A school board member’s account allegedly accessed private student info. Now what?

The Talawanda School District has contacted law enforcement to evaluate options for criminal prosecution after “students and one school board member accessed calendars” and private student information without authorization, according to a March 27 communication from Superintendent Ed Theroux.

Multiple board members and Talawanda parents have accused board member Dawn King of violating ethical obligations by accessing confidential documents including Individualized Education Programs (IEPs) through Google Calendars without reporting the security concern. A cybersecurity investigation found that King’s Talawanda account was used to access calendars and files without authorization starting on Dec. 8, more than a week before her husband Scotty King raised the issue at a public board meeting Dec. 19.

Neither of the Kings responded to multiple requests for comment or an email providing a detailed list of questions.

In the aftermath of a March 26 meeting where the Board of Education voted to make the investigation public, we’re answering seven questions about the security concerns and what comes next.

What happened?

During public comment of a board meeting Dec. 19, Scotty King raised a security concern which he said came from a parent who asked him to read a statement on their behalf. The parent, King claimed, had discovered that anyone with a Talawanda account could access most staff calendars and attachments, including sensitive student information, “while assisting [their] child with exam preparation.” King himself said that he was “not involved in this issue.”

Talawanda uses Google Suite for student and staff email accounts, calendars and more. Before the December meeting, many staff members had their calendars set to public, which allowed anyone with Talawanda accounts to see their events. People could then open documents attached to specific events, including sensitive information like IEP drafts and disciplinary hearings. IEPs are written plans for students with disabilities to meet their educational needs and can include accommodations, medical details and family history.

Within minutes of King’s statement, a Facebook account under the name “John Adams” posted screenshots of calendar events and a draft student IEP document with everything except the parent’s name, Molly Farler, blurred out.

The account was owned by Sean Brooks, Farler said on March 26. Brooks is a rightwing podcaster who lost his teaching license in both Florida and Ohio for “conduct that is unbecoming the teaching profession,” according to a 2018 resolution from the Ohio State Board of Education. He acknowledged the post in a Jan. 6 episode and said the account was his in a March 28 podcast episode, stating, “By the way, I’m John Adams.”

Brooks does not have any children in the district and would not have had his own calendar access, Farler said at the March 26 meeting. 

Brooks did not respond to a request for comment.

How did the district respond?

Farler was out to dinner during the Dec. 19 meeting when her child’s IEP was posted on social media with everything except Farler’s name blurred out. She immediately heard about the incident from friends, she said, and reached out to Theroux before the board meeting had ended.

“I immediately kind of freaked out about it,” Farler said. “I didn’t know exactly what was posted, how much detail was posted, so I was upset about it to say the least. That violation, and how the hell did they get a copy of my child’s IEP?”

Farler has never had any personal interactions with Brooks but remembered him speaking out against Covid-19 vaccines at a school board meeting in 2021.

Farler received a response from the district during the meeting, saying they were looking into the situation. After the meeting ended, district staff called her directly to go over what had happened.

According to district communications, the district’s leadership team “immediately took steps to address the privacy settings in TSD’s Google Suite.” Administrators met with teachers and staff in the morning Dec. 20 to discuss the issue and “provide the training in regard to privacy settings in Google Calendar.” That same day, the district filed an insurance claim to complete a cyber investigation into what data was accessed, and by whom.

A district statement from Dec. 20 stated that the district had changed privacy settings for all calendars to the most restrictive setting and that it was a “Google Suite issue, NOT an issue created by TSD.” The district did not acknowledge in the statement why the settings were not already on restricted settings to begin with.

The Oxford Free Press reached out to IT Director Matthew Rand for more details on what specific steps were taken to secure sensitive information but received no response. According to district communications, families whose children’s information was accessed were notified.

“We’ve honestly just been in a bit of a holding pattern to get that report … and so our next steps were getting an attorney,” Farler said. “We are going to go after whoever decided to violate our children’s privacy and access their protected information, as well as share it online.”

Molly Farler’s husband, Andy Farler, is an IT professional with 30 years of experience in security. When the issue was first raised, he said he recognized it as a configuration issue, not a hack or vulnerability. He said he could see why some teachers might have opted to make calendars public to allow people to see when they are and aren’t available.

“That part of it, I quickly got over, because I understood how that could happen,” he said. “But it definitely started to move on to anger as to how or why somebody would do this.”

As the district continued its investigation, Farler said the district kept them aware of all the actions administrators were taking, including reaching out to other school districts in the county to inform them of the issue.

What did the investigation find?

At the end of the December meeting where her husband raised the issue, Dawn King said she was “kind of confused about the email, Google email data breach thing.”

“What’s going on with that?” King asked. “I don’t know. Maybe that’s something we need to look into, if people can actually access IEPs, student and employee information.”

In fact, King’s account had already been used to access five unique IEP drafts and a parent invite and created print previews of more than a dozen events on Theroux’s calendar by that time.

Surefire Cyber, a cybersecurity company, found that board member Dawn King’s Talawanda account was first used to access calendars without authorization on Dec. 8. That same day, after King’s account created print previews of several events on Theroux’s calendar, including at least one expulsion hearing, King’s own calendar access level was changed to a more restrictive level, the investigation alleges.

