Part of the Bay Area News Group

MDUSD responds to questions regarding theft of laptop containing confidential employee information

By Theresa Harrington
Sunday, December 23rd, 2012 at 12:35 am in Education, Mt. Diablo school district.

After word of the theft of a Mt. Diablo district laptop containing confidential information spread Friday, I received the following news release from General Counsel Greg Rolen. Although it was sent to me on Dec. 21, it appears that the news release may have been written days earlier, before letters were sent to the affected employees on Dec. 18.

“Concord – On December 1, 2012, a thief broke a window at the offices of Mt. Diablo Unified School District (‘district’) and stole a password-protected, unencrypted laptop. Law enforcement and district staff were immediately alerted by the office’s security system and have been investigating the incident. The stolen computer contained files that included names, dates of birth, addresses, and Social Security numbers for employees and former employees. No financial or bank account information was involved. The district has no reason to believe that the computer was stolen for the information on it or that the information on it has been improperly used in any way.

While the District has not received any reports of misuse, it will be sending letters to all individuals whose information was on the laptop by December 18, 2012. The letters will have instructions for enrolling in credit monitoring that is being paid for by the district. The district will also provide a dedicated call center for individuals who receive a letter to call.

The letters will be mailed to all individuals who worked at the District between 1998 and 2010. If you do not receive a letter by December 21, 2012, please visit our website where you will find instructions on how to find out if you are affected. We will use the United States Post Office change of address database to find current addresses.

‘We do not believe that any of the information was improperly used, however, as a precautionary measure, we are making this notification and offering eligible individuals one year of credit monitoring and assistance in identity theft protection,’ said Superintendent Dr. Steven Lawrence.

The district deeply regrets any inconvenience this incident may cause. To help prevent a similar incident from happening in the future, the district has implemented measures to minimize the use of employee Social Security numbers [and will install encryption on computers that contain sensitive information].”

After I attended a special board meeting at the district office Friday, Chief Financial Officer Bryan Richards told me that 15,927 letters had been sent to employees and former employees of the district. In addition, he told me that a second round of similar letters would be sent to 2,200 people who worked in the Berkeley school district between 2003-04, because their confidential information was also believed to have been on the laptop.

Richards confirmed that the laptop was stolen from his office and said it had been a “loaner” because his regular laptop was “in the shop.” Two bricks were found outside his office where a window was broken, he said.

The laptop had previously been used by an employee who had worked for the Berkeley district before coming to the Mt. Diablo district, he said. That employee no longer works for Mt. Diablo, he added.

Richards said the district didn’t notify employees sooner because it took a while to determine what was on the laptop, using a backup system. He also said it took a while to find the current addresses of the people whose information was on the laptop.

The social security information was left over from the time when districts used to put such data on payroll documents, Richards said. Now, he said, social security numbers are no longer used on pay check stubs.

Regarding the surveillance video, Richards said it was his understanding that it had been reviewed and that it was not possible to identify the suspect(s).

Board President Cheryl Hansen said she wasn’t sure how much it was costing the district to provide the identity theft service, but she thought it might be covered by district insurance. She said the board learned about the the theft during closed session Dec. 10, under “anticipated litigation,” since it’s possible that employees could hold the district liable if their identities are stolen.

Richards said the district has already begun implementing procedures that do not use social security numbers in documents. He has also begun exploring the possibility of using encryption, but no decision has been made about contracting for that service, he added.

The big outstanding question here is: Why did a “loaner” laptop that apparently wasn’t being used by any employee have all that confidential information on it? And how many other computers in the district may have this type of information on them and be loaned out to employees when their computers are in the shop?

Richards said his laptop, which was being repaired, did not contain this type of confidential information.

Trustee Brian Lawrence told me he wants to review the district’s security protocols and strengthen them, where they may be lacking. Clearly, computers should be wiped clean of confidential information when employees who are using them leave the district (or when the information is no longer being used).

Alicia Minyen has said the district needs to hire an internal auditor. I’m not sure if an internal auditor would have caught this, but it seems pretty likely that an internal auditor would not condone keeping this kind of data on “loaner” laptops.

What do you think the district should do to tighten up its protection of confidential employee information?

DEC. 28 UPDATE: I have just spoken to CFO Bryan Richards who clarified that the information was not on a “loaner” laptop after all. He said it was a laptop that had been reassigned to him by the Technology Information Systems Dept. and the data had been transferred from his previous computer, which was left-over from a previous CFO. He said he is not sure who brought the data to MDSUD from Berkeley.

In addition, Richards said he could not answer questions regarding how much it is costing to provide the free identity theft service. That question, along with any other legal or insurance questions, should be answered by Greg Rolen, he said. Unfortunately, however, Rolen has not yet responded to my phone message asking for more information.

DEC. 28 UPDATE: Here is a followup story that touches on questions about the theft being raised by MDUSD employees and retirees:

I will prepare a new blog post with additional information I received from Rolen and Richards.

[You can leave a response, or trackback from your own site.]

111 Responses to “MDUSD responds to questions regarding theft of laptop containing confidential employee information”

  1. g Says:

    Whatever they do it won’t be done before Solar, or before favored contractors are guaranteed their piece of the pie. Multiple Modulars stuck all over the place take precedent over student or site security. They do plan to upgrade, add digital, and other security system/alarms etc. in 2013.

    First thought: How many hands had “borrowed” that computer?

    Second: As Executives leave, don’t they lock their private office doors to secure sensitive files and computers? Or Was his door also broken into?

    Third: Just his office? Just his computer? Somebody was intent enough to bring their own bricks, but left with just one computer–or are we just being told about the one that had personnel information on it? Or were there loose bricks just lying around the building begging to be chucked at the windows?

    Fourth: 16,000 employees in 12 years is a whole-big-bunch of turnover.

    Fifth: How about this board gets with the new program. Start reporting out action taken in closed session ‘in a timely manner’ whether for approving expenditure of funds for Experian, or -whatever. Ten days after it happened, ‘somebody’ knew if Experian was covered by insurance. Wasn’t that ascertained? Why does Cheryl just “think” it might be? I thought the district was ‘self insured’ for most things. If so, that certainly doesn’t make Experian cost any less–it’ll just come out of a different bucket.

    Sixth: They reported the theft to the CA State Attorney General 10-12 days earlier than they reported to the employees.

    By law if more than 500 people are affected, they have to report it to the State.

