Resources
Especially For
Last Update:
August 26, 2008

Curator: Nancy Moy
nancy.moy@fcps.edu

Princeton Review and FCPS Student Data

UPDATE (08/25/08)

Frequently Asked Questions Regarding Princeton Review Data Security Breach

When did FCPS learn of the compromise?
FCPS first learned in the New York Times on Tuesday August 19 that FCPS student data had been inadvertently compromised.  FCPS contacted the Princeton Review team after reading the article and were able to talk with Princeton Review personnel about the matter late on 8/19. On Wednesday evening August 20, Princeton Review returned the compromised files to FCPS. FCPS staff immediately requested a Princeton Review phone number to provide to parents for more information.  Princeton Review did not provide this phone number until Friday evening, August 22.  Notifications to FCPS parents via telephone and e-mail were sent as soon as the information was received from Princeton Review. 

Why was the message sent on Friday evening?
The notifications were sent to parents as soon as the contact information was provided to FCPS by Princeton Review, on Friday evening, August 22.

How can I make sure that FCPS has my most current contact information?
Parents or guardians can go onto their Parent View Account for FCPS 24-7 to review and/or update their contact information at any time.  Or, they can contact their local school for assistance.

How do I know if my student’s data was involved?
All FCPS students who were enrolled in grades 3-8 during the school year 2005-2006 were affected. 

What student information was compromised?
The exposed data included FCPS student ID number, student first and last name, and student date of birth.  Note that Social Security numbers or test scores were NOT included in any of the data files.

Does FCPS plan to change the student IDs of the students involved in this incident?
FCPS does not plan to change student IDs. The FCPS student ID is a unique identifier used by FCPS information systems to identify student records. It has no use or value outside of FCPS and no relation to student financial information. FCPS student IDs cannot be used to gain further information on a student. Access to further student information requires separate accounts and passwords by authorized users. These accounts were not compromised.

Did FCPS sell this student information to Princeton Review?
No.  FCPS does not sell student information to anyone.

Did FCPS terminate the contract with Princeton Review?
Yes.  FCPS no longer uses Princeton Review for SOL practice tests.

Is there any action I should take if my student’s data was involved?
Students can log on to their FCPS 24-7 Learning account at any time and change their password.  Students are asked to do this annually at the start of the school year.

How long was the information on the Princeton Review website?
According to Princeton Review, this information was on an unsecure site from June 28 to August 18.  This information has been removed.

Do you know if any of the compromised data has been misused as a result of this incident?
No, we have no knowledge of any misuse of this information.

What right did FCPS have to give this information to Princeton Review without parental consent?
The Princeton Review was acting in an official capacity for FCPS, under contract with a strict data confidentiality agreement, thus permission is not required.

A federal law known as the Family Educational Rights and Privacy Act (FERPA) authorizes school divisions to disclose education records, without prior parent consent, to contractors, consultants and other service providers. In other words, the law allows school divisions to share student information with people and companies that it has engaged to perform a specific service if the person or company needs to know that information to perform the task assigned.  In its Annual Notice of Survey, Records, Curriculum, Privacy, and Related Rights and Opt-Out Forms, FCPS provides parents and students with notice that such disclosures may occur.

Why did Princeton Review have this information?
The Princeton Review had this information in order to create testing accounts for SOL practice tests used by students in grades 3-8.

If I need to contact someone in FCPS about this, what should I do?
E-mail your question or concern to FCPSinfo@fcps.edu

UPDATE (08/23/08) Yesterday, Dr. Dale, Fairfax County Public Schools Superintendent, notified the parents of the affected students via the Keep in Touch (KIT) phone and e-mail service.  Included here are a sample email message (PDF) and the script from Dr. Dale’s voicemail message (PDF).  For more information, please contact Princeton Review at 800-955-4600.

FCPS first learned in the New York Times the morning of August 19 that FCPS student data had been inadvertently compromised.  FCPS contacted the Princeton Review team after reading the article and were able to talk with Princeton Review personnel about the matter late on 8/19.

According to Princeton Review staff, the data had been inadvertently placed on an open website by an internet service company under contract to the Princeton Review.  Princeton Review had received the information from FCPS as part of a SOL practice test program for students in grades 3-8; that contract between Princeton Review and FCPS has ended for other reasons.

On Wednesday evening Princeton Review returned the compromised files to FCPS.  There were 245 files exposed from June 28 to August 18 that included student and teacher information. Based on FCPS analysis of these files, data from the school year 2005-2006 for 75,559 students and 3,157 teachers were exposed. The exposed student data included: FCPS student ID, student first and last name, and student date of birth. The exposed teacher data included: teacher domain login ID and teacher first and last name.

Princeton Review is finalizing their investigation to determine how this happened.  Princeton Review is preparing a letter of explanation and apology to the students involved. As soon as we receive the letter, we will notify parents of affected students and affected teachers via e-mail.