Katy officials notified parents in a letter dated Oct. 7, more than a month after it learned of the breach on Aug. 31. The data affects students and staff who were at the district during the 2013-2014 school year.
SunGard K-12, a third-party company that works with Katy ISD's student data management system, told Katy officials that an employee accidentally copied student information and uploaded it to a software application used by 29 other school districts. Hackers were not involved.
In its letter to parents, the district said it does not believe the data was viewed or accessed by officials in other school districts. The only officials who would have access to the records in the 29 districts were information technology staff.
Maria Corrales DiPetta, a spokeswoman for the Katy ISD, said SunGard K-12 initially notified the district of the breach on Aug. 18. But the company did not provide the district with a full report of the breach until Sept. 15.
"The data was never viewed by any users, it was on a server that can only be viewed by several administrative staff members, usually in the IT department. It was not something that kids or mom and pop could see," DiPetta said. "SunGard told us they don't have any evidence that (those staff members) were even aware of the presence of these files."
A SunGard K-12 employee mistakenly copied a file containing Katy ISD data from a database into a standard installation pack for an information security software application. That installation pack was accessible to technology personnel at several other school districts. SunGard K-12 told Katy officials it did not believe the data was viewed or access by anyone in the other school districts.
SunGard K-12 also said it removed the Katy student data from its installation package to prevent anyone from accessing the data in the future.
Since the breach, DiPetta said the district has restricted SunGard K-12's access to its data systems. Employees with the company can now only access district records if they are helping district staff troubleshoot a technological problem.
Brenda Leong, senior counsel and director of operations for the Future of Privacy Forum, said it's very common for schools to use third-party vendors for a variety of data management systems that can oversee everything from social security numbers to grades on recent assignments.
Katy ISD used SunGard K-12 to manage its student information system — a database of student data including zip codes, dates of birth, email addresses, names and social security numbers.
But even if another company is handling the student data, Leong said it's ultimately the district's responsibility under federal law to ensure that data is protected.
"It's the school's responsibility for collecting and keeping this data. If they contract with a third-party data company, they still control the student's education records under FERPA (Federal Educational Rights and Privacy Act)," Leong said. "They have the responsibility to make sure that data is only used for educational purposes and that the vendor handling it within the confines of FERPA."
But DiPetta said there was nothing the district could have done to prevent the breach.
"The agreement with this vendor explicitly states they can't use our data for any other purposes," DiPetta said. "But the vendor took this information without the district's permission and knowledge and took an action that was out of our hands."
These types of employee-error data breaches are much more common for school districts than an attack by hackers, Leong said.
Such an error happened in Houston ISD in 2013, when the district accidentally released its employees' Social Security numbers to a public university and four businesses, including the Houston Chronicle. The Chronicle returned the records it received.
But Houston ISD was hacked in 2010, when someone was able to obtain access the private data of all students, employees and some vendors dating back 10 years prior.
Leong said concerned parents should ask the district what's in their students' records, who that information has been shared with, which third-party data vendors the district uses, and what has been done to remedy the situation.
"The parent always has the right to go to the school for this kind of information," Leong said.
©2016 the Houston Chronicle, distributed by Tribune Content Agency, LLC.