    So, how about telling the folks who count. ‘We couldn’t warn people until we confirmed 18,000 addresses’ is: A) a crock. How about your 5000 current employees immediately, and the rest as soon as you could.

    We are counting on This board to not hide closed session information until it is “convenient” to make it public.

    Seventh: Strike one.

  2. Doctor J Says:

    Show us the surveillance video — its a public record. Lets hear the 911 or other police tape recordings of the reporting of the crime.

  3. Doctor J Says:

    ComputerGATE — Richards must have known what information was on this computer — why did he leave it on ? Why didn’t he secure his computer before he left Friday night ? Who is the person(s) that put this information on the computer ? Why wasn’t the computer “wiped clean” by IT before it was “lent out” ? Did Berhart and Whitmarsh ever return their computers to MDUSD ? Has their access to MDUSD reccords been eliminated ?

  4. Doctor J Says:

    Berkeley Unified — has anyone asked that district how its confidential employee information got onto a MDUSD computer ? They have a major security breach themselves. Have they reported the data breach to the California Attorney General ?

  5. Rich Says:

    I think you have a major story here. The explainations by the district of what occurred are questionable. The Concord Police department is providing very little information. The events involve at least three of the district heads. There will probably be 2,000 employees involved with notification before this is over. I would not be surprised to see other media outlets coming in on this. It will be interesting to see how board votes on administration contracts.

  6. Rich Says:

    Sorry guys, I meant 20,000 employees, not 2,000.

  7. Doctor J Says:

    @Rich#5 Bryan Richards already said the letter went out to 16,000 current and former employees — plus there is another 2,000 from Berkeley, which I would presume that MDUSD has to obtain current mailing info from Berkeley. That is at least 18,000 affected employees. Lots of unanswered leadership and policy questions, potential liability, etc. We await answers to these questions. If Steven thinks he can use Christmas and New Year’s to shield himself, its time to dial his cell phone.

  8. Doctor J Says:

    One of my insurance friends just told me that a big question that should be asked [hint hint Theresa] — how much is the insurance deductible ? And when is the renewal date for the policy so follow up can be made if the district will be cancelled. He also said a copy of the insurance application and policy should be obtained to see if the districts representations were accurate and what are the “exclusions” for these type of event as the insurance company may be “denying coverage”.

  9. Theresa Harrington Says:

    There is now a large message in red on the district’s home page with information for employees and former employees who received a letter from the district:

    Regarding accountability, the district’s organization chart shows that Richards oversees IT and Technology Services, which should be responsible for erasing sensitive data from loaner laptops:

    Also, although it isn’t listed, Greg Rolen oversees risk management. As I recall, that was also part of the justification for his $30,000 salary increase. Obviously, the buck stops with the superintendent and the board.

    Linda Mayo was the trustee who helped put together the agenda for the Dec. 10 meeting and she reported out of the closed session. Hopefully, agendas from now on will give more detail about what is being discussed and reports out will be more thorough.

    It appears that the board is still looking to Rolen and the superintendent for guidance regarding how much to say about these issues. Trustee Barbara Oaks told me she couldn’t say anything, but she confirmed that this was discussed Dec. 10. Trustee Brian Lawrence said he could confirm what I already knew, but he said the district was trying to balance the need to inform the public with the need to protect employees. Hansen said she didn’t want to compromise the police investigation by saying too much, but she’s the one who acknowledged the district could face lawsuits from employees over this. They all referred me to Rolen for more information.

  10. Hell Freezing Over Says:

    1. How did the “district” end up with this computer? Please tell us someone at the “district” can trace this computer back to it purchase order date and any “maintenance” performed on it. For that matter, how many laptops does the “district” own and what is the status of those assets? Don’t forget the “district” recently obtained a boatload of iPads; where are are all of those assets, who is using them and how are they being used?

    2. How can a computer be “used” by an employee who worked in one district (Berkeley), and then by the same employee who worked in another district (MDUSD)? Computers owned by the “district” don’t follow an employee from one place of employment to another, so how and why did Berkeley employee data get put on this MDUSD owned computer? What other data was stored on this computer?

    3. Who had access to / use of this computer in its lifetime? There has to be a list of “ownership” for this computer showing who used it, when they used it and when it was returned it. If it was a loaner, I’m shocked that it wasn’t wiped clean before being handed out to another employee for use, no matter how short of a time that may be.

    4. Why would any employee of either “district” have this type of information on a computer? The only area with the need to access the type of data found on it would be personnel dept staff. Note: Needing to access files and having data stored on a computer are two very different things.

    5. Who is the person who was employed in both districts that Richards said used this computer and is no longer with the “district”? When did the employee who had used this computer as their primary computer leave, and for what reason?

    Sooooo many questions … What a mess for all involved. I would bet voice mail and email inboxes at Dent have been maxed out by extremely anxious and pissed off former / current employees as they learn of this breach of personal information when they recieve their letter in the mail over the holiday break. Postage must have cost us – the MDUSD community and families – thousands of $$$$ alone; then there is the cost of the ink in the printers, the paper to print the notice on, the printed envelopes to mail the letters in, the electricity to run the printers and postage machines, the time of Dent staff to compose, stuff and mail those notices … And there will be lawsuits filed … We will never truly know the real cost of this mess.

  11. g Says:

    Theresa: I can find nowhere that this “News Release” was ever published. Not in the Times, or on the district website. I wonder, did the district mail one letter to tell 18,000 people that a second letter would be coming?

  12. Rich Says:

    Dear Frozenover
    To Muddy things a bit more:
    1. There are a lot of computers, privately owned by staff members, that are on the MDUSD system.
    2. That may give you a partial answer to your #2.
    3. Good luck on the ownership issue. There are so few techs and so little money for equipment that I would be “shocked” if there were notes on the use of a computer.
    4. It took a lot of work to get the district to give us an employee number rather than a Social Security number. There were a lot of documents out there with our SSN and we complained about this back in the 90’s to get it changed.
    4-5. Every year, we met with a representative from an insurance firm that the district brought in, that went over our buying disability insurance, cancer insurance, 403b accounts and other types of products. You’d set down with these folks and they would type your name in the laptop and, guess what? You’re SSN and date of birth would show up on their screen. There was no CAT5 cable going to the laptop, just a power cord. I could only guess that they already had a copy our records in advance. The same representatives worked a number of districts.
    As a teacher, I heard very few concerns about our ID security. We had too many other things to worry about.

