Part of the Bay Area News Group

MDUSD responds to questions regarding theft of laptop containing confidential employee information

By Theresa Harrington
Sunday, December 23rd, 2012 at 12:35 am in Education, Mt. Diablo school district.

After word of the theft of a Mt. Diablo district laptop containing confidential information spread Friday, I received the following news release from General Counsel Greg Rolen. Although it was sent to me on Dec. 21, it appears that the news release may have been written days earlier, before letters were sent to the affected employees on Dec. 18.

“Concord – On December 1, 2012, a thief broke a window at the offices of Mt. Diablo Unified School District (‘district’) and stole a password-protected, unencrypted laptop. Law enforcement and district staff were immediately alerted by the office’s security system and have been investigating the incident. The stolen computer contained files that included names, dates of birth, addresses, and Social Security numbers for employees and former employees. No financial or bank account information was involved. The district has no reason to believe that the computer was stolen for the information on it or that the information on it has been improperly used in any way.

While the District has not received any reports of misuse, it will be sending letters to all individuals whose information was on the laptop by December 18, 2012. The letters will have instructions for enrolling in credit monitoring that is being paid for by the district. The district will also provide a dedicated call center for individuals who receive a letter to call.

The letters will be mailed to all individuals who worked at the District between 1998 and 2010. If you do not receive a letter by December 21, 2012, please visit our website where you will find instructions on how to find out if you are affected. We will use the United States Post Office change of address database to find current addresses.

‘We do not believe that any of the information was improperly used, however, as a precautionary measure, we are making this notification and offering eligible individuals one year of credit monitoring and assistance in identity theft protection,’ said Superintendent Dr. Steven Lawrence.

The district deeply regrets any inconvenience this incident may cause. To help prevent a similar incident from happening in the future, the district has implemented measures to minimize the use of employee Social Security numbers [and will install encryption on computers that contain sensitive information].”

After I attended a special board meeting at the district office Friday, Chief Financial Officer Bryan Richards told me that 15,927 letters had been sent to employees and former employees of the district. In addition, he told me that a second round of similar letters would be sent to 2,200 people who worked in the Berkeley school district between 2003-04, because their confidential information was also believed to have been on the laptop.

Richards confirmed that the laptop was stolen from his office and said it had been a “loaner” because his regular laptop was “in the shop.” Two bricks were found outside his office where a window was broken, he said.

The laptop had previously been used by an employee who had worked for the Berkeley district before coming to the Mt. Diablo district, he said. That employee no longer works for Mt. Diablo, he added.

Richards said the district didn’t notify employees sooner because it took a while to determine what was on the laptop, using a backup system. He also said it took a while to find the current addresses of the people whose information was on the laptop.

The social security information was left over from the time when districts used to put such data on payroll documents, Richards said. Now, he said, social security numbers are no longer used on paycheck stubs.

Regarding the surveillance video, Richards said it was his understanding that it had been reviewed and that it was not possible to identify the suspect(s).

Board President Cheryl Hansen said she wasn’t sure how much it was costing the district to provide the identity theft service, but she thought it might be covered by district insurance. She said the board learned about the theft during closed session Dec. 10, under “anticipated litigation,” since it’s possible that employees could hold the district liable if their identities are stolen.

Richards said the district has already begun implementing procedures that do not use social security numbers in documents. He has also begun exploring the possibility of using encryption, but no decision has been made about contracting for that service, he added.

The big outstanding question here is: Why did a “loaner” laptop that apparently wasn’t being used by any employee have all that confidential information on it? And how many other computers in the district may have this type of information on them and be loaned out to employees when their computers are in the shop?

Richards said his laptop, which was being repaired, did not contain this type of confidential information.

Trustee Brian Lawrence told me he wants to review the district’s security protocols and strengthen them, where they may be lacking. Clearly, computers should be wiped clean of confidential information when employees who are using them leave the district (or when the information is no longer being used).

Alicia Minyen has said the district needs to hire an internal auditor. I’m not sure if an internal auditor would have caught this, but it seems pretty likely that an internal auditor would not condone keeping this kind of data on “loaner” laptops.

What do you think the district should do to tighten up its protection of confidential employee information?

DEC. 28 UPDATE: I have just spoken to CFO Bryan Richards who clarified that the information was not on a “loaner” laptop after all. He said it was a laptop that had been reassigned to him by the Technology Information Systems Dept. and the data had been transferred from his previous computer, which was left over from a previous CFO. He said he is not sure who brought the data to MDUSD from Berkeley.

