Center for Digital Education & Converge: research in education technology for K-12 and higher education

Lower Merion IT Leader Shares Lessons from Laptop Privacy Incident

on March 7, 2012
Laptop webcam photo via Shutterstock

WASHINGTON, D.C. — Managing school-issued laptops via tracking software can be a tricky proposition rife with privacy concerns.

At the Consortium of School Networking conference on Wednesday, March 7, technology directors learned what not to do from a school district that gained international attention for all the wrong reasons.

Lower Merion School District outside Philadelphia made headlines after a high school student's family sued in February 2010. The lawsuit alleged that IT employees employed by the school district remotely controlled the built-in webcam on a loaner laptop and surreptitiously took screenshots of the student in his home. The plaintiffs claimed the same action had been taken against other students.

The district took immediate action as it sought to control the damage. It turned off the tracking module in a software client management program called LANRev. The district called an independent investigation of the incident. And it communicated to parents what was going on until a court order limited that communication.

In August 2010, the two parties settled, with the district paying over $1.6 million in legal costs and payment to two students, Philly.com reported. An internal investigation showed that the district wasn't spying on students. But lack of procedures that mapped to policies as well as a lack of communication caused the district to stumble.

To comply with a court order, the school district made a number of changes in its policies and procedures. And at the conference, Director of Information Systems George Frazier told IT directors what they can do to keep from repeating his district's mistakes. Frazier was hired by Lower Merion July 2009, after the district had purchased the laptops and tracking software.

Through the court proceedings, Frazier said he realized that the school district was part of the government. Educators typically may not think of themselves as government. But school boards are considered government bodies.

And just like state, county and local governments have to conduct risk assessments, so do school districts.

"I think in education we don't spend enough time doing risk assessment. We don't stop and ask the 'what if,'" Frazier said.

While Lower Merion had policies in place, none of the agreements that students and parents signed said anything about theft tracking software. In fact, before Frazier came to the district, the software was purchased, but few people knew about it, even administrators.

Had Lower Merion created procedures that mapped to the school board's policy, the network technicians would have known when to activate the theft tracking module and what steps to take.

"Much of this would have been resolved if there had been two things: One, communication. And two, solid written procedures on how that software tracking would be used," Frazier said.

If the district had communicated that it was using the software and had established procedures, Frazier said he doesn't think the school would have sparked an incident that made headlines around the world.

"They had a concern that laptops would be stolen; they started using theft tracking software, but they didn't communicate it to anyone," Frazier said of actions taken by the district's IT employees.

Frazier mentioned a number of things that school districts should do to avoid making the same mistakes:

  • clearly communicate that you have the ablility to monitor and track devices;
  • establish procedures that tell network technicians what to do and that protect them;
  • assess the risks of a one-to-one laptop program and ask the "what if" questions;
  • clearly define the roles of teachers, principals, network technicians and the director of information systems in laptop management;
  • train staff on the policies and procedures they need to be aware of and follow;
  • provide enough staff members to support laptops for every student so no one takes shortcuts when solving problems;
  • take a course like he did on IT and law; and
  • check out government resources including the National Institute of Standards and Technology.

A year after the initial lawsuit was filed, Lower Merion has revamped its policies and procedures, which are published on its website. By learning from Lower Merion's mistakes, school districts can emphasize communication, risk assessment and procedure development for both district-provided laptop and bring-your-own-technology initiatives.

"Take what I learned the hard way and take it back and give it some thought," Frazier said.


You may use or reference this story with attribution and a link to
http://www.centerdigitaled.com/policy/Lower-Merion-IT-Leader-Shares-Lessons-from-Laptop-Privacy-Incident.html


If you enjoyed this story, subscribe for updates.

View Sample

Tanya Roscorla

Tanya Roscorla covers education technology in the classroom, behind the scenes and on the legislative agenda. Likes: Experimenting in the kitchen, cooking up cool crafts, reading good books.

E-mail: troscorla@centerdigitaled.com
Twitter: twitter.com/reportertanya
Google+: Gplus.to/reportertanya

Comments

Add a Comment

Add a Comment



FEEDBACK NEEDED

We want your input! Give us just 5 minutes to tell us what you think.

Take The Survey