  13. Pat Says:

    Mr. Richards should be fired for the shocking disregard of private employee personal information. To leave a laptop with this information on his desk when he is not at work is beyond irresponsible. Do folks realize that the rest of our lives we will have to have credit monitoring? And since this insurance does not monitor bank or credit card accounts, we will have to monitor them ourselves, and/or purchase special insurance that covers account theft. With social security numbers and birth dates, thieves can wipe out our bank accounts. Also, this insurance does not put a 7 year credit freeze on our accounts at the three credit agencies. If you want that you will have to file your own theft report with the police.

  14. Doctor J Says:

    Police investigation ? I thought they gave up — just referred back to the district and are depending on insurance to follow up.

  15. Hell Freezing Over Says:

    Rich #12 – wow. Incredible. Your post should have our new board member Brian Lawrence (tech executive) twitching and spitting nails.

    Your response on #1 is simply astonishing. Im still trying to pick myself up off the floor after reading the rest of your responses.

  16. Anon Says:

    Congratulations to the district and the times. By publicizing that the computer contains valuable information, you have just turned a $100 P.O.S. computer into something much more valuable and now there is a real possibility that the information will end up in the hands of evil doers. More great reporting!

  17. Theresa Harrington Says:

    g: News releases are not published verbatim in the Times. They are supposed to be sent to news organizations and then it’s up to the news outlet to decide what to do with it. But, the district has a habit of not seeming to understand how to prepare and distribute a news release. Remember back when Deb Cooksey produced a “News Release” about union negotiations, but failed to actually send it to any news organizations? She said she had left copies of it in the back of the room at a board meeting, where I didn’t see it and I don’t think any other news organizations saw it either. The district didn’t get around to posting that “news release” on its website until after the board meeting, when it was too late for anyone to respond to it. At that time, I explained to Cooksey that news releases are normally sent or faxed to news organizations. She responded: “I’m just learning.”
    The “news release” I received was emailed to me by Rolen, but I don’t know if it was sent to any other news organizations. The release itself was not dated. However, since it refers to the Dec. 18 mailings as though they will occur in the future, it appears it was written before that date, but not sent out until Dec. 21.
    The superintendent’s messages to the community are also often called “news updates.” These are normally posted on the district’s website.
    It’s unclear why the district didn’t post this “news release” on its website. That’s why I posted it, so the public could see exactly what was sent to me (and possibly to other media outlets).

  18. Theresa Harrington Says:

    Anon: That information was in the “news release” sent out by Rolen. If the district didn’t want that information to appear in the press, why did it include it in its own press release?

  19. Giorgio C. Says:

    Has the MDUSD had a district Performance Evaluation performed in recent years, such as the one WCCUSD requested, found here?

    Such evaluations tell the Superintendent and Board where any weaknesses might exist. They are a powerful tool for the quality improvement process. If this has been done, where can we find this document?

  20. Rich Says:

    Dear Anon and the Evil Doers,

    There’s also the good chance that with this knowledge, we can protect our personel credit information. So, thanks Theressa for getting out the information and publishing it and thanks MDUSD for getting personel ID protection for us. It’s not a perfect answer but we needed to know.

  21. Jim Says:

    @17 — “I explained to Cooksey that news releases are normally sent or faxed to news organizations. She responded: ‘I’m just learning.’”

    That’s the problem, isn’t it? At MDUSD, the six-figure-a-year administrators are always “just learning” about the things that most adult professionals understand within the first year or two on the job. Meetings should have agendas. Agendas should be circulated prior to meetings. Contracts should be read before being approved. Press releases should be — get this — released to the press. And now, they are “just learning” that confidential, personally identifiable employee information should not be kept in unencrypted form on unsecured “loaner” laptops that get passed around an organization and left on desks overnight.

    Again we must ask, do you really think these “learners” should be in charge of ANYONE’s education?

  22. Brian Lawrence Says:

    On Dec. 10, at my first meeting as a MDUSD Board Member, we were informed of this crime in closed session. It was not reported out to the public immediately because of the concern that detailing exactly what had been stolen would actually make the stolen item more valuable to the criminal.

    At the Jan. 14th Board meeting, our next regularly scheduled one, I’ll be requesting a full reporting on this matter during public session. I’m compiling a list of questions that I will be asking the Superintendent and General Counsel- I will share my questions with the public prior to the meeting.

    The Board’s duty is to understand exactly what happened and how we can prevent anything like this from happening again.

    I can be reached at if you have additional questions or comments.

    Thank you.

  23. Hell Freezing Over Says:

    Anon #16 – that information should have never been saved to that “$100 P.O.S. computer” as you call it, in the first place. Any fault for any outcome of the theft is squarely on the district tech dept and then the CFO, who compounded that mistake by leaving the “P.O.S. computer” unattended and not secured on his desk in plain view.

  24. Theresa Harrington Says:

    Brian, Thank you for responding.
    I understand that Trustee Linda Mayo made her own public comment before the first closed session on Friday, suggesting that she thought it was inappropriate for board members to comment on blogs. I surmise by the fact that you are still responding to questions on this blog that you disagree with her assessment.
    Since I wasn’t there to hear what she said first-hand (and the district still hasn’t posted the audio), could you please recap it for us and let us know why you apparently do believe it is appropriate for trustees to use this forum to communicate with the public?

  25. Brian Lawrence Says:


    One of the things on my list to tackle is to work to have a way to broadcast the meetings in real time on the web- I’ll be working on that one in January. Ideally it would also have a video archive that would be immediately accessible.

    I am open to having productive, respectful conversations in lots of different formats- blogs being one of them. I won’t presume to speak for Mrs. Mayo.

  26. g Says:

    Brian; Thank you for your candor. Now, just be careful and don’t step on the dog’s tail by offering your opinions of the board’s pending issues, lest you be accused of using the Blogs to try to influence other board votes.

    Believe it or not, the watchdogs don’t just want things OUR way.

    We want them the RIGHT way!

    None of us want things that need to be kept confidential by law, to be leaked out of closed session. However, if any sort of collective Action was taken — on anything really — but specifically in this case to instruct staff to expend funds, ie. Experian, you simply should have stayed in closed session until you came up with a responsible way to report that out.

