A Different Kind of ‘Pay cut:’ When Student/Employee Data is Compromised

On Friday, reports surfaced that the data of thousands of NYCDOE students and employees was compromised, after a breach that also affected several companies and governmental agencies. In some cases, the information hacked included sensitive identifiers like social security numbers. We don’t know who was affected yet or even the specific date when we will.

UFT headquarters was slow to communicate with members about the issue, but finally sent out an email on Sunday night. (CSA had done so by Friday). In that email, we learned that: “The DOE is in the process of determining precisely which staff and students were affected and which confidential information was compromised in each instance. The DOE plans to notify affected staff and caregivers and offer them access to an identity-monitoring service. In the meantime, all of us should be extra vigilant and be on the lookout for any unusual online activity or communications.” We also learned that “The union will continue to closely monitor the situation to ensure the DOE and the city expeditiously take the appropriate steps to protect us and the families we serve. We are advocating that the DOE provide credit fraud protection to any UFT member whose confidential information was compromised in this breach.”

It’s indicative that the response is vague. UFT appears to be advocating for the DOE to do what it already planned to do, which is to offer access to an “identity-monitoring service,” unless they distinguish that from “credit fraud protection.” There’s also no information about how much protection UFT members might be afforded, and how much they themselves might be on the hook for if their identity is stolen and unauthorized accounts or major purchases are made. There’s also precious little information about how long this unspecified protection would be given to UFT members. When a similar situation occurred to postal workers in 2014, for instance, employees were only offered a single year of protection. If cybercriminals wait 366 days before using the compromised data of UFT members to cause financial or other harm, will we be on our own?

In the age of big data, where employer-stored data that could be used to destroy the lives of members is at a hacker’s finger tips, our union needs to be proactive. Our new would-be contract ups the amount that the Board can reimburse teachers for damaged personal property from $100 to $500. That’s an improvement, but the data breach and our union’s delayed and lackluster response exposes that the bigger risk to members’ finances may be our cyber-vulnerability.

Vague and reactive procedures aren’t enough. The UFT must ensure that no member is at risk of employer-caused identity theft and the catastrophic financial consequences that this act can engender. Period.