WCPSS Student SSN Disclosure

Recently the Wake County Public School System, in Raleigh North Carolina, sent out about 15,000 post cards to the parents of students.  These post cards contained information for parents on how to indicate their intentions for school attendance in the next school year.  And about one third of these post cards contained something else…the social security number of the student.  My children attend school in Wake County and also received one of these post cards.  Luckily, we were in the two thirds that did not have the social security number displayed on the post card.  Below is a photo of an actual card that was sent out.  The number circled in red was an actual social security number on those cards that were affected by the leak.

DSCN0630new

As troubling as this mistake was, what is even more troubling is the lack of recourse for affected students and parents.  North Carolina, like most states, has a data breach notification law which I have written about previously.  This law specifically prohibits sending post cards that contain personal information such as social security numbers.  See the relevant section of the law below:

Except as provided in subsections (c) and (d) of this section, no agency of the State or its political subdivisions, or any agent or employee of a government agency, shall do any of the following:

(9) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law required that the social security number be on the document to be mailed. A social security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

Like most state breach notification laws, the North Carolina law requires incidents such as this to be reported and for those affected to be contacted.  To their credit, the Wake County Public School System did disclose the error and has agreed to provide one year of free credit monitoring for affected families.  But they are not required to do so.  According to the statute, “No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.”   Proving injury is next to impossible as there usually is no way to demonstrate the source of identity theft or credit fraud.  Moreover, these SSNs could be stored for years before being used fraudulently.  Affected students will need to monitor their credit closely for many years to come.  And if they do end up being victimized by the this egregious mistake, they have little legal recourse.

North Carolina’s breach notification law is similar to most states in that it requires businesses and other organizations to disclose breaches of personally identifiable information (PII).  And as with most other state laws of this type, penalties for violation are not very strong.  North Carolina’s law is one of the few that actually does allow an individual to sue in the event that injury is caused by the breach.  In actuality though, it is highly unlikely that any business will have to pay for injuries resulting from disclosure of PII.  Congress is currently debating a federal breach notification law that would apply to all U.S. business.  This is a step in the right direction and guarantees that any U.S. citizen whose PII has been disclosed will be notified.  But penalties for violation are still weak and until businesses are faced with financial penalties, disclosures will continue to be a problem.

Leave a Reply

Your email address will not be published. Required fields are marked *