    Of course you could have just instructed council to “proceed as necessary”, and then voted to “continue” the item to the next meeting.

    Then your Report Out would have been. “Discussion and finalizing of one Pending Litigation item has been continued to Jan 14, and we will report our findings on that date.”

    Now how easy was that?

    Please don’t leave room for us to have to come after this shiny new board over making decisions in closed session and not properly reporting it. Secretive discussions and approvals of Grand Jury responses come to mind.

  27. Giorgio C. Says:

    The “I’m just learning” excuse does not hold water. The very fact that you (a non-employee) are having to articulate protocol to a district employee is a BIG problem.

    When “I am just learning”, I rely on reading written procedures until I have learned them. The superintendent is responsible for making sure these procedures have been drafted and distributed to appropriate staff. If the procedures are incomplete, then DC cannot be held accountable. That is the Superintendent’s responsibility, who is assessed by the school board.

    Sample Superintendent Performance Assessment form

    Changes to procedures are also distributed with a “Change in Policy” communication. All documents are accompanied by an attestation signature sheet. This is why I previously referenced the district Performance Evaluation, because the auditor will point out deficiencies in communication and procedures. I would have asked “DC” for a copy of the News Release Procedure she is learning from. You can still do this, Theresa.

    Whenever there is a major incident, a board member should get out the org chart, job descriptions, and all relevant training documents. Sometimes, honest mistakes are made. Sometimes, cash-strapped districts are the victims of numerous mistakes because they are forced to hire the least experienced or least qualified staff. This includes teachers and administrators.

    For this reason, it is incumbent upon the Superintendent to ensure these new employees who are just learning have all necessary reference documents at their disposal. The Superintendent must create an environment that mitigates the ill-effects of the “I’m just learning” scenario.

  28. Brian Lawrence Says:


    Board President Cheryl Hansen reported out the Dec. 21 closed session with substantive detail. That will be the standard going forward.

  29. Pat Says:

    I have two friends in their eighties who retired from teaching before the 1998 date listed in the newspaper article. They received letters Saturday. And they don’t know what to do since the news release says 1998, the letter says 1998 and yet they have an activation code for the ID Protect. So how far back does this apply to retirees? And should they enroll?

  30. Pat Says:

    Further, the last word in the link that the district listed in the letter for the security service is “/protect”. That should read “/enroll”. If you linked to the former, it instructs you to purchase the product. If you go to the later it instructs you to enroll with your activation code. The customer service personnel will cancel it if you accidentally sign up to pay yourself because of going to the wrong part of the site. The representative I spoke with said it was unfortunate that the district listed the link incorrectly and that they were fielding lots of calls because of this.

  31. Doctor J Says:

    24 days since the burglary of a single laptop containing confidential information — the Concord police don’t work property crimes that hard — no arrests, no suspects, and 18,000 victims. More questions every day. Silence from the “point man” Greg Rolen — his SOP. Steven Lawrence won’t release the surveilance video — might the public not recognize the perp ? Maybe that’s what they are afraid of.

  32. Doctor J Says:

    @Brian#28 I laud the “new standard” but there haven’t been any communications about what she reported nor the contents of the Taber discussion. The district hasn’t posted the audio, it appears that the voting record on the electronic agenda wasn’t used, and so we don’t know who voted for what, so the public is once again left “in the dark”. I know you are going to propose live webcam, but in the meantime . . . for the public, its DDSS.

  33. Theresa Harrington Says:

    Dr. J: Although I have not yet had time to post the video clips, I have already reported out what Hansen said and how the board voted.
    Again, Hansen said the board discussed exactly what was written on the agenda — anticipated litigation from Wendy Lack and the five district employees whose contracts are at issue. She said the board would publicly discuss its response to Lack’s cure and correct letter Jan. 14.
    The board unanimously approved the Taber contract after a lengthy presentation by Pete Pedersen and Tim Cody. As usual, however, the PowerPoint presentation was not posted online before the meeting and it is still not posted:
    Although Pedersen promised to send it to me, I haven’t yet received it.
    If the board is truly pushing for transparency, these PowerPoints should be uploaded BEFORE the meeting begins, so the public can see them ahead of time and possibly even comment on them before the board votes. If they are not posted before the meeting, paper copies of them should be distributed during the meeting and they should be posted immediately after the meeting.
    Often, when I ask the superintendent’s secretary why these aren’t posted, she says the staff member (or other person giving the presentation, such as Jon Isom), never gave it to her. This isn’t rocket science. If the board requires staff to give Powerpoints to the superintendent’s secretary, she can ensure that they get posted. If the board doesn’t insist on this, the public may never see the Powerpoints unless they are sitting in the room when they are presented. And even then, they won’t be able to review them before or afterwards.

  34. Brian Lawrence Says:

    I think it is reasonable to give at least one business day for the voting record to be posted. The special session took place on Friday and ended after 7:30 PM. I’ll ask/request that it be posted by COB on Wednesday. ESB was not used for the meeting- we may look at another system- certainly seems to have limitations.

    Theresa- you raise a very good point and one I’ve mentioned before. At the start of each presentation, I’ll ask if it has been posted for the public. The District absolutely should be posting these before meetings. In the interim, I will post them myself whenever possible and/or necessary.

    Board President Hansen did also report out that the Board had unanimously voted to schedule the Superintendent’s evaluation for January. I don’t have the exact wording of it, but that was the gist of it. That was the result of the second closed session.

  35. Jim Says:

    @34 — Good news that the Superintendent’s evaluation is finally going to be conducted, after so many questionable years on the job. And since his current contract extension apparently wasn’t legal, perhaps the evaluation can now be completed BEFORE a final contract extension commitment is made. Imagine that! Doing things in the appropriate order for once!

    It is all happening ever so sloooowly, but the Board may finally be showing the “learners” at MDUSD how their $300 million/yr enterprise ought to be managed. There may be limits to how much this dysfunctional district can be reformed, but at least now maybe it doesn’t have to remain the laughing stock of Northern California.

  36. g Says:

    What was discussed in that second closed session? At Comment #160 under MDUSD BOARD ACCUSED OF VIOLATING BROWN ACT, Theresa says: “Closed session is going seriously overtime. I was unable to get to the first closed session, but heard that Ernie DeTrinidad and Wendy Lack spoke. DeTrinidad reportedly asked for more information about the cure and correct process and Lack read a cure and correct letter from Alicia Minyen, which I will post shortly.”