In addition, Richards said he could not answer questions regarding how much it is costing to provide the free identity theft service. That question, along with any other legal or insurance questions, should be answered by Greg Rolen, he said. Unfortunately, however, Rolen has not yet responded to my phone message asking for more information.

DEC. 28 UPDATE: Here is a followup story that touches on questions about the theft being raised by MDUSD employees and retirees: http://bit.ly/10u3WLg

I will prepare a new blog post with additional information I received from Rolen and Richards.


  • Doctor J

    G, no recording will sure make it hard for the Board Secretary to prepare accurate “Minutes” of the meeting, especially since only the Board and their new attorney were “present” during the first closed session. I suspect the new Board will expect the Board secretary to have full minutes of the reports of “closed session” to the public. Amazing. I wonder what they really teach Supts at “superintendent’s school” ? I have heard they have lessons on “governance” each day.

  • Doctor J

    Theresa, I would love to hear Joe’s explanations as to why he didn’t record both the “reports” of both “closed sessions”. Maybe Joe didn’t realize that Loreen got a raise in the Gang of Five deal for taking notes at the Board meetings.

  • g

    We appreciate you, Theresa, being there to keep us informed, but hundreds of thousands of taxpayers from five cities should NOT have to attend every meeting OR rely on you or your flip cam to know what the hell is going on in this district.

    They did record the open session before the first closed session, including comments from Lack and DeTrinidad and Mayo’s poorly disguised passive-aggressive ‘TRUST’ attack on Theresa, the press, Brian Lawrence’s blog and board and public use of 21st century technology to stay informed.

    The meeting of Dec. 10, they came out of closed session, did the swearing in and then “took five” to take pictures. When that break was over, we expected (rightfully) a reporting out from the closed session, but then, [click-click] the recording doesn’t come back on until in the middle of an open session presentation from Richards or someone.

    When they came back from the 12/21 first closed session, [snip-snip] the open mic restarted with Cheryl calling for public comment on the Pedersen presentation. (And why are speaker cards left out on the dais from 12/10 to 12/21. Don’t they frequently include names AND addresses, etc.–things that should NOT be left lying around? Security issues abound.)

    TWO meetings in a row, there is no report out recorded–or rather, IF it was recorded, someone PURPOSELY erased it before linking to the district site.

  • Doctor J

    G, I think Rose Mary Woods is alive and works for MDUSD !

  • Theresa Harrington

    g: I have posted my video of the Dec. 10 report out of closed session as a Dec. 27 update to that blog post. However, the only closed session report out I captured was from Nov. 5. I don’t remember if there was a Dec. 10 closed session report out and I don’t have anything in my notes about it.

    I am now uploading my YouTube videos from the Dec. 21 meeting, including the report out from closed session, at http://www.youtube.com/tunedtotheresa

  • Theresa Harrington

    I just spoke to Joe Estrada and he said the audio posted DOES include the public comment before the first closed session: http://www.mdusd.org/boe/Documents/audio/2012/121012.mp3
    I am listening to it now, and he is correct. Estrada told me he didn’t capture the report out of the closed session on Dec. 10 because he was so busy setting up the new board members on the Electronic School Board that he didn’t push the “record” button on time.
    After the Dec. 21 closed session, Estrada said he took a bathroom break (because it went longer than anticipated). When he returned, Hansen had already reported out (however, as I have noted, I recorded that report out: http://youtu.be/XqkHC0IAQNs)

  • Theresa Harrington

    After listening to Mayo’s comments, I am very surprised by what appears to be her opinion that trustees should not speak to the press or use social media because any discussions could be “out of context.” She appears to be stating that the public should rely solely on public board discussions to glean the opinions of trustees. Is that what voters expect? Does this mean that voters who elected trustees cannot speak to them one-on-one to try to determine their views about important subjects? To me, this idea appears to be a huge step backwards in terms of transparency and accountability.
    It is the same argument that Bill Gillaspie ended up resorting to when he grew exasperated trying to defend FCMAT’s lack of backup for its generalizations about “most districts” in its transportation review. Although Gillaspie was willing to answer questions at first, he eventually said he would not answer any more and declared that the report would speak for itself. The only problem with this is that the report has many holes in it. What does that tell the public? It says follow-up questions will not be answered. That is not a responsive way to run a district or any public agency.
    Even more surprising is that the context for Mayo’s comments is building trust among board members. She appears to want the trustees to agree to some sort of pact that shuts the public out. Would that build public trust?

