Navarro County Times, Corsicana, Texas - Sensitive Records Found In Dumpster

Sensitive Records Found In Dumpster

Written by Julianne Dodge

Saturday, 19 July 2008

Protecting children from identity theft is a growing concern for many parents today. Identity theft for children can go undetected for many years, allowing criminals ample opportunity, sometimes years, to use a child’s social security number to open credit card accounts.

A recent find in a dumpster behind Jose Navarro Elementary School raises questions about how sensitive information is protected by school districts. Boxes of seemingly innocuous records were discarded by someone at the school and found in the dumpster on July 6, 2008. The dumpster was approximately half full of records that included attendance records, tardy slips, parents and doctor’s notes, textbook inventories with the school’s tax ID number and account information, and writing samples from children in third, fourth and fifth grades.

However, some of what was tossed in the dumpster was not as innocent. Over seven Texas Workman’s Compensation Claim forms filed by employees were also in the mix. These forms included the employee’s names, addresses, social security numbers and medical information.

A 29-page report, titled “Student Demographics,” listed every student enrolled on the last day of school on May 29, 2003. Over 803 students were listed, along with their social security numbers, student identification numbers, birth dates, home numbers and parent’s names.

Such information could be used by a criminal to establish fraudulent credit card accounts and false identities.

All the documents that had been discarded were from the 2002-2003 school year. According to the district’s policy “data and records shall be stored in a safe and secure manner” and some documents may be destroyed after a certain number of years have passed.

Rob Ludwig, the communications office for Corsicana schools, assured The Times that this dumping of sensitive records was an isolated incident. “That’s not how we do things,” he added.

“Our current procedures include campuses either shredding records on-site in accordance to the (district’s) policy or the documents are sent to a central location in the district where they are either stored or destroyed via shredding.”

According to Suzanne Marchman with the Texas Education Agency, student’s identities are protected by federal law – Family Educational Rights and Privacy Act or FERPA. Texas state law requires that a business destroy documents containing sensitive personal information by “shredding, erasing or otherwise modifying...to make the information unreadable.”

Attorney General Greg Abbott has issued fines against companies, such as CVS Pharmacy and Radio Shack for throwing customer’s sensitive records into dumpsters, in recent months.

Officials at Corsicana Independent School District are taking steps to ensure that this error doesn’t happen again.

“What occurred at Navarro was not within our procedures and the district is investigating how the records were placed in the dumpster. The district will also investigate potential preventive measures to ensure this doesn't occur on any campus in the future,” Ludwig said, adding his appreciation for bringing the incident to their attention.

Other tips to help protect a child’s identity include:

1. Teach your child not share personal information, including PIN numbers, social security numbers, etc.

2. Be careful about giving out the child’s Social Security number or birth certificates. Always question whether it is really necessary.

3. Leave Social Security cards at home.

4. Watch for collection notices or pre-approval credit offers in your child’s name.

5. Maintain password privacy.

6. Check the child’s credit rating occassionally. Credit bureaus are required to provide one free credit report per year. (Information from fraudguides.com)

List Of Items Found In Dumpster

1. Textbook inventory – Order forms, purchase orders

Has ISD acct numbers, prices

2. First Day Count 2002-2003

List of Students with ID#s

3. Enrollment Count First 6 weeks, 8-19-02 – 9-27-02

4. Textbook Inventory

5. Tardy Check In – First 6 weeks, 8-19-02 – 9-27-02

6. Tardy Check In (with student names) Third 6 weeks, 11-11-02 – 12-20-02

7. Third 6 Weeks – Attendance-11-11-02 – 12-20-02

Names, ID, Contact #

8. Third 6 Weeks – Enrollment Count, 11-11-02 – 12-20-02

9. Third 6 Weeks – Summary Sheet – Daily Attendance

(Parent’s Notes, Doctors Notes, Clinic and Hospital notes, with patient acct #s, medical conditions listed on some.)