    That “seriously overtime” Closed Session was used solely for covering the Supt. evaluation; right?

  37. g Says:

    The way agenda should be handled (IMHO):
    The board would:
    Insist that if back-up documents/powerpoints are not ready to be published online with 72 hr lead standards, the Agenda will be noted, stating: “Documents will be posted no later than 24 hours before meeting time.” If docs cannot be published at least 24 hrs in advance, the agenda should state (24hrs in advance): “Documents unavailable” AND “Item continued in its entirety until the next meeting.”

    Of course there may be an ‘occasional’ exception, due to an urgent need to rush something onto an agenda, but history shows that links to many back-up docs never make it to the Agenda site, or are added later–without clarification–that makes it look like those documents were posted prior to the meeting. Too often, well after the fact we are told: “Oh, ‘that document’ is/will be posted over on the (whatever) site.” –go fish.

  38. Anon Says:

    And a Merry Christmas to All and to All a Good Night. May you enjoy the blessings of family and friends in this joyous season.

  39. Doctor J Says:

    I would like to see the Board demanding detailed wirtten staff reports supporting their recommendations — posted at least 72 hours with the agenda so the public and board members alike can consider the proposals. The problem with the powerpoints is that they have become “fluff” with just a few bullet points and little detail to support the conclusions. Of course the public is invited for comment prior to the powerpoints, and really can’t address the issues, nor critically consider the proposals. Powerpoints should never have replaced detailed staff reports. One of the problems with Monday Board meetings, is that the Board and the public lose the ability to ask questions about the proposals over the weekends when staff generally is not available to answer those questions.

  40. Doctor J Says:

    Another lie by Steven Lawrence ? He said: “The letters will have instructions for enrolling in credit monitoring that is being paid for by the district.” paid for by the district ? A teacher on Claycord is reporting that it is “free” to anyone who has a security breach. Who is telling the truth ? How much is it does it “cost” the district per person who signs up ? Does Expirian then sell your enrollment information to advertisers ?

  41. Theresa Harrington Says:

    g: Sorry my comment about the closed session going overtime was confusing. I was referring to the first closed session. I meant that I didn’t get there for the beginning of it to hear the public comments before it. I arrived at 5 p.m. for the regular meeting, but the closed session went about 25 mins late. I did not hang out for the report out of the second closed session, in which trustees discussed the superintendent’s evaluation.

  42. g Says:

    Thanks for explaining, Theresa. Next questions for the Jan 16 report:

    1) What is it costing internally – mail costs, new encryption service company, etc?

    2) How did they decide on Experian? Did they go out for bids to see which company gives the best service – for the best rates?

    Not sure about any discounts for large enrollments, but individually, Lifelock is about $12 per year less than Experian and is more highly rated.

  43. g Says:

    The recording of the 12/10 board meeting is “Partial” leaving the public in the dark.

    The recording of the 12/21 Special meeting is posted. Unfortunately, it does NOT include any of the reporting out of the closed sessions. Direct from the district site there is 49min01seconds. It jumps from going into the first Closed Session directly to the Open Session. When downloaded to get full results, there is still no reporting out of the first Closed Session. Then, the recording ends at just over 51minutes with Ms Hansen closing the Open session, and saying “We will now go into Closed Session.”

    Where can we listen to or see published transcripts of the Reporting Out of both closed sessions?

  44. Rich Says:

    Those that received the district letter need to read the entire 2 1/2 pages. There’s a lot of work to do. I was informed by a retired colleague that the FBI considers this a theft of our personal identification information. On the district letter, it advises to contact the FTC. The FTC advises each of us that is concerned to file a police report and do a variety of things for our credit protection.
    Please take the time to protect yourself.

  45. Rich Says:

    There’s more,
    Our letters were mailed from Claysburg, Pennsylvania and the district’s link for those that received letters takes you to what looks like a Power Point… that doesn’t work.

  46. Rich Says:

    So I checked out Protect My ID. Of course they’re part of Expedian and they have a program “Data Breach Resolution.” I read all the reviews I could stomach. There were no comments about Protect My ID protecting them. There were many complaints about Protect My ID charging monthly fees without permision.
    It was when I found Expedian’s “Data Breach Resolution” video that I felt complete. Here’s the link for the video:

  47. Doctor J Says:

    So which police department do you call ? Can you imagine the Concord Police getting 18,000 calls because Steven Lawrence asked them to follow the instructions in his letter ? Concord Police where the burglary occurred ? Or the Police Department where you live ?

  48. Doctor J Says:

    @G#43 I guess Brian Lawrence wasn’t aware that staff has not been instructed to record “all” of the reporting of the Open Session that would include the reports on the “closed sessions” which would require staff to remain until the completion of the meeting.

  49. g Says:

    Dr J: Are you insinuating that Dr. Steven Lawrence, the board secretary, does not know the importance of, or how to, turn a recording device on as soon as Open Session starts, or keep a recording button turned on until the gavel comes down, or how to turn it off, pop a disc, secure same?

    Maybe he also needs an “Exhibit A.” ;=)

  50. Theresa Harrington Says:

    I specifically asked Joe Estrada if he recorded the open session before the first closed session and he said he did. He also said it would be part of the audio that would be posted on the website. I recorded the first report out of closed session and will post it in the morning, along with the Taber discussion and vote (I’m back at work Thursday and Friday).

  51. Doctor J Says:

    G, no recording will sure make it hard for the Board Secretary to prepare accurate “Minutes” of the meeting, especially since only the Board and their new attorney were “present” during the first closed session. I suspect the new Board will expect the Board secretary to have full minutes of the reports of “closed session” to the public. Amazing. I wonder what they really teach Supts at “superintendent’s school” ? I have heard they have lessons on “governance” each day.

  52. Doctor J Says:

    Theresa, I would love to hear Joe’s explanations as to why he didn’t record both the “reports” of both “closed sessions”. Maybe Joe didn’t realize that Loreen got a raise in the Gang of Five deal for taking notes at the Board meetings.

  53. g Says:

    We appreciate you, Theresa, being there to keep us informed, but hundreds of thousands of taxpayers from five cities should NOT have to attend every meeting OR rely on you or your flip cam to know what the hell is going on in this district.

    They did record the open session before the first closed session, including comments from Lack and DeTrinidad and Mayo’s poorly disguised passive-aggressive ‘TRUST’ attack on Theresa, the press, Brian Lawrence’s blog and board and public use of 21st century technology to stay informed.

