s Fairfax County Public Schools, one of the nation’s largest districts, should make several changes to safeguard student privacy, according to legal experts who investigated the recent accidental release of sensitive, confidential records on more than 35,000 students. 

Several of the documents were internal memos about special education services and litigation brought against the district by two former students who alleged they’d been sexually assaulted. One spreadsheet identified at least 60 students struggling with mental health issues, including some who had been hospitalized or engaged in self harm.

Investigators said that in the future, attorneys should review and label files before a parent inspects them and urged staff throughout the district to be trained on the “importance of redacting and safeguarding confidential information.” In a letter to families Thursday, Superintendent Michelle Reid said the district would comply with all of the recommendations.

The brief summary of the investigation leaves several questions unanswered, including which district officials were responsible for the disclosure and how such a massive breach occurred after a string of similar incidents in recent years.

The 74 first reported on the most recent episode on Nov. 1, two weeks after Callie Oettinger, a parent in the district, reviewed documents that she requested on her own children, a daughter in high school and a son who graduated in 2022. She discovered later that the information she copied and downloaded onto thumb drives included private information on thousands of other students.

The disclosure was just the latest in a series of student privacy incidents within the 178,000-student district in recent years. In 2020, hackers obtained Social Security numbers, birthdates and other data on over 170,000 students and employees. In the early weeks of the pandemic, students were subjected to racist and obscene comments and other harassment in online classes that weren’t protected with a password. And multiple parents told The 74 they have mistakenly received other students’ special education records or that their children’s information has been shared with other parents or staff members. 

In 2019, a former superintendent apologized when staff members forwarded information on Oettinger’s son to the wrong people and promised to train staff to prevent future occurrences. But in 2021, the district released private data on about a dozen students to another parent, Debra Tisler. Tisler shared the information with Oettinger, a special education advocate, who published redacted versions on her website. The district sued both parents to get the records back, but lost the case.

A day after The 74’s report, Reid apologized and announced that a firm with expertise in cybersecurity — Woods, Rogers, Vandeventer and Black — would investigate how the incident occurred. Nearly six weeks later, parents whose children were named in the records received a letter notifying them of the disclosure, and the district set up a phone line to provide them with more information.

The summary of the investigation showed that “older thumb drives containing unredacted files” were “unintentionally and unknowingly left within boxes accessible” to Oettinger when she went to her local high school for an in-person review of her children’s records. The probe also included “a forensic examination of a laptop” Oettinger used while she was there.

But Oettinger said the lead investigator, Beth Waller, never contacted her. Waller did not return calls or emails seeking comment. 

Reid’s letter to families stated that Oettinger and her attorney “provided declarations under oath and penalty of perjury stating they have deleted and do not have any of the identifiable student information that was involved in this incident.”

Oettinger said she wished the district had made greater efforts to clarify that she didn’t release any student’s private information. 

She published examples of the documents on her advocacy website to further underscore the point that the district didn’t protect sensitive student data. But she redacted personal identifying information before posting. 

The investigators called the incident “a unique set of circumstances” and an “unusual review,” another description Oettinger objects to. The Individuals with Disabilities Education Act gives parents the right to review records in person. 

In Fairfax, parents are split over whether Oettinger did the right thing in failing to initially inform the district of the error. 

“How do we file a lawsuit against her?” one asked on Facebook. “Let’s def (sic) all band together!”

Another wrote, “Do you understand the stress and anxiety you have caused to thousands of families in your self-righteous quest for ‘justice?’”

But Oettinger said past privacy violations made her skeptical that the district would properly address the matter.

Other parents defended Oettinger’s actions. “If she hadn’t reported it to the public, we would never have known about it,” said Jill Janson, who has two children whose information was included in the records released. “If [Fairfax County Public Schools] isn’t uber careful with a parent they have a long history with regarding data spills, then just how careful are they with a regular person off the street?”

Oettinger has complained several times to the Virginia Department of Education about the October disclosure. But state officials maintain that the district does not have a systemic problem. 

In October, following a previous complaint, the state said the district had assured officials that staff members would receive training on student privacy. That training began Oct. 31, but the district did not respond to a question on how many staff members completed it. 

“This school division is the Commonwealth’s largest,” Cecil Creasey Jr., a state hearing officer, wrote Dec. 11 when he ruled on an appeal from Oettinger. The district’s size, he said, is not an excuse, but helps to explain why such errors occurred.

But Oettinger and other critics argue the district should be able to secure student privacy given the millions of dollars it spends on legal fees.

“I have heard ‘human error’ too many times through the years,” Oettinger said. “It isn’t an excuse. Can you imagine the president accidentally including Putin in an email and then blaming human error?”
