The Little Rock School District is continuing to seek an attorney general’s opinion on the legality of holding private school board meetings when reacting to a cyber- or ransomware attack on a district’s electronic information systems.
Little Rock Superintendent Jermall Wright sent a lengthy letter in January to the attorney general’s office asking how to appropriately balance a school board’s obligations for disclosure under state law with the risk of harm to students and employees that public discussion of a cyberattack could pose.
Eric Walker, staff attorney for the 21,000-student Little Rock district that experienced a cyberattack late last year, said this week that the matter is pending.
“We did submit a request,” Walker said. “The response was that the Superintendent was not the proper person that could make the request. The response indicated that we should ask a member of the Arkansas General Assembly to submit the request on behalf of LRSD. Sen. Clarke Tucker agreed to submit it for us. I’ve not heard back yet.”
In his letter to the state’s lawyers, Wright described in some detail what happened in the Little Rock district cyberattack and said the district “is working diligently to be better protected the next time threat actors attempt a ransomware attack.”
“In order for LRSD and other Arkansas school districts to be better prepared, legally, the LRSD requests the opinion of the Attorney General concerning the steps a school board may take to minimize the risk to employees and patrons, to deal effectively with the threat actors, and to restore normal operations as quickly as possible.”
Wright specifically asked how a board can strike an appropriate balance between the Arkansas Freedom of Information Act — that requires prior public notice of a meeting and for most meetings to be open to the public — and the threat of harm posed by public discussion on a cyberattack.
“Can a school board meet privately to discuss how best to respond to a threat actor when the alternative is to risk the disclosure by the threat actors of the personal information of school district patrons and employees?” he asked.
Wright noted that the district was advised by the data security consultants that public disclosure of information related to the attack would greatly increase the risk of the attackers releasing the personal information and hindering normal operations for the school system.
Regarding what happened in the Little Rock district, Wright wrote: “The attackers (threat actors) obtained access to files which contained information about LRSD employees and patrons, including dates of birth, social security numbers, personal addresses, medical information, and personal banking information.
“The threat actors also obtained student records, including FERPA-protected information,” he continued. “The release of this information would have put those individuals at risk of having their personal information compromised.”
Wright also said the operations of the district were jeopardized.
“The cyber attack adversely impacted LRSD’s ability to educate its students and maintain its finances because LRSD was forced to disconnect from eSchool and eFinance,” which are statewide school data-reporting systems.
“This meant that teachers could not input grades or attendance, and parents were not notified by the automatic call system when their children were absent or tardy,” he said.
Additionally, the district was delayed in ordering supplies, he said.
Wright first told all district employees and the Arkansas Democrat-Gazette on Dec. 1 that the district was a victim of a data network breach, and that the district had employed external computer forensics experts to determine the scope of the problem. The cyberattack — first detected Nov. 11 — was also reported to the FBI.
“Although the investigation is still ongoing, our forensic partners have determined that some data may have been taken from our network,” Wright said in that early December message.
The School Board in a 6-3 vote at a public meeting on Dec. 5 authorized Wright to enter into a settlement of at least $250,000 to end, as favorably as possible for the district, the cyberattack on the data networks.
The School Board had met earlier, Nov. 21, in a session for which no legally required public notice was given.
District leaders relied on state laws that exempted disclosure of security plans as a reason for the private session, although the laws did not authorize private school board meetings on the topic.
Greg Adams, president of the School Board at the time, said a majority of the board felt it was imperative to hold the meeting in private, because of the specific discussions on the district’s networks, concerns about the actions of the cyberattackers and the potential for others to attack the school system.
Adams said at the time that he was “keenly aware” that the private meeting “eroded public trust.”
“Moving forward, as we complete our investigation into what occurred in this incident and make sure our systems and networks are as secure as they can be, we will provide information to you about what happened, what we did, and what we are doing.”