    The meeting of Dec. 10, they came out of closed session, did the swearing in and then “took five” to take pictures. When that break was over, we expected (rightfully) a reporting out from the closed session, but then, [click-click] the recording doesn’t come back on until in the middle of an open session presentation from Richards or someone.

    When they came back from the 12/21 first closed session, [snip-snip] the open mic restarted with Cheryl calling for public comment on the Pedersen presentation. (And why are speaker cards left out on the dais from 12/10 to 12/21. Don’t they frequently include names AND addresses, etc.–things that should NOT be left lying around? Security issues abound.)

    TWO meetings in a row, there is no report out recorded–or rather, IF it was recorded, someone PURPOSELY erased it before linking to the district site.

  54. Doctor J Says:

    G, I think Rose Mary Woods is alive and works for MDUSD !

  55. Theresa Harrington Says:

    g: I have posted my video of the Dec. 10 report out of closed session as a Dec. 27 update to that blog post. However, the only closed session report out I captured was from Nov. 5. I don’t remember if there was a Dec. 10 closed session report out and I don’t have anything in my notes about it.

    I am now uploading my YouTube videos from the Dec. 21 meeting, including the report out from closed session, at

  56. Theresa Harrington Says:

    I just spoke to Joe Estrada and he said the audio posted DOES include the public comment before the first closed session:
    I am listening to it now, and he is correct. Estrada told me he didn’t capture the report out of the closed session on Dec. 10 because he was so busy setting up the new board members on the Electronic School Board that he didn’t push the “record” button on time.
    After the Dec. 21 closed session, Estrada said he took a bathroom break (because it went longer than anticipated). When he returned, Hansen had already reported out (however, as I have noted, I recorded that report out:

  57. Theresa Harrington Says:

    After listening to Mayo’s comments, I am very surprised by what appears to be her opinion that trustees should not speak to the press or use social media because any discussions could be “out of context.” She appears to be stating that the public should rely solely on public board discussions to glean the opinions of trustees. Is that what voters expect? Does this mean that voters who elected trustees cannot speak to them one-on-one to try to determine their views about important subjects? To me, this idea appears to be a huge step backwards in terms of transparency and accountability.
    It is the same argument that Bill Gillaspie ended up resorting to when he grew exasperated trying to defend FCMAT’s lack of backup for its generalizations about “most districts” in its transportation review. Although Gillaspie was willing to answer questions at first, he eventually said he would not answer any more and declared that the report would speak for itself. The only problem with this is that the report has many holes in it. What does that tell the public? It says follow-up questions will not be answered. That is not a responsive way to run a district or any public agency.
    Even more surprising is that the context for Mayo’s comments is building trust among board members. She appears to want the trustees to agree to some sort of pact that shuts the public out. Would that build public trust?

  58. g Says:

    A bit out of context here, but on 12/21 the board took hook, line and sinker from Pedersen/Cody. We knew they would approve his Lease/Leaseback, but I would have appreciated it if even one of them acknowledged that they understand that there is really NO significant difference between integrating a 3% contingency clause, and a 2% cost of lease clause directly into a contract budget; “Oh, that 2% isn’t interest, and ‘we own’ that 3% contingency money and only pay it out if they need it,” -versus- “Golly gee, we ran into issues and had to do a 5% change order, but look on the bright side; the original budget allowed for up to 10% contingency, so we did really great.”

    No difference at all. The money gets spent!

  59. Theresa Harrington Says:

    Back to the topic of this blog post, here is a copy of the district’s letter that has been posted on the Vermont attorney general’s webiste:

  60. g Says:

    Theresa @57: As you can tell from my earlier comment, I found Mayo’s little ‘trust’ speech offensive to every sector or the public.

    Take out the “T” for Team, Ms Mayo, and what you have is Rust! Fifteen years of ‘majority du jour’ flip-flop and supplementing your living off of taxpayers will do that to you.

  61. Anon Says:

    OMG! Mayo is beyond belief. What a self serving, sanctimonious, hypocritical piece of tripe.

  62. g Says:

    I wonder why the Sample letter was even submitted to the Vermont AG, and why, while otherwise nearly identical, it provides more complete contact information than the one on the CA AG site.

  63. Rich Says:

    I beieve this copy of the letter you posted is a product of Experian’s “Data Breach Resolution.” I believe the district contracted with them to handle the problem and it was Experian that sent out the letters and probably gave them the guidelines on what to do.

  64. Theresa Harrington Says:

    Now, it looks like MDUSD is being held out as an example to districts nationwide in how to handle security breaches. It is surprising that this letter has less redacted from it than the one I received from Rolen.

  65. g Says:

    The Vermont letter also gives a different link and phone number to Enroll. So I guess they got the new, improved version.

  66. g Says:

    Let’s not give this district any credit. The sample letter required to be filed is published as a ‘fill in the blanks’ on the CA AG site.

  67. MDUSD Board Watcher Says:

    Now why would Linda Mayo care if board members posted on blogs?

    Is she trying to prevent some of her past and likely illegal (in my opinion) board decisions from getting exposed?

  68. Theresa Harrington Says:

    I wonder if CSBA has given any guidance on this. Many school board members across the state use blogs to inform their communities, including Rachael Norton in SFUSD:

    Todd Groves, who was recently elected in WCCUSD (in another election where an incumbent was ousted, in part due to lack of transparency) has also started blogging as a way to inform his community about what his district is doing:

    Perhaps Mayo, who reportedly doesn’t read blogs, doesn’t feel it’s fair for her to be left out of the conversations.

  69. MDUSD Board Watcher Says:

    TH #68,

    If Linda feels left out she could simply start reading blogs.

    Also, if it is true she doesn’t read blogs as she claims then how is she aware that any other board member might be posting to blogs?

  70. Theresa Harrington Says:

    I believe she hears through the grapevine.

    I have left a message asking to speak to her about her comments, but I don’t know whether she will call me back, since she apparently doesn’t believe trustees should speak to the press.

  71. g Says:

    CSBA started its own blog in Nov, but have let it die. I guess their Facebook guidelines would indicate CSBA training is to: not ask for or give any weight to public opinion, or the press for that matter.

