Google Workspace in K12 Schools.
Talawanda City Schools’ misuse of private information and the cover-up that followed.
Carrying over from my previous article, titled “Using A.I. Against K12 School Officials: How to rapidly learn policy and the law in order to hold the guilty accountable,” I’m now going to dive in more specifically as to what Talawanda City Schools in Oxford, Ohio actually did, and how they sought to shift the blame for their own negligence and unprofessionalism from themselves to the parents, students and other citizens of the area.
To recap this story briefly, on December 19th, 2024, Scotty King (husband of school-board member Dawn King) alerted the school board and the public to an open vulnerability regarding the district’s use of and access to Google Workspace, specifically the district’s use of Google Calendar. Mr. King did so here at the selected time stamp:
Toward the end of this meeting, the school board and the Superintendent Ed Theroux stated that they would be looking into it.
As it turns out, IEPs and 504 forms of minors, and other district information like disciplinary hearings for employees and students, other personnel matters and private meetings, were all available through Google Calendar, and have been accessible since approximately 2018, when it was adopted by Superintendent Ed Theroux.
Shortly after the December 19th, 2024 board meeting, the district claimed that the Google Calendar settings were now closed, while also meeting with staff over the following days to make the necessary moves to close the system. The problem was, the system was not closed and could still be accessed by anyone who had a district email account, and this included students and employees themselves, including those who no longer attended the district. Then, this school district did what most school districts do across America when they get caught being negligent: they shift the blame from themselves to the public.
In later board meetings that took place in the early part of 2025, board member Pat Meade claimed that anyone not bringing this information to the board first and directly, without making mention of it to the public in an open board meeting, would have been doing the right thing, and to bring this to the public in a board meeting for the first time was the wrong thing to do.
On the contrary. The public has oversight over all elected officials and school districts, because both elected officials and school districts are not only government entities, but both are directly tied to local taxpayers. Not to mention, this was an open admission by board member Pat Meade and others that keeping this a secret would have been the best policy. Therefore, as far as the district is concerned, keeping any district negligence and potential illegality from the public is the best approach. Yet, this district has a long history of targeting students, parents and the public when it comes to their own malfeasance, so bringing such an issue, which impacts so many, to the public out of the gate was the exact thing to do.
Endless parents reached out to me personally to tell me what was going on, because they trust me over the school district itself. That, right there, should tell people how little trust the public actually has with those who work within Talawanda City Schools and those who claim to run the district.
That night (December 19th, 2024), I uploaded the instructions that were told to me by parents, as to how any employee, parent or student could access this information, and I did so in an attempt to have the parents and staff members find out for themselves, as I personally don’t have access and never have.
Apparently, it was remarkably easy, and frankly, I suggest that any school district that uses Google Workspace or Google Calendar follow the same steps below, to see if their district has a completely open system or not. If it isn’t closed, you need to bring this information to the public and the district immediately upon verification, as that school district is also not in compliance with FERPA.
I posted the following, at the direction of parents (as they wrote these steps themselves), within a local Facebook Group:
1. Open up the Talawanda email account.
2. On the right-hand side of the screen you will see the calendar, click on the button to maximize it.
3. Once it's full screen, you will see a small drop-down box on the left-hand side that says "Search for people."
4. Type in whoever's calendar you would like to see. For example, Edward Theroux (Superintendent).
5. Search away.
Once you are in a calendar, if you know what the dates of your child's last 504 or IEP meeting are, or any kind of meeting for that matter, you can look it up under the name of the teacher that was involved. This goes back YEARS folks!
If you're a staff member who has had a hearing, clearly you can see here that your information is also out there available for all to see. There are very few staff members whose calendars are unavailable and they are marked with a (*) by their names.
An unknown number of parents and students accessed this information afterwards, in an attempt to verify the information and see if the district’s Google Calendar truly was accessible with this level of ease. As it turns out, it was accessible, and all employee and student information that was available on Google Calendar was easily seen, and un-redacted. Clearly, all of this information is to be 100% confidential and is not to be accessible to anyone, in particular minors or other district employees.
Typically, in the game of “image protection,” the default setting for a school district is to pass blame onto the innocent. The only thing this school district had to do, was accept responsibility for having an open technological system, shut it down, apologize, and then never repeat the same negligence.
But, that’s not what happened.
The district board members and Superintendent Ed Theroux (excluding Dawn King) began to use words like “breach” or “hack” in an attempt to shift blame from themselves to anyone else (either on purpose, or through their own lack of knowledge regarding their own technology), as the sole responsibility to check and double-check such technological information legally lies with the Superintendent, among others. The district then notified the public that an outside cyber-security firm (Surefire Cyber), through their district insurance company’s law firm (allegedly), would be conducting an investigation. The district spent little time talking about this issue publicly in board meetings in January and February of 2025, and simply stated that a cyber-security firm was investigating and would deliver their conclusions in a few months.
Throughout this time, concerned parents (and/or citizens) reached out to board member Dawn King, expressing their frustration with this negligence from the other board members, and the district’s inability to know that their Google Workspace program was wide open to anyone with a district email address. One parent of a former student (from an Open Records Request made by me) stated the following in an email to Dawn King:
On Mon, Feb 10, 2025 at 7:21 AM (parent of a former student and citizen) wrote:
Dear Board Members,
I am writing this morning out of concern for the privacy of all Talawanda Students information. Specifically not locking down gmail calendars so that they are not shareable outside of your domain/network and not running periodic audits to see if calendars are being shared and if they are, is there a compelling reason to do so? I know for a fact this is not happening, as I went to add an appointment to my gmail calendar over the weekend and could see Kalinde Webb's appointments ON MY CALENDAR!!!
You are probably wondering why Kalendie would ever share her calendar with me, well my daughter graduated almost 7 years ago from Talawanda, I can only assume that this calendar was shared with me many years ago for (redacted) Track events.
As an IT Healthcare Exec, who is also a Privacy and Security Officer for my organization you can imagine my shock!
This is extremely concerning, as how many other former parents can still see this calendar or other Talawanda calendars? And can see the students’ names and reason for the appointments? I know this has been brought up before, and our community was assured this was being addressed. That was two months ago. This is inexcusable and needs to be addressed immediately. As a Privacy and Security Officer, I would suggest hiring someone who knows how to properly secure a domain, who knows how to run audits and set up alerts to prevent this from happening, as these are careless mistakes and easily avoidable.
I would like a response as to what will be done to correct this carelessness beyond just Kaliendie un-sharing her calendar. There need to be steps taken to protect the students’ information, and ongoing actions to audit and monitor who is sharing calendars with email addresses outside of the school's domain.
School board member Dawn King then responded and forwarded this email to the Board President Rebecca Howard. Board President Rebecca Howard never responded back to Dawn King over email regarding the parental concern.
From: King, Dawn <kingd@talawanda.org>
Sent: Monday, February 10, 2025 11:59 AM EST
To: Rebecca Howard <howardr@talawanda.org>
Subject: Request for Executive Session
Hi Becky,
After receiving the following email below I request that the board have an executive session this week to address complaints against an administrator. At a minimum we need to examine the violation of policies 8305, 7530.02, 8351 and 8320.01 by our superintendent. As board members we have personal liability for legal issues, especially if they are not addressed. I want to go on record as saying I have asked many questions about the cybersecurity investigation that is ongoing and have received almost no answers. We haven't even been told what the scope of the investigation is or what questions it is supposed to answer. This problem is obviously not even close to fixed and we are struggling internally to even understand what the problem is. I will not be held responsible for the ineptitude of our superintendent whom I didn't even hire. It is only a matter of time before this goes public as well and we don't have a board meeting until March 20th.
Thank You,
Dawn
Let’s recap, shall we?
In the email above, from a parent of a former student who graduated seven years ago from the district, this parent verifies that not only do they themselves have access (which they shouldn’t), but she verifies that the school district failed to shut down the Google Workspace Calendar and its access two whole months after their own negligence was brought to their attention by Scott King in the December 19th, 2024 school board meeting.
Whoops!
Then, in Dawn King’s own email to Board President Rebecca Howard (of which Board President Rebecca Howard failed to ever reply), Dawn King brings up her concerns with the entire situation and the policies that have been violated by Superintendent Ed Theroux, not to mention the personal liability that comes with a failure to shut down an open technological system with sensitive private information, months after it was brought to their attention.
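The kind of sharing audit the parent's email asks for can be run over each calendar's access-control list. The sketch below is an added example, not code from the district, Surefire Cyber or the original article: it assumes the rules were already exported in the shape of the Google Calendar API's ACL list `items` (a `role` plus a `scope` of type `default`, `domain`, `user` or `group`), and `district.example`, the accounts and the finding labels are constructed placeholders.

```python
# Added example: audit calendar sharing rules for exposure beyond named staff.
# Input is shaped like the "items" of a Google Calendar API ACL list response.
# HOME_DOMAIN, the accounts and the rules below are constructed sample data.

HOME_DOMAIN = "district.example"

# ACL roles that reveal event titles, descriptions and attachments.
DETAIL_ROLES = {"reader", "writer", "owner"}

SAMPLE_ACLS = {
    "teacher@district.example": [
        {"scope": {"type": "user", "value": "teacher@district.example"}, "role": "owner"},
        # Whole-domain read access: the "search for people" exposure.
        {"scope": {"type": "domain", "value": "district.example"}, "role": "reader"},
    ],
    "coach@district.example": [
        {"scope": {"type": "user", "value": "coach@district.example"}, "role": "owner"},
        # Old share with an outside address that was never revoked.
        {"scope": {"type": "user", "value": "parent@mail.example"}, "role": "reader"},
        {"scope": {"type": "user", "value": "aide@district.example"}, "role": "writer"},
    ],
    "admin@district.example": [
        {"scope": {"type": "user", "value": "admin@district.example"}, "role": "owner"},
        {"scope": {"type": "domain", "value": "district.example"}, "role": "freeBusyReader"},
    ],
}


def classify(rule, owner, home_domain=HOME_DOMAIN):
    """Return a finding for one ACL rule, or None when the rule is acceptable."""
    role = rule.get("role", "none")
    if role not in DETAIL_ROLES:
        return None  # "none" and "freeBusyReader" hide event details
    scope = rule.get("scope", {})
    stype = scope.get("type")
    value = scope.get("value", "").lower()
    if stype == "default":
        return "PUBLIC"  # anyone, signed in or not
    if stype == "domain":
        # Every account in that domain can open the calendar.
        return "DOMAIN_WIDE" if value == home_domain else "EXTERNAL_DOMAIN"
    if stype in ("user", "group"):
        if value == owner.lower():
            return None  # the owner's own entry
        if value.rpartition("@")[2] != home_domain:
            return "EXTERNAL_ACCOUNT"
    return None  # named internal colleague or group


def audit(calendars, home_domain=HOME_DOMAIN):
    """calendars maps calendar owner -> list of ACL rules; returns findings."""
    findings = []
    for owner, rules in sorted(calendars.items()):
        for rule in rules:
            finding = classify(rule, owner, home_domain)
            if finding:
                target = rule.get("scope", {}).get("value", "(anyone)")
                findings.append((owner, finding, target, rule["role"]))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_ACLS):
        print(*row, sep="  ")
```

Run on a schedule against every staff calendar, a report like this surfaces both the domain-wide default and stale shares with outside addresses, so they can be reviewed rather than discovered by a former parent.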
Another month passes, and in the March 26th, 2025 Talawanda School Board meeting, the entire school board, except for board member Dawn King, voted to release the Surefire Cyber Executive Summary Report, dated March 20th, 2025. The report also says on its front page: “Privileged and Confidential.” Therefore, the school board should have never released this, let alone voted to release it to the public.
In fact, within the first paragraph, on the first page, it states:
“The contents of this report are subject to attorney-client privilege in anticipation of future litigation.”
Therefore, the results of this so-called investigation were to never be released to the public. Not because there’s incriminating evidence against board-member Dawn King, but, because anyone who looks at this could use it against the Talawanda City School District in future litigation.
The only reason they did was to target selected students and parents, purposefully not go after other parents and students, intimidate the innocent, and attempt to frame board member Dawn King for wrong-doing that she never engaged in.
This is a huge self-inflicted error.
Not only did the report not find any “breach” or “hack,” but it stated in this 18-page document that I was a “concerned citizen.”
So much for any criminal investigation or criminal charge against a “concerned citizen.” 🤣
Not only did the district’s own initiated cyber investigation group call me a “concerned citizen,” but Surefire Cyber itself references the ease of availability of anyone in the school district to access the Google Calendar, by stating:
“…because Client's (Talawanda City Schools) Google Workspace lacked advanced logging capabilities, available logs did not provide detailed access records for Google Calendar events, and an alternative approach was required. Surefire leveraged attachments stored in Google Drive as a means of tracking access.”
They went on to state:
“Although Client did not have advanced logging enabled, the default Google Drive logs provided sufficient detail to track file access.”
This clearly shows that there can be more advanced settings that are applied with the application of this Google software, yet the district failed to take these precautions, even during their own hiring of, and investigation by, Surefire Cyber.
Whoops again!
This report also shows that limited information was sent to Surefire by the district specifically, based on the number of staff members or others who accessed the Google Calendar, and on what dates, as Surefire stated:
“Surefire obtained a list of staff members from Client and utilized Client's Google Cloud Console to integrate with the Google Calendar API.”
This was probably done by the Superintendent or other board members in an effort to conceal the identities of themselves and other staff members who accessed others’ Google Calendars, while the school board members Matt Wyatt, Pat Meade, Rebecca Howard and Chris Otto, and the Superintendent Ed Theroux, themselves, sought to single out board-member Dawn King as being the only person who checked to see if the Google Calendar was wide open. Which, as stated in the previous article (and below), is not only legal to do as a board member, it’s quite specifically their legal role and responsibility as a school-board member, even based on their own district policy:
Talawanda School District (Oxford, Ohio) Staff Technology Acceptable Use Policy:
"The Southwest Ohio Computer Association and Board (school board) has a right to all material stored on the network which are accessible to others. Section K: The Board and SWOCA reserve the right to monitor any system or network information and activity to assure compliance with applicable policies, procedures, and rules."
8320.01 - Personal Information Systems; "The Superintendent is directly responsible for the operation of the PI System, including preparing and implementing rules that provide for the operation of the information system."
8351 - Security Breach of Confidential Databases; "Unauthorized access of information will not be considered a security breach if:
A. the employee or agent acted in good faith in accessing the data;
B. the access was related to the activities of the District or the employee's or agent's job-related duties; and
C. the employee or agent did not use the personal information for an unlawful purpose or subject the information to further unauthorized disclosure."
If this wasn’t bad enough (specifically the alleged falsification of a front-loaded inquiry to an investigative group, regarding the district’s own negligence with their use of Google Workspace, at their own direction), the appendices of the Surefire Cyber report contained personally identifiable information that was left un-redacted by the district itself, specifically the IP addresses of minors/students.
In the March 26th, 2025 Talawanda school-board meeting, every board member voted to release this Surefire Cyber report with the IP addresses of minors, un-redacted, except for board-member Dawn King who voted “No” on its release to the public. Time stamp below:
Under the Family Educational Rights and Privacy Act (FERPA), a federal law in the United States, the privacy of student education records is protected. FERPA applies to educational institutions that receive federal funding and governs what constitutes "personally identifiable information" (PII) in a student's education records. FERPA defines PII in a broader sense, including information that, alone or in combination, can be linked to a specific student and would allow a reasonable person to identify the student. This includes things like names, addresses, Social Security numbers, or other identifiers.
If an IP address is collected as part of a student's education record (e.g., through a school-issued device or online learning platform) and can be directly linked to an individual student, it can potentially be considered PII under FERPA, as IP addresses are considered Personal Identifiers or PIs. Therefore, such information, in particular that being directly attached to minors, can and should be redacted in any report, let alone any report that is made available to the public.
As a result of this move, the district failed to redact any of these IP addresses of minors (students) before releasing this report to the public through open records requests.
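Redaction of this kind can be done mechanically before a log appendix leaves the building. The following is an added example, not taken from the Surefire Cyber report or the district: it replaces every IPv4 and IPv6 address in a block of text with a keyed pseudonym, so that rows from the same address still line up for a reader while the address itself is gone. The log lines, account names and key are constructed, and the addresses come from the reserved documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import re

# Candidate patterns only; ipaddress makes the final decision, so clock
# times such as 09:14:05 and version strings such as 1.2.3.4.5 are left alone.
IPV4 = r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)"
IPV6 = r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])"
CANDIDATE = re.compile(f"{IPV4}|{IPV6}")
TOKEN = re.compile(r"\[IP-[0-9a-f]{8}\]")

# Constructed sample rows in the style of an access-log appendix.
SAMPLE_APPENDIX = """\
2024-12-17 09:14:05 account-01 viewed file-A from 192.0.2.44
2024-12-17 09:20:31 account-02 viewed file-A from 198.51.100.7:52113
2024-12-18 13:02:10 account-01 viewed file-B from 192.0.2.44
2024-12-18 13:05:00 account-03 viewed file-B from 2001:db8::1f
2024-12-19 08:00:00 account-03 viewed file-C from 2001:DB8:0:0:0:0:0:1F
"""


def pseudonymize_ips(text, key):
    """Replace each valid IP address with a stable token derived from `key`.

    The key must be random and kept out of the released document; without
    it the tokens cannot be matched back to addresses by trying every IP.
    """
    def repl(match):
        raw = match.group(0)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return raw  # looked like an address but is not one
        # addr.packed normalises spelling, so 2001:db8::1f and
        # 2001:DB8:0:0:0:0:0:1F receive the same token.
        digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:8]
        return f"[IP-{digest}]"

    return CANDIDATE.sub(repl, text)


def tokens_in(text):
    """List the pseudonym tokens in order of appearance."""
    return TOKEN.findall(text)


if __name__ == "__main__":
    print(pseudonymize_ips(SAMPLE_APPENDIX, b"constructed-demo-key"))
```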
I will not include screen shots of the appendices of the Surefire Cyber report for obvious reasons.
Personally speaking, I can plug any IP address into websites like MaxMind’s GeoIP, IPinfo, DB-IP, WHOIS (available through sites like ARIN.net or DomainTools), IPLocation.net and WhatIsMyIPAddress.com. Anyone can do this, and you can find the general location of a person or device that is attached to that IP address. A person can then use Google Maps and then narrow the search by street or neighborhood, and then find the person and street address of whoever is directly attached to the IP address. This is exactly why IP addresses are supposed to be redacted and marked as private, even at the advice of the Federal Department of Education.
I, too, asked for a single copy of the Surefire Cyber report that is now in my possession, and I did so only once. It was sent to me twice by their Treasurer Shauna Tafelski through my open records request. There are 17 differing IP addresses of minors in the appendices of the report that are un-redacted, and every differing IP address is its own FERPA violation. That accounts for 34 FERPA violations in just one ORR’d email to me, alone. By my count, as of April 1st, 2025, there were at least seven other differing individuals who requested the Surefire Cyber report from Talawanda Treasurer Shauna Tafelski. If the requesting person received only one copy of the report, that would equate to approximately 171 FERPA violations, not counting any other copies that have been released to the public un-redacted.
Again, every school board member voted to release this un-redacted report to the public in the March 26th, 2025 board meeting, except for board member Dawn King. Dawn King voted “No” on its release. Perhaps now, people can figure out why.
Board member Dawn King accessed the Google Calendar with her own district-issued email to see if the reports that were made to her by concerned parents were accurate, and she did so at the advice of her lawyers (which are independent from the district’s lawyer). She did so beginning on the 14th of December, 2024, as per the appendices of the Surefire Cyber report. She then did so on the 17th of December of 2024, while only looking at approximately three documents in total, and logging in a combined nine times total, all of which a school-board member has the legal right, role and responsibility to do, to check if an allegation is true or not. This was then brought to the public’s attention during the December 19th, 2024 board meeting.
No other board member nor the Superintendent accessed the Google Workspace Calendar to check for this flaw (at least according to the appendices of the Surefire Cyber report, unless of course, someone backtracks the IP addresses that were included in the un-redacted appendices of the Surefire Cyber report, or names were intentionally left out and deleted before sending to Surefire). Therefore, and perhaps worse yet, district employees, board members and the superintendent’s own inquiries and email logins were purposefully removed beforehand and not sent to Surefire Cyber, in an attempt to frame Dawn King of non-existent wrong-doing?
If the removal of other board members’ or employees’ emails occurred, it occurred because the other board members and the Superintendent actually thought that looking at Google Calendar to check for a vulnerability would be a violation of policy, when in fact it actually wasn’t. Therefore, any removal of their own district emails (proof of them looking into this), could have happened at the hands of Superintendent Ed Theroux, as he would be the one responsible for front-loading any specified inquiry that would be sent to Surefire Cyber for a specified investigation, solely based on information that Surefire Cyber was given by the district administration directly.
Just in case the Superintendent and school-board members are unaware:
In the State of Ohio, ORC 2921.44 - Dereliction of Duty is defined as: If school board members knowingly fail to perform their duties or act outside their legal authority (e.g., by voting to censure a member based on false claims), they could be guilty of dereliction of duty, a misdemeanor of the second degree. Fabricating a claim to justify the removal could aggravate this violation.
ORC 2921.13 - Falsification is defined as: If the fraudulent claim involves making false statements in an official proceeding or document (e.g., a board resolution or record), the board members responsible could violate this statute. Falsification in a governmental context is a misdemeanor, but it can escalate to a felony if it involves defrauding the government or concealing a crime.
ORC 102.03 - Ohio Ethics Law is defined as: (Conflict of Interest and Misuse of Office): The Ohio Ethics Law prohibits public officials, including school board members, from using their positions to secure benefits for themselves or others improperly. If the illegal vote was motivated by personal gain, retaliation, or another improper purpose tied to a fraudulent claim, this could breach ORC 102.03. For example, voting to remove a member to silence dissent or favor a connected party might violate this section.
ORC 121.22 - Ohio Open Meetings Act (Sunshine Law) is defined as: School board actions, including votes, must comply with Ohio’s Sunshine Law, which requires public meetings and proper notice, and could potentially expose members to legal consequences.
Conspiring to frame a school-board member in Ohio could be considered a crime under several statutes, depending on the specifics of the act. The most relevant laws include:
Conspiracy (Ohio Revised Code § 2923.01): If two or more people plan to commit a criminal offense, such as framing someone, with intent to carry it out, they could be charged with conspiracy. This applies if the underlying act (e.g., fabricating evidence) is itself a crime.
Falsification (Ohio Revised Code § 2921.13): Knowingly making false statements or providing false evidence to mislead a public official, including framing someone, is a misdemeanor or felony, depending on the severity.
Obstructing Justice (Ohio Revised Code § 2921.32): Providing false information or fabricating evidence to hinder an investigation or prosecution could be charged as obstructing justice, a felony if it involves a serious offense.
Perjury (Ohio Revised Code § 2921.11): If the framing involves lying under oath, perjury charges could apply, which is a third-degree felony.
Tampering with Evidence (Ohio Revised Code § 2921.12): Creating or presenting false evidence to mislead an investigation is a third-degree felony.
The severity of the charges depends on the nature of the framing, the intent, and the consequences. For example, if the