  • g

    A bit out of context here, but on 12/21 the board took hook, line and sinker from Pedersen/Cody. We knew they would approve his Lease/Leaseback, but I would have appreciated it if even one of them acknowledged that they understand that there is really NO significant difference between integrating a 3% contingency clause, and a 2% cost of lease clause directly into a contract budget; “Oh, that 2% isn’t interest, and ‘we own’ that 3% contingency money and only pay it out if they need it,” -versus- “Golly gee, we ran into issues and had to do a 5% change order, but look on the bright side; the original budget allowed for up to 10% contingency, so we did really great.”

    No difference at all. The money gets spent!

  • Theresa Harrington

    Back to the topic of this blog post, here is a copy of the district’s letter that has been posted on the Vermont attorney general’s website: http://www.atg.state.vt.us/assets/files/2012%2012%2020%20Mt%20Diablo%20Unified%20School%20District%20Security%20Breach%20Notice%20ltr%20to%20consumer.pdf

  • g

    Theresa @57: As you can tell from my earlier comment, I found Mayo’s little ‘trust’ speech offensive to every sector of the public.

    Take out the “T” for Team, Ms Mayo, and what you have is Rust! Fifteen years of ‘majority du jour’ flip-flop and supplementing your living off of taxpayers will do that to you.

  • Anon

    OMG! Mayo is beyond belief. What a self serving, sanctimonious, hypocritical piece of tripe.

  • g

    I wonder why the Sample letter was even submitted to the Vermont AG, and why, while otherwise nearly identical, it provides more complete contact information than the one on the CA AG site.

  • Rich

    Theresa,
    I believe this copy of the letter you posted is a product of Experian’s “Data Breach Resolution.” I believe the district contracted with them to handle the problem and it was Experian that sent out the letters and probably gave them the guidelines on what to do.

  • Theresa Harrington

    Now, it looks like MDUSD is being held out as an example to districts nationwide in how to handle security breaches. It is surprising that this letter has less redacted from it than the one I received from Rolen.

  • g

    The Vermont letter also gives a different link and phone number to Enroll. So I guess they got the new, improved version.

  • g

    Let’s not give this district any credit. The sample letter required to be filed is published as a ‘fill in the blanks’ on the CA AG site.

  • MDUSD Board Watcher

    Now why would Linda Mayo care if board members posted on blogs?

    Is she trying to prevent some of her past and likely illegal (in my opinion) board decisions from getting exposed?

  • Theresa Harrington

    I wonder if CSBA has given any guidance on this. Many school board members across the state use blogs to inform their communities, including Rachel Norton in SFUSD: http://rachelnorton.com/

    Todd Groves, who was recently elected in WCCUSD (in another election where an incumbent was ousted, in part due to lack of transparency) has also started blogging as a way to inform his community about what his district is doing: http://toddgroves.org/2012/12/17/board-workshop-on-wednesday-december-19/

    Perhaps Mayo, who reportedly doesn’t read blogs, doesn’t feel it’s fair for her to be left out of the conversations.

  • MDUSD Board Watcher

    TH #68,

    If Linda feels left out she could simply start reading blogs.

    Also, if it is true she doesn’t read blogs as she claims then how is she aware that any other board member might be posting to blogs?

  • Theresa Harrington

    I believe she hears through the grapevine.

    I have left a message asking to speak to her about her comments, but I don’t know whether she will call me back, since she apparently doesn’t believe trustees should speak to the press.

  • g

    CSBA started its own blog in Nov, but have let it die. I guess their Facebook guidelines would indicate CSBA training is to: not ask for or give any weight to public opinion, or the press for that matter.

    “5.CSBA has implemented a system to insure that participants on our Facebook page are education professionals”

    http://www.csba.org/NewsAndMedia/SocialNetworking/~/link.aspx?_id=ACCDF9B27F7E4CD18911D8556F075BD8&_z=z

  • Doctor J

    TH#70 has a good point — there is nothing wrong with the public sending Linda Mayo emails at her AOL address on the district website. Of course, they should be respectful, express an opinion, and request a reply. Those replies could then be posted on a blog. There is more than one way to skin a snake.

  • Theresa Harrington

    I am not trying to trick Trustee Linda Mayo into releasing information to the public. I would hope that she would do so willingly, as part of her role as an elected official, who is answerable to the public.