    “5.CSBA has implemented a system to insure that participants on our Facebook page are education professionals”

  72. Doctor J Says:

    TH#70 has a good point — there is nothing wrong with the public sending Linda Mayo emails at her AOL address on the district website. Of course, they should be respectful, express an opinion, and request a reply. Those replies could then be posted on a blog. There is more than one way to skin a snake.

  73. Theresa Harrington Says:

    I am not trying to trick Trustee Linda Mayo into releasing information to the public. I would hope that she would do so willingly, as part of her role as an elected official, who is answerable to the public.

  74. Hell Freezing Over Says:

    It has been my experience that the emails I have sent to board members during the years from 2008 through 2012 which specifically asked for the courtesy of a reply to specific questions asked, were ignored with the exception of one email in 2010 regarding the school closures.

    I received an email reply from Gary Eberhart thanking me for my email. Of course there were no responses to the specific questions i asked, or anthing else that would indicate the reply was anything more than simply an automated email response anyone can set up on their email accounts. I suspect Gary’s and other board members were in “email jail” with over limit inboxes during that fiasco.

    Sometimes I think Linda and Lynn don’t even know HOW to use email. My 83 year old mother took classes to learn how to use her computer so she could keep up with all her adult children and her grandchildren via email and Facebook. Maybe we need to ask Linda and Lynn if they know how to use email on a computer without a grandchild helping them.

  75. g Says:

    I have on multiple occasions written to the board and supt. making it clear that they all got the same questions. Although I did not receive responses from most, I did receive at least one or two responses each time. Two people never responded–never. Whitmarsh and Mayo.

  76. Theresa Harrington Says:

    That’s surprising, since Whitmarsh often seemed to gauge public interest in topics based on the number of emails she received. But, I don’t believe she mentioned whether she answered them or not.

  77. Hell Freezing Over Says:

    Public interest is different than public dissatisfaction.

    And anyone can claim they received email showing “interest” or “agreement” if they never intend to back up those claims with any evidence. Remember the mysterious and non-existent 2010 Measure C poll?

  78. Theresa Harrington Says:

    I remember the Measure C poll well. It did exist. It just didn’t say what Whitmarsh, Eberhart and others claimed it said.

  79. Theresa Harrington Says:

    Here’s an interesting new tidbit from Bryan Richards. Apparently, the laptop that he thought on Friday was a “loaner” was actually assigned to him through a computer reorganization in the Technology Information System dept. that he didn’t realize had occurred (even though he oversees that dept.)

  80. Hell Freezing Over Says:

    TH # 79 –
    It’s like the three stooges – did he say when it was assigned to him?

  81. Hell Freezing Over Says:

    And TH, did he offer any tidbits on why all the former & current employee info was saved on that computer, and who saved it?

  82. Rich Says:

    Theresa, I’ve never known of an administrator, especially the district CFO, to be issued a used computer. Plus, the site tech very carefully loads all of the administrators’ computers for them, under the special treatment for administrators who control your job unwritten policy.

  83. Hell Freezing Over Says:

    And why would Richards think his computer “was in the shop” in the first place? Did he report issues with it to the tech dept?

  84. Theresa Harrington Says:

    Rich, Apparently you are correct. But, on Friday, Richards thought he was going to get his old laptop back. He now says that his old laptop was reassigned to someone else.

    HFO: I have added a Dec. 27 update to this blog post, clarifying the fact that Richards now says it wasn’t a loaner. He said the information came from the computer of the previous CFO, Gloria Gamblin, but he wasn’t sure who loaded it on there in the first place. He said he did not believe it was Gamblin.

    Regarding protocol for purging old files, he said there are different rules for different types of data. Some payroll files, which include social security numbers, cannot be purged. But, when I asked if the “soft copies” could be purged, as long as hard copies are kept in the payroll department, he responded: “Good question.”

  85. Rich Says:

    More colleagues are now calling the San Francisco bureau of the FBI over this. That number is 415 553 7400. This number will get you kicked over to Washington DC. They’ll take a report and then send it back to San Francisco. This was advised by the FTC. Maybe the FBI can find out what really happened. Make sure you have your letter from the district when you make the call. They’ll also want the address and the phone number for the Dent Center. Has any one out their tried to get a police report on this yet?

  86. Theresa Harrington Says:

    I may have found the missing link. I just happen to have a Contra Costa schools directory from 2005. At that time, Steve Pavlina was the director of fiscal services.

    I did a quick google of Steve Pavlina and Berkeley and found this in a Berkeley school board agenda packet: “Increase in contract to Steve Pavlina for the implementation of Measure B budget preparation and budget development. The Board approved a contract for $10,500 on May 25, 2005. The additional contract amount of $10,000 is needed for more consultant support service during 2005-2006 budget development for a total amount of $20,500. To be paid from General Fund Budget. Requested by Song Chin-Bendib.”

    So, apparently, Pavlina worked for both districts in a budgetary capacity in 2005. Whether this is a coincidence or not (or whether this is the same person) remains to be seen.

  87. Rich Says:

    Theresa, My definition of “soft files” are those that are digitally stored, not printed. If that’s correct, I believe the district was storing personel information on the district file server at the Dent Center. It should never have been stored on a laptop or any other kind of work station. Of course you wouldn’t purge the files of the file server because you would need those files later. What the tech would do would re-image the computer and load whatever the administrator would tell them they needed.
    When an administrator needed to access personel files they would access the Dent Center file server. The only way to have those files on the “stolen” computer was if those files had been copied and saved on the computer in some way. There had to be other “soft files” available. Someone had to take personel information and store it in on a disc, jump drive, CD or another computer to have a loss like this happen. Here’s a question for Bryan Richards, did the district make a file available for the insurance reps that came around to the schools every year? I remember that when I met with them, the reps had all my information pre-loaded, including address and Social Security number.

  88. Theresa Harrington Says:

    Rich, Yes, I think you’re correct that the files were part of the “re-imaging” that was loaded onto the computer.
    I have also heard from an employee that her credit card was used fraudulently. She’s wondering if thieves could have accessed it simply by knowing her name, address and social security number. This also happened to her daughter, who worked for the district briefly, as well as to another district employee, she said.

  89. g Says:

    The dates for CFO Gamblin’s employment here might work, but the districts in question do not. She was at Oakland, not Berkeley in 2003-04.

    Nothing explains a computer being allowed to go from Berkeley to here with existing Berkeley files, and then being left here. Of course, nothing explains why somebody was willing and capable of breaking in, but then took only one laptop either.