10. TOP Student Rating

11. 3^rd Grade Writing Samples

12. 4^th

13. 5^th

14. First Six Weeks – Daily Attendance Sheets

15. TOP 04-05 – Castillo

16. 5^th Masters

17. Records Request – Out of District (fax covers, student names & date of birth)

18. Records Request – In District

Loose CISD At Risk Referrals – Student Names, Grades, Subjects

19. Navarro At Risk

20 – 23. 4^th Six Weeks – Attendance Sheets, Enrollment Count, Summary Sheets, Tardies

Loose – Teacher-Grade – Student Roll 8-21-02

24. 5^th Six Weeks folder – Empty

25 – 28. 6^th Six Weeks – Attendance, Enrollment County, Summary Sheets, Tardies

29-31. 5^th Six Weeks – Summary Sheets, Attendance, Enrollment Count

32-34. Second 6 weeks – Enrollment Count, Tardies, Summary Sheet

**7 Workman’s Comp Claims with Employees names, address, SS#s and medical report

**A truancy court preparation folder for a student

**Student Demographics – Alpha Listing prepared June 11, 2003, Jose Navarro Elementary School, Debbie Cottar, Principal – Students enrolled on the last day of school – May 29, 2003 (lists 803 students, their social security numbers, student ID numbers, birthdates, grade, age, home number and parent’s or contact names.)

Texas Statues - Bus. & Comm. Codes

§ 48.102. BUSINESS DUTY TO PROTECT AND SAFEGUARD

SENSITIVE PERSONAL INFORMATION. (a) A business shall implement

and maintain reasonable procedures, including taking any

appropriate corrective action, to protect and safeguard from

unlawful use or disclosure any sensitive personal information

collected or maintained by the business in the regular course of

business.

(b) A business shall destroy or arrange for the destruction

of customer records containing sensitive personal information

within the business's custody or control that are not to be retained

by the business by:

(1) shredding;

(2) erasing; or

(3) otherwise modifying the sensitive personal

information in the records to make the information unreadable or

undecipherable through any means.

as defined by 15 U.S.C. Section 6809.

Added by Acts 2005, 79th Leg., Ch. 294, § 2, eff. September 1,

2005.

Text of section effective until April 1, 2009

SUBCHAPTER C. REMEDIES AND OFFENSES

Text of section effective until April 1, 2009

§ 48.201. CIVIL PENALTY; INJUNCTION. (a) A person who

violates this chapter is liable to the state for a civil penalty of

at least $2,000 but not more than $50,000 for each violation. The

attorney general may bring suit to recover the civil penalty

imposed by this subsection.

(b) If it appears to the attorney general that a person is

engaging in, has engaged in, or is about to engage in conduct that

violates this chapter, the attorney general may bring an action in

the name of this state against the person to restrain the violation

by a temporary restraining order or a permanent or temporary

injunction.

a district court in Travis County or:

(1) in any county in which the violation occurred; or

(2) in the county in which the victim resides,

regardless of whether the alleged violator has resided, worked, or

done business in the county in which the victim resides.

(d) The plaintiff in an action under this section is not

required to give a bond. The court may also grant any other

equitable relief that the court considers appropriate to prevent

any additional harm to a victim of identity theft or a further

violation of this chapter or to satisfy any judgment entered

against the defendant, including the issuance of an order to

appoint a receiver, sequester assets, correct a public or private

record, or prevent the dissipation of a victim's assets.

(e) The attorney general is entitled to recover reasonable

expenses incurred in obtaining injunctive relief, civil penalties,

or both, under this section, including reasonable attorney's fees,

court costs, and investigatory costs. Amounts collected by the

attorney general under this section shall be deposited in the

general revenue fund and may be appropriated only for the

investigation and prosecution of other cases under this chapter.

(f) The fees associated with an action under this section

are the same as in a civil case, but the fees may be assessed only

against the defendant.