  • Hell Freezing Over

    It has been my experience that the emails I have sent to board members during the years from 2008 through 2012 which specifically asked for the courtesy of a reply to specific questions asked, were ignored with the exception of one email in 2010 regarding the school closures.

    I received an email reply from Gary Eberhart thanking me for my email. Of course there were no responses to the specific questions I asked, or anything else that would indicate the reply was anything more than simply an automated email response anyone can set up on their email accounts. I suspect Gary’s and other board members were in “email jail” with over limit inboxes during that fiasco.

    Sometimes I think Linda and Lynn don’t even know HOW to use email. My 83 year old mother took classes to learn how to use her computer so she could keep up with all her adult children and her grandchildren via email and Facebook. Maybe we need to ask Linda and Lynn if they know how to use email on a computer without a grandchild helping them.

  • g

    I have on multiple occasions written to the board and supt. making it clear that they all got the same questions. Although I did not receive responses from most, I did receive at least one or two responses each time. Two people never responded–never. Whitmarsh and Mayo.

  • Theresa Harrington

    That’s surprising, since Whitmarsh often seemed to gauge public interest in topics based on the number of emails she received. But, I don’t believe she mentioned whether she answered them or not.

  • Hell Freezing Over

    Public interest is different than public dissatisfaction.

    And anyone can claim they received email showing “interest” or “agreement” if they never intend to back up those claims with any evidence. Remember the mysterious and non-existent 2010 Measure C poll?

  • Theresa Harrington

    I remember the Measure C poll well. It did exist. It just didn’t say what Whitmarsh, Eberhart and others claimed it said.

  • Theresa Harrington

    Here’s an interesting new tidbit from Bryan Richards. Apparently, the laptop that he thought on Friday was a “loaner” was actually assigned to him through a computer reorganization in the Technology Information System dept. that he didn’t realize had occurred (even though he oversees that dept.)

  • Hell Freezing Over

    TH # 79 –
    It’s like the three stooges – did he say when it was assigned to him?

  • Hell Freezing Over

    And TH, did he offer any tidbits on why all the former & current employee info was saved on that computer, and who saved it?

  • Rich

    Theresa, I’ve never known of an administrator, especially the district CFO, to be issued a used computer. Plus, the site tech very carefully loads all of the administrators’ computers for them, under the special treatment for administrators who control your job unwritten policy.

  • Hell Freezing Over

    And why would Richards think his computer “was in the shop” in the first place? Did he report issues with it to the tech dept?

  • Theresa Harrington

    Rich, Apparently you are correct. But, on Friday, Richards thought he was going to get his old laptop back. He now says that his old laptop was reassigned to someone else.

    HFO: I have added a Dec. 27 update to this blog post, clarifying the fact that Richards now says it wasn’t a loaner. He said the information came from the computer of the previous CFO, Gloria Gamblin, but he wasn’t sure who loaded it on there in the first place. He said he did not believe it was Gamblin.

    Regarding protocol for purging old files, he said there are different rules for different types of data. Some payroll files, which include social security numbers, cannot be purged. But, when I asked if the “soft copies” could be purged, as long as hard copies are kept in the payroll department, he responded: “Good question.”

  • Rich

    More colleagues are now calling the San Francisco bureau of the FBI over this. That number is 415 553 7400. This number will get you kicked over to Washington DC. They’ll take a report and then send it back to San Francisco. This was advised by the FTC. Maybe the FBI can find out what really happened. Make sure you have your letter from the district when you make the call. They’ll also want the address and the phone number for the Dent Center. Has anyone out there tried to get a police report on this yet?

  • Theresa Harrington

    I may have found the missing link. I just happen to have a Contra Costa schools directory from 2005. At that time, Steve Pavlina was the director of fiscal services.

    I did a quick google of Steve Pavlina and Berkeley and found this in a Berkeley school board agenda packet: “Increase in contract to Steve Pavlina for the implementation of Measure B budget preparation and budget development. The Board approved a contract for $10,500 on May 25, 2005. The additional contract amount of $10,000 is needed for more consultant support service during 2005-2006 budget development for a total amount of $20,500. To be paid from General Fund Budget. Requested by Song Chin-Bendib.”

    So, apparently, Pavlina worked for both districts in a budgetary capacity in 2005. Whether this is a coincidence or not (or whether this is the same person) remains to be seen.