  90. Theresa Harrington Says:

    Yes, but Steve Pavlina appears to have worked in both districts. But, whether he had access to Berkeley personnel files is unclear.

  91. Doctor J Says:

    The plot thickens and the suspects increase. Richards claims he got a 7 year old computer as his “replacement” — really ?

  92. Theresa Harrington Says:

    No, Richards said it was not the old computer. The data was transferred from the previous CFO’s computer. So, the data was old, but not the computer.

  93. Rich Says:

    Theresa, the districe tries to re-image every computer that goes on MDUSD network. If someone is telling you that the re-imaging includes personel information they’re not telling you the truth. The re-image consists of the district’s own version of Windows or Apple software. It allows the user to use the district network services and safeguards. The re-image puts on tools, not data that’s stored on the district file server.

    I would hope that the district would contact the FBI about what happened and be truthful. I know from a good friend how thorough they’re experts are. The FBI will show up with their agents that are experts and find out exactly what happened.

  94. Anon Says:

    How many different stories has Richards come up with as of this date?

  95. Giorgio C. Says:

    FBI? Shouldn’t these kinds of complaints be submitted to the County DA? The DA then makes the determination as to whether or not this is the jurisdiction of the FBI. Correct?

  96. Doctor J Says:

    The most basic unanswered question is why would the CFO Byran Richards, in charge of IT and Technology Services, leave his laptop on his desk on a Friday night, knowing that it contained private confidential financial information of 18,000 people ? Secondarily, what kind of supervision and leadership does the CFO provide over IT&T to ensure that policies and proceedures are in effect, and FOLLOWED, to protect confidential financial information ? If Richards did this in a similar position for Chevron, would he find himself in the unemployment line ? Where is Byran Richards “Exhibit A” to his contract ? I think Steven Lawrence needs a spelling lesson: A C C O U N T A B I L I T Y. Why Steven did YOU not ensure that Byran had those policies in place and practice them ? What kind of management is the Supt providing ?

  97. g Says:

    Don’t worry. As I understand CPA license mobility laws, Gov Brown just recently approved legislation that will, finally, make Bryan Lawrence’s Virginia CPA license legal to practice, and call himself a CPA, in California. The law goes into effect July 1, 2013, so it’ll be just in time for his new contract.

  98. g Says:

    SORRY–Bryan Richards’ Virginia CPA—too many similar names to keep straight!

  99. Theresa Harrington Says:

    Speaking of Richards’ “new” contract (which includes a substantive change in the number of vacation days he is allowed to accrue that was never discussed or approved by the board), he said he has “no comment” on that.
    It’s still unclear whether the employees have even signed the contracts yet. As Alicia Minyen points out, the employees were supposed to first notify the district that they wanted to stay on.
    Since Whitmarsh jumped the gun on extending the contracts, the district never received any written indication from the employees that they wanted the extensions in the first place. The contracts aren’t fully executed unless they are signed by both parties. So, if Richards hasn’t yet signed his “new” contract, he’s still working under his old contract.

  100. Theresa Harrington Says:

    It appears that many public agencies have reported similar security breaches:

  101. Theresa Harrington Says:

    Pat, I asked Richards about this and he said he’d need to look at the individual information for the people involved to try to determine if they were affected. Would you or your friends be willing to talk to me “on the record” about this for a follow-up story I’m working on?
    If so, please call me at 945-4764.

  102. Theresa Harrington Says:

    Here’s more of what Richards told me yesterday regarding why the data was on his laptop:

    “It was information that was part of reports that staff had pulled from the system.
    The backups are imaged by which job title person they belong to.
    For example, when an employee upgrades computers, or whatever, the technology dept backs up their files, so those files are added to the new machine.
    They were files that came from the CFO’s previous laptop – the original laptop that I inherited when I started in this dist. When it was upgraded to the laptop that I had…they backup the files and then move them back over, so the files would have been part of what was on the laptop at that time.”

  103. Rich Says:

    So, all the time that Bryan Richards had the previous CFO’s laptop, he never checked to see what files had been pulled off the file server and stored on the laptop? When Richards got the new laptop it sounds like he didn’t check to see what files were on his new laptop, probably becaue he didn’t know that the new laptop was “his” laptop. The new laptop was left on his desk, on a Friday evening, and then a early riser burglar came by with two bricks, broke a window about 6:00 a.m. on a Saturday morning and took just that one laptop. Plus, someone then was able to determine what files were on that computer that Richards did not know about when he had the new computer and the old computer.
    I get it.

  104. Theresa Harrington Says:

    I just spoke to the PIO in Berkeley, who said that district immediately sent letters to affected employees and former employees to alert them of the breach. They still haven’t received their letters from MDUSD.
    The PIO said the Berkeley district believes the data was accidentally transferred to a computer by a temporary BUSD employee who later went to MDUSD. He said he didn’t know the employee. When I asked him if it was Steve Pavlina, he said that name didn’t ring a bell.

  105. Anon Says:

    Richards needs to resign or be placed on administrative leave. This is a disaster and he is responsible for it. Finis

  106. g Says:

    Yes, Rich. And in the thousands of times that Richards must have scrolled through files or opened folders to get to the one he wanted, the descriptive words ‘Berkeley’ ‘SSN’ ‘Private’ ‘Personal’ ‘Personnel’ simply never caught his attention to get him to question why he had such files, or legal ramifications of having such files on an un-encrypted computer.

    Of course, he has only had four years with that data. These things take time.

  107. Theresa Harrington Says:

    Since I have been unable to reach Richards by phone today, I just tried emailing him and got this response:

    “I am out until Wednesday, January 2nd. I will respond to your message when I return.
    Bryan Richards
    Mt. Diablo USD”

    I have also emailed Rolen, with a copy to the superintendent, but have not heard back.

  108. Doctor J Says:

    @th#107 I think you just got played. :-) I hope you put out public records requests before Christmas so the time is ticking.

  109. Theresa Harrington Says:

    I received a response from Rolen.

  110. Theresa Harrington Says:

    Please note that I have added a Dec. 28 update to this blog post with a link to my follow-up story. I will create a separate blog post with additional information I have received from Rolen and Richards.

  111. Theresa Harrington Says:

    Here is my new blog post, with additional information from Rolen and Richards:

Leave a Reply