School district explains response to potential exposure of staff and student personal information in cyberattack incident

Students and former students in Riverhead school district are not being offered credit monitoring and identify theft protection services in connection with the Dec. 3 cyber attack and data breach because only their names, addresses and dates of birth were “potentially accessed by an unauthorized individual,” according to a statement from the district.

Exposure of that information in a data breach does not trigger a legal obligation to notify the affected individuals under state laws. Though the district decided to notify students and former students of the potential exposure, it determined that “credit monitoring and identify theft protection services are not warranted.”

The district is offering credit monitoring and identity theft protection services to current and former staff members, however. Its investigation of the data breach determined that current and former staff members’ Social Security numbers were potentially accessed in the data breach, in addition to their names and addresses.

Exposure of that information triggered a notification requirement under state data breach notification laws, the district said. An offer of credit monitoring and identity protection services was “warranted,” according to the statement.

Under a statement of work from cybersecurity firm Identity Theft Guard Solutions (IDX), signed by the district superintendent Feb. 28 and approved by the board of education March 8, IDX will provide single credit bureau monitoring, “CyberScan” dark web monitoring, $1 million reimbursement insurance and fully managed identity recovery, for one year at the rate of $10.99 per adult enrolled.

IDX also offered to provide the same services, without the credit bureau monitoring, for minors at $7.99 per enrolled minor.

The consultant’s statement of work said it would prepare and mail via USPS first class mail a notification letter to approximately 19,500 people for a cost of $20,959.50.

The district has not disclosed how many staff and former staff were affected in the breach and were being offered the monitoring and identity theft protection services.

The district’s statement provided today was in response to a March 28 inquiry seeking information about why students and former students were not offered identity protection services.

RiverheadLOCAL sought additional information after staff, former staff, students and former students began receiving notification letters from IDX.

Superintendent Augustine Tornatore replied in an email March 29 that he had reached out to the “cyber attorney” hired by the district after the incident and was awaiting a response.

Today, Assistant Superintendent for Curriculum and Instruction Christine Tona, provided the statement, which she said was done at the superintendent’s request.

The full statement provided by the district today appears below.

“Following discovery of the data incident, we engaged the services of experts in the field to determine what occurred and what information was potentially compromised as a result of this incident. Following the forensic investigation, it was determined that the data accessed by an unauthorized individual potentially included the names, addresses and social security numbers of current and former Riverhead staff members. This information triggered a notification obligation to all impacted current and former staff members under state data breach notification laws and an offer of credit monitoring was warranted based upon the information potentially compromised. However, in regard to current and former students, the forensic investigation determined that the data potentially accessed by an unauthorized individual was limited to their names, addresses and dates of birth. While this information would not trigger a legal notification to individuals under FERPA or state data breach notification laws, with the exception of North Dakota and Washington state, we provided notice to the potentially impacted current and former students out of an abundance of caution and under Riverhead’s internal policies, which provide for stricter notification guidelines as to data incidents. Based upon the student information that was potentially impacted, credit monitoring and identify theft protection services are not warranted in this incident.”