  • Rich

    Theresa, My definition of “soft files” are those that are digitally stored, not printed. If that’s correct, I believe the district was storing personnel information on the district file server at the Dent Center. It should never have been stored on a laptop or any other kind of work station. Of course you wouldn’t purge the files of the file server because you would need those files later. What the tech would do would re-image the computer and load whatever the administrator would tell them they needed.
    When an administrator needed to access personnel files they would access the Dent Center file server. The only way to have those files on the “stolen” computer was if those files had been copied and saved on the computer in some way. There had to be other “soft files” available. Someone had to take personnel information and store it on a disc, jump drive, CD or another computer to have a loss like this happen. Here’s a question for Bryan Richards, did the district make a file available for the insurance reps that came around to the schools every year? I remember that when I met with them, the reps had all my information pre-loaded, including address and Social Security number.

  • Theresa Harrington

    Rich, Yes, I think you’re correct that the files were part of the “re-imaging” that was loaded onto the computer.
    I have also heard from an employee that her credit card was used fraudulently. She’s wondering if thieves could have accessed it simply by knowing her name, address and social security number. This also happened to her daughter, who worked for the district briefly, as well as to another district employee, she said.

  • g

    The dates for CFO Gamblin’s employment here might work, but the districts in question do not. She was at Oakland, not Berkeley in 2003-04.

    Nothing explains a computer being allowed to go from Berkeley to here with existing Berkeley files, and then being left here. Of course, nothing explains why somebody was willing and capable of breaking in, but then took only one laptop either.

  • Theresa Harrington

    Yes, but Steve Pavlina appears to have worked in both districts. But, whether he had access to Berkeley personnel files is unclear.

  • Doctor J

    The plot thickens and the suspects increase. Richards claims he got a 7 year old computer as his “replacement” — really ?

  • Theresa Harrington

    No, Richards said it was not the old computer. The data was transferred from the previous CFO’s computer. So, the data was old, but not the computer.

  • Rich

    Theresa, the district tries to re-image every computer that goes on MDUSD network. If someone is telling you that the re-imaging includes personnel information they’re not telling you the truth. The re-image consists of the district’s own version of Windows or Apple software. It allows the user to use the district network services and safeguards. The re-image puts on tools, not data that’s stored on the district file server.

    I would hope that the district would contact the FBI about what happened and be truthful. I know from a good friend how thorough their experts are. The FBI will show up with their agents that are experts and find out exactly what happened.

  • Anon

    How many different stories has Richards come up with as of this date?

  • Giorgio C.

    FBI? Shouldn’t these kinds of complaints be submitted to the County DA? The DA then makes the determination as to whether or not this is the jurisdiction of the FBI. Correct?

  • Doctor J

    The most basic unanswered question is why would the CFO Bryan Richards, in charge of IT and Technology Services, leave his laptop on his desk on a Friday night, knowing that it contained private confidential financial information of 18,000 people ? Secondarily, what kind of supervision and leadership does the CFO provide over IT&T to ensure that policies and procedures are in effect, and FOLLOWED, to protect confidential financial information ? If Richards did this in a similar position for Chevron, would he find himself in the unemployment line ? Where is Bryan Richards “Exhibit A” to his contract ? I think Steven Lawrence needs a spelling lesson: A C C O U N T A B I L I T Y. Why Steven did YOU not ensure that Bryan had those policies in place and practice them ? What kind of management is the Supt providing ?

  • g

    Don’t worry. As I understand CPA license mobility laws, Gov Brown just recently approved legislation that will, finally, make Bryan Lawrence’s Virginia CPA license legal to practice, and call himself a CPA, in California. The law goes into effect July 1, 2013, so it’ll be just in time for his new contract.

  • g

    SORRY–Bryan Richards’ Virginia CPA—too many similar names to keep straight!

  • Theresa Harrington

    Speaking of Richards’ “new” contract (which includes a substantive change in the number of vacation days he is allowed to accrue that was never discussed or approved by the board), he said he has “no comment” on that.
    It’s still unclear whether the employees have even signed the contracts yet. As Alicia Minyen points out, the employees were supposed to first notify the district that they wanted to stay on.
    Since Whitmarsh jumped the gun on extending the contracts, the district never received any written indication from the employees that they wanted the extensions in the first place. The contracts aren’t fully executed unless they are signed by both parties. So, if Richards hasn’t yet signed his “new” contract, he’s still working under his old contract.

  • Theresa Harrington

    It appears that many public agencies have reported similar security breaches: https://oag.ca.gov/ecrime/databreach/list