State attorney won’t investigate administrators for sharing data breach details
Broward prosecutors have declined to launch a formal investigation into former Schools Superintendent Robert Runcie and two other former administrators’ use of closely guarded details about a district ransomware attack for a private business venture.
The district had asked the Broward State Attorney’s Office to review the moves by Runcie, former Safety Chief Brian Katz and former Chief Information Officer Phil Dunn to share potentially privileged district information.
“Prosecutors reviewed the information that was provided and determined … that there was ‘nothing actionable in regard to any criminality,” Paula McMahon, a spokeswoman for the State Attorney’s Office, told the South Florida Sun Sentinel.
“They followed up with school officials to see if any additional information was available and were told none was at this time. If that changes, they would review anything that is provided,” McMahon said. “No formal investigation was opened.”
The district does not plan to conduct its own internal investigation, spokeswoman Keyla Concepcion said.
“No additional actions are being taken,” she said.
The district requested a review after a series of Sun Sentinel investigations revealed the extraordinary efforts the district took to hide the massive ransomware attack from the public in March 2021, including potentially 50,000 victims.
However, many key details were released in a September 2021 “case study” for Safer School Solutions, a Fort Lauderdale company owned by Katz and Dunn. The company got a $1 million contract with Chiefs for Change, a nonprofit group now led by Runcie.
Runcie could not be reached for comment. A statement Monday from Safer School Solutions reiterated a statement from December maintaining the company did nothing wrong.
“Safer School Solutions remains committed to helping schools and districts become more resilient organizations to better protect their students and staff,” Monday’s statement said. “We believe that understanding history and using lessons learned can help districts avoid and better respond to disruptions so that they can focus their attention on their primary mission of educating students.”
The district learned of the attack on March 7, 2021, but refused to acknowledge for three weeks that it happened, confirming it only after hackers posted a transcript of negotiations.
On March 31, 2021, the district sent a message to employees encouraging them to stay vigilant by reviewing their account statements and credit reports for any unauthorized activity, while saying there was no evidence anyone’s personal information had been accessed.
The district determined in June 2021 that personal data was accessed but waited until November 2021 to alert 50,000 potential victims that their personal data may have been breached, three months longer than the 60 days allowed by federal law for such notifications. The district used an outside public relations firm to help dodge questions and refused to put an internal investigation in writing.
Runcie was superintendent at the time of the March 2021 attack, while Katz was the chief safety and security officer and Dunn was the chief information officer. All three left later in the year, with Runcie joining Chiefs for Change and Katz and Dunn creating Safer School Solutions.
Many never-before-released details were included the Safer School Solutions case study co-authored by Runcie, Katz and Dunn. The report detailed how the ransomware attack left 2,000 servers inoperable; how the district put a greater priority on keeping schools open than containing the breach; and how law enforcement encouraged the district to offer, but not pay, ransom to the hackers.
The report irked Board member Nora Rupert, who called for an investigation.
Related Articles
Education | Broward school district asks for external review on data breach concerns
Education | Investigation: School administrators kept ransomware details secret — then used them for private business
Education | Investigation: Broward schools took extraordinary steps to hide key details of massive data breach
“I would hope that we would keep our information to ourselves,” Rupert said at a Dec. 3 School Board meeting. “When another person that used to work here decides to write about something and that becomes a monetary issue, I have to say, not cool. It does not look good or pass the smell test.”
Reached Monday, Rupert said she believes the former employees should have been held accountable.
“The holding back of information of this breach from employees and the public was absolutely astounding to me, and I disagree with it being deemed ‘non-actionable,'” she said.
In a statement in December, Safer School Solutions said the case study document “was created for and shared with school district leaders to help them develop strategies to hopefully avoid, but if not, better respond to such incidents and tragedies in the future. The document was not published or shared with the general public until the Sun Sentinel did so.”
The report contained no “material information” that had not already been released, the December statement said, adding that the authors waited six months after the attack to write about it.
“Information that could not be shared while the District was actively working with law enforcement in an open investigation may be able to be shared once those investigations are no longer active,” the December statement said.
Runcie was not paid, according to officials from the company and Chiefs for Change, the education nonprofit that Runcie is overseeing.
Runcie had the title of “chief in residence” with Chiefs for Change at the time the case study was prepared. He was named interim leader of the organization in April 2021 and permanent CEO earlier this month.
