The NYT reported this morning on an interesting breach situation:
The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.
[…]
Another test-preparatory company said it stumbled on the files while doing competitive research. This company provided The New York Times with the Web address of the internal files on the condition that it not be named. The Times informed the Princeton Review of the problem on Monday, and the company promptly shut off access to that portion of its site.
Strangely, there is no mention of logs or security monitoring at all in this article.
In terms of compliance, the exposed information included names, birth dates, ethnicities and learning disabilities, along with test performance. This is not generally considered personally identifiable information (multiple people may share the same value). And FERPA does not apply because the Princeton Review is not considered a school that receives funds from the Department of Education (DoE).
Nonetheless, it made the NYT because a competitor disclosed it, and I suspect there will be increased scrutiny of how regulations can protect children from identity breaches.