When a representative from the Internal Revenue Service arrived at the Manatee County School Board offices last week to pick up information on a cyber attack in January, Chief Information Officer Patrick Fletcher gave him a double take.
On Feb. 3, district administrators learned that two payroll employees had fallen for an email phishing scam. A hacker posing as Superintendent Diana Greene sent an email to one of the employees, requesting all W-2 forms for district employees. The Manatee payroll employee complied, and with the help of another employee, sent the hacker a PDF file containing all 7,700 W-2s for any employee who worked in the district in 2016.
Because of the freshness of the attack, Fletcher wasn’t taking any chances. Rather than hand over the sensitive information to the man claiming to be from the government, Fletcher drove the file down to the IRS office himself.
“Now we are going to be like Fort Knox,” said Deputy Superintendent Ron Ciranna.
Now we are going to be like Fort Knox.
Deputy Superintendent Ron Ciranna
That vigilance may seem like too little, too late to the 7,700 district employees whose information was leaked through what many have characterized as an obvious scam.
But school district officials say they are doing everything they can to help employees regroup after the attack. The district notified employees as soon as administrators learned of the attack and purchased identity protection and credit monitoring for all employees, and Ciranna said the district will be increasing its cyber-security training.
Costs for the district
As one of the only districts in the area with cyber-security insurance, Manatee may be better positioned financially to handle the fallout from a data breach than neighboring districts.
Manatee purchased a $1 million cyber insurance policy two years ago. The policy, which has a $25,000 deductible, covers the district in the event of any lawsuits stemming from the attack. Pinellas, Hillsborough and Sarasota all do not have cyber insurance, according to representatives from each district.
On Monday, Superintendent Diana Greene signed an $80,000 contract with AllClearID, an identity protection and credit monitoring firm. The AllClear service went live on Friday with a toll-free hotline employees can call to get event-specific help.
Under the terms of the contract, all employees will be covered with AllClear Identity Repair for two years and will be able to get direct help regarding this specific incident from the customer support center for 90 days. Employees will also receive up to $1 million in identity protection per employee.
Bill Kelly, the district’s director of risk management, said the insurance policy might help pay for the $80,000 contract with AllClear ID because the service was likely to prevent lawsuits, but identity protection is not a specific part of the coverage.
Beyond purchasing the AllClear service, Kelly said, the district did not anticipate additional costs.
Previous audit findings
State auditors have had issues with Manatee’s network security in each of the school district’s last three major audits. In 2011, 2014 and 2017, the auditor listed findings against the district related to cyber security. In the most recent audit, the auditors listed “district security controls related to user authentication and data loss prevention” as one of the deficiencies.
The report does not go into details about the specific issues because publicizing the specifics would make the district more susceptible to cyber attacks.
Ciranna said the specific deficiencies found by the state do not relate to preventing phishing scams, and Kelly said the district had already addressed the deficiency reported by the auditors.
In the most recent Florida auditor general’s report reviewing statewide trends for school districts, 13 out of 67 school districts, including Manatee, had deficiencies related to data-loss prevention in the 2014-15 school year.
I think you'll find in general that security and data loss is a concern throughout the state.
Manatee Chief Information Officer Patrick Fletcher
Fletcher said audit deficiencies related to cyber security have become more common this year, and that when meeting with chief information officers from other districts, most say they have had a cyber security-related finding.
“I think you’ll find in general that security and data loss is a concern throughout the state,” Fletcher said.
Edward Sarskas, a Wisconsin-based attorney who counsels corporations on cyber security and data breaches, said while lawsuits over security breaches are happening more frequently, courts are still figuring out where they stand on who can be held liable in the event of a data breach.
“This area of class-action lawsuits being triggered by compromises of personal information is becoming increasingly common,” Sarskas said. “We are definitely on an uptick and have been for a couple of years.”
A data breach at the University of Central Florida that released 63,000 student and employee Social Security numbers led to two lawsuits.
Sarskas said Manatee had taken the right steps by providing identity protection for its employees, and he said owning cyber insurance showed the school system was being vigilant against the risks involved with data loss.
Courts tend to hold institutions to a higher standard when it comes to protecting customer data than it does for protecting employee data. Sarskas pointed to a case where the University of Pittsburgh Medical Center was sued after a data breach leaked 62,000 employees’ information. A court ultimately dismissed the case, ruling that the school did not need to go to extraordinary measures to prevent a third party from stealing information.
“Courts will look at employer’s conduct and say, ‘Was it reasonable given the circumstances?’” Sarskas said. “But the courts are grappling with what is ‘reasonable.’”
Courts will look at employer’s conduct and say, ‘Was it reasonable given the circumstances?’ But the courts are grappling with what is ‘reasonable.’
Edward Sarskas, a Wisconsin-based attorney who counsels corporations on cyber security and data breaches
Sarskas said a school district should be able to show it provided adequate training for employees handling sensitive information.
“If there was absolutely no training to the people handling sensitive information, I would say there is an argument to be made that the school district did not make reasonable efforts,” Sarskas said. “On the other hand, if the district could show that everyone who had access to sensitive information had gone through a one-day training or half-day training seminar on phishing attacks and how to recognize fake emails, it would be harder to find that the school district failed to train its employees properly.”
Ciranna said he was confident Manatee had been providing adequate training to its employees, but the district would ramp up its cyber-security training in the wake of the breach.
Employee cyber-security training in the Manatee school system is mostly conducted through monthly email reminders that alert employees to common scams and remind them to be careful about what they send in emails, Ciranna said. Employees who handle sensitive information receive more specific training from their direct supervisors.
“Are we doing a good enough job? Evidently not,” Ciranna said. “We need to step that up a little bit more as far as having many more face-to-face-type training, small room, classroom in-service training types, and going around and doing it in that manner throughout the district.”
Are we doing a good enough job? Evidently not. We need to step that up a little bit more as far as having many more face-to-face-type training, small room, classroom in-service training types, and going around and doing it in that manner throughout the district.
Deputy Superintendent Ron Ciranna
Lila Rajabion, visiting assistant professor of information technology at the University of South Florida Sarasota-Manatee, said more thorough training can prevent these types of attacks.
“This lady at payroll, she was not aware of phishing attacks. They have to train them,” said Rajabion. “Phishing is very easy, someone can trick you very easily. ... Basic cyber-security training can prevent these things from happening.”
Fletcher said the district is planning to begin sending “white hat” phishing emails. These are emails pretending to be scam emails, which district IT staff will send to staff to see who takes the bait. The district can then provide specific additional training to whomever replies.
Joe Binswanger, the director of information technology for Sarasota County schools, said Sarasota is tracking what is happening in Manatee, and he plans to use the incident as an opportunity to reinforce the need for cyber security.
“We’ll use this as an opportunity to have a discussion and debrief with our employees,” Binswanger said. “(Manatee) is living my worst nightmare.”