Added by Acts 2005, 79th Leg., Ch. 294, § 2, eff. September 1,

2005.

Text of section effective until April 1, 2009

§ 35.48. RETENTION AND DISPOSAL OF BUSINESS RECORDS.

(a) In this section:

(1) "Business record" means letters, words, sounds, or

numbers, or the equivalent of letters, words, sounds, or numbers,

recorded in the operation of a business by:

(A) handwriting;

(B) typewriting;

(D) photostat;

(E) photograph;

(F) magnetic impulse;

(G) mechanical or electronic recording;

(H) digitized optical image; or

(I) another form of data compilation.

(1-a) "Personal identifying information" means an

individual's first name or initial and last name in combination

with any one or more of the following items:

(A) date of birth;

(B) social security number or other

government-issued identification number;

(D) unique biometric data, including the

individual's fingerprint, voice print, and retina or iris image;

(E) unique electronic identification number,

address, or routing code;

(F) telecommunication access device, including

debit and credit card information; or

(G) financial institution account number or any

other financial information.

(2) "Reproduction" means a counterpart of an original

business record produced by:

(A) production from the same impression or the

same matrix as the original;

(B) photograph, including an enlargement or

miniature;

(D) chemical reproduction;

(E) digitized optical image; or

(F) another technique that accurately reproduces

the original.

(3) "Telecommunication access device" has the meaning

assigned by Section 32.51, Penal Code.

(b) A business record required to be kept by state law may be

destroyed at any time after the third anniversary of the date the

record was created unless a law or regulation applicable to the

business record prescribes a different retention period or

procedure for disposal.

satisfied by retention of a reproduction of the business record.

(d) When a business disposes of a business record that

contains personal identifying information of a customer of the

business, the business shall modify, by shredding, erasing, or

other means, the personal identifying information to make it

unreadable or undecipherable.

(e) A business is considered to comply with Subsection (d)

if the business contracts with a person engaged in the business of

disposing of records for the modification of personal identifying

information on behalf of the business in accordance with Subsection

(d).

(f) A business that does not dispose of a business record of

a customer in the manner required by Subsection (d) is liable for a

civil penalty of up to $500 for each record. The attorney general

may bring an action against the business to:

(1) recover the civil penalty;

(2) obtain any other remedy, including injunctive

relief; and

(3) recover costs and reasonable attorney's fees

incurred in bringing the action.

(g) A business that modifies a record as required by

Subsection (d) in good faith is not liable for a civil penalty under

Subsection (f) if the record is reconstructed, in whole or in part,

through extraordinary means.

(h) Subsection (d) does not require a business to modify a

record if:

(1) the business is required to retain the record

under other law; or

(2) the record is historically significant and:

(A) there is no potential for identity theft or

fraud while the record is in the custody of the business; or

(B) the record is transferred to a professionally

managed historical repository.

(i) Subsection (d) does not apply to:

(1) a financial institution as defined by 15 U.S.C.

Section 6809; or

(2) a covered entity as defined by Section 601.001 or

602.001, Insurance Code.

Added by Acts 1989, 71st Leg., ch. 955, § 1, eff. June 15, 1989.

Renumbered from § 35.47 by Acts 1990, 71st Leg., 6th C.S., ch.

12, § 2(2), eff. Sept. 6, 1990. Amended by Acts 1991, 72nd Leg.,

ch. 472, § 1, eff. Aug. 26, 1991; Acts 1995, 74th Leg., ch. 735,

§ 3, eff. Sept. 1, 1995.

Amended by:

Acts 2005, 79th Leg., Ch. 935, § 1, eff. September 1, 2005.

Acts 2005, 79th Leg., Ch. 935, § 2, eff. September 1, 2005.

Acts 2005, 79th Leg., Ch. 935, § 3, eff. September 1, 2005.

Text of section effective until April 1, 2009

< Prev		Next >

[ Back ]

Random Image

Main Menu

Login Form

Syndicate

News Flash

Polls