Skip to main contentSkip to main content
You are the owner of this article.
You have permission to edit this article.
alert top story

NY comptroller audit finds data security gaps at Union Springs schools

  • Updated
  • 0

The Union Springs Central School did not adequately protect sensitive information on mobile devices, according to an audit conducted by state Comptroller Tom DiNapoli's office. 

The audit was performed on Feb. 9-10 and the state comptroller's staff examined a sample of 20 mobile computing devices owned by the district. Fourteen of the devices had at least one form of personal, private and sensitive information. The data could include student information, health records, bank account information or personal identifying information. 

What the audit found was that while the Union Springs school board adopted cybersecurity policies, district administrators and information technology staff did not implement procedures to protect sensitive data on mobile devices. 

"It is the responsibility of district officials to determine whether (a mobile computing device) is the best medium on which to store such information," the auditors wrote. "If such a determination is made, then district officials are responsible for ensuring that adequate safeguards are established, communicated and enforced to help prevent unauthorized access to this information." 

The audit also revealed that the district did not properly restrict email access to read-only by non-district mobile devices, such as smartphones. Employees could use a personal device to access their school email online, but there were no security settings in place to prevent staff from downloading sensitive information to their devices. 

The state comptroller's office recommended Union Springs develop written procedures for protecting personal, private and sensitive information on mobile devices. Another recommendation is for the district to establish a data classification matrix to establish security levels for the data. An inventory of personal, private and sensitive information stored on mobile devices should be conducted. 

According to the audit, Union Springs did not develop a data classification matrix because "they were unaware of what one was or why it was important." There wasn't an inventory of personal, private and sensitive information to determine what was on the mobile devices. 

In a response to the audit, Union Springs Superintendent Jarett Powers shared the district's corrective action plan to adopt the comptroller's recommendations. Powers wrote that the district will "develop procedures that more explicitly outline the proper access, transmission, storage and use of (personal, private and sensitive information) within the school district." The district also plans to implement a data classification matrix, he added. 

Both actions will be completed by the end of this school year. 

"Certainly the district agrees that the ever-evolving environment regarding data security necessitates that we thoughtfully review our policies and practices and work to ensure that they are as current and relevant as possible," Powers wrote.

Politics reporter Robert Harding can be reached at (315) 282-2220 or Follow him on Twitter @robertharding.


* I understand and agree that registration on or use of this site constitutes agreement to its user agreement and privacy policy.

Online producer and politics reporter

I have been The Citizen's online producer and politics reporter since December 2009. I'm the author of the Eye on NY blog and write the weekly Eye on NY column that appears every Sunday in the print edition of The Citizen and online at

Related to this story

Most Popular

Listen now and subscribe: Apple Podcasts | Google Podcasts | Spotify | Stitcher | RSS Feed | Omny Studio

Get up-to-the-minute news sent straight to your device.


News Alerts

Breaking News