Tonight I received the following email from the Halton District School Board:

To summarize the email - Edge Imaging, a vendor tasked with managing school photographs for yearbooks during the 2022-2023 and 2023-2024 academic years, experienced a data breach. This breach occurred within the vendor's third-party service provider and not on the infrastructure of the Halton District School Board (HDSB). The HDSB Information Services Department is reportedly investigating the details of this incident.

So far this is a standard breach notification email - it clearly outlines who was impacted, what was impacted, and exactly what information was exposed.  

Here's the issue - the email's assertion that the HDSB is "in no way responsible" for the breach is absolutely false. The statement, intended or not, comes across as an attempt to absolve the school board of any responsibility in the matter. While it is true that the breach occurred within the systems of a third-party vendor, it is overly simplistic and, frankly, misleading to suggest that the school board bears no responsibility whatsoever.

As a cybersecurity specialist and concerned parent, I find the school board's stance not just disappointing but alarming. Selecting a vendor to handle sensitive student data carries with it an inherent duty of care. The school board is responsible for ensuring that its vendors adhere to stringent cybersecurity practices - this responsibility includes conducting thorough due diligence before engaging with a vendor and ongoing oversight to ensure that the vendor maintains the highest standards of data protection.

The argument that the breach occurred outside the HDSB's infrastructure misses the point. When a school board entrusts student data to a third party, it does not—and should not—relinquish its responsibility to safeguard that data. On the contrary, it assumes a critical role in the data protection ecosystem, acting as a guardian of its students' digital footprints.

The response from the HDSB to this incident does a disservice not only to the affected families but also to the broader cybersecurity community. It perpetuates a dangerous misconception that organizations can outsource their data protection responsibilities along with their data. This misunderstanding undermines efforts to build a culture of accountability in cybersecurity, where every entity in the data processing chain understands and accepts its role in protecting personal information.

By taking the stance it has, the HDSB has eroded any trust I have in their ability to safely handle my children's data and I will be making it a point going forward to attend more board meetings and start asking hard questions about the boards stance on cybersecurity.  

Communication in such situations must be handled with greater sensitivity and a recognition of the shared responsibility for data protection. The wording matters, and taking responsibility is a critical first step to ensuring the safety of the data you are entrusted to protect.

This incident serves as a stark reminder of the complexities of data protection in an interconnected digital world. While the breach itself is a cause for concern, the response to it highlights a deeper issue—the need for a more accountable and nuanced approach to data protection. As we navigate these challenges, we need to advocate for practices and attitudes that prioritize the safety and privacy of our children above all.