Due to technological constraints, Surefire could only track instances where accounts looked at calendars if the viewers created print previews or opened attachments.

On Dec. 14, King’s account was the first one used to access several draft IEPs without authorization, according to the investigation. An hour later, multiple student accounts accessed the same IEP without authorization. Her account was again used to access IEPs on Dec. 18, a day before the board meeting.

Of the two IEP drafts referenced on social media, one was viewed by seven unique users, and the other by three, the investigation found. In both cases, King’s account was the first to access the documents without authorization, a spreadsheet in the investigation report shows.

King said that she “did not share this information” during the March 26 board meeting but did not directly address whether she accessed IEPs in the first place. She said she has been the victim of a “calculated, vicious campaign to intimidate me, break me down and drive me out.” She felt that her concerns over the past year have been ignored by administrators including the superintendent and called district leadership “a damn disgrace.”

Was the access targeted?

Farler is an admin for Oxford Talk, the largest local Facebook group. She has also been a vocal supporter of Superintendent Ed Theroux, who the Kings have repeatedly called incompetent and called for his resignation.

She felt it was a coordinated decision to use her name as an example in the social media post regarding the security issue.

“I have no doubt about the intentions behind it,” Farler said. “It wasn’t random.”

In the past, Farler said she has received criticism from people who have been removed from Oxford Talk. While some people feel they’ve been politically targeted, she said the removals are really a rules issue. “The rules are very clear, and there are people on both sides of the spectrum that have been removed.” She thinks her information being shared was partially in response to her role as an admin.

The investigation shows that the only calendar which King’s account opened documents through belonged to the intervention specialist who works with Farler’s children, Farler said.

“I have never, ever had a conversation with [Dawn King] or her husband,” Farler said. “Yet she was aware of what grade my kids were in, and she went to their calendar to access it.” Though the investigation only shows that King’s account was used to access documents and can’t prove that King herself did the digging, Farler is convinced that Dawn King was involved. “She went with intent, I would say.”

The Kings did not respond to questions regarding whether they accessed IEP information for Farler’s children, or whether such access was intentional. During the March 26 meeting, Scotty King said it is “imperative that a whistleblower is to be safeguarded from attacks and retaliation rather than being penalized for the courage of coming forward.”

What does federal law say about student privacy violations?

All schools which receive funding through U.S. Department of Education programs are subject to the Federal Educational Rights and Privacy Act (FERPA).

Under FERPA, parents or eligible students must provide written consent before educational agencies disclose personally identifiable information from student education records. Schools can share certain limited information, as well as provide some access to education records for school officials and teachers whom the school deems to “have legitimate educational interests” in those records.

IEPs, which often include medical information and family history, are protected documents. Even if a parent makes information about a student public, school officials are still required to keep that information confidential, according to the Institute of Education Sciences (IES).

Districts can allow some third parties like Google to access information, but if that third party improperly discloses personally identifiable information, the school “may not allow that third party access to information for at least five years,” the IES states. The Department of Education does receive complaints regarding FERPA compliance, but the first cause of action is to bring a district into compliance, not to punish it. “If voluntary compliance is not achieved, then a school would be in jeopardy of losing federal education dollars.”

During the March 26 board meeting, Dawn King said the district had deflected responsibility for the Google security issues and accused Theroux of violating “numerous policies by not securing our student and staff’s personal information.”

Why no censure vote?

At the March 26 board meeting when the report was made public, board member Pat Meade called on Dawn King to resign, which she refused. When board president Rebecca Howard presented a resolution to censure her, though, none of the other board members seconded it.

Meade and board member Matt Wyatt both said in interviews with the Free Press on March 28 that they didn’t see the censure resolution before Howard read it out. They both opted not to second the motion to have a chance to look at it in more detail before making a decision.

“I now have a copy of it and am able to read over it and am comfortable with moving forward with censuring her at the next meeting,” Meade said.

Wyatt agreed and went a step further, saying he would support additional information being included in the resolution. He viewed Scotty King’s statement on Dec. 19 as part of a coordinated effort to make the district look bad.

Wyatt joined the board in September following former board member David Bothast’s resignation and said he had made an intentional effort to build a relationship with Dawn King, who has reached out to him more than other board members. Now, he believes that she personally accessed the student information through her account in December and lied about not knowing about it.

“It destroys all that relationship building when somebody does that,” Wyatt said. “There’s no going back with something like this. There just isn’t. I can forgive a lot of things; I just can’t forgive this.”

What comes next?

After the special session last week, the school district contacted local law enforcement to “evaluate the information in regard to it meeting the criteria of a criminal case.” The Farlers say they are also exploring every legal option to prosecute those who accessed their children’s private information without authorization.

Beyond a censure vote, school officials have little power to reprimand other board members if they believe those members have done something wrong.

According to the Ohio School Boards Association, board members may only be removed for “gross neglect of duty, gross immorality, drunkenness or other flagrant misconduct in office.” The process must be voter-initiated by filing a petition with signatures to the Court of Common Pleas. A judge can then hold a hearing to determine whether to remove the board member. This process can only be bypassed if the board member is convicted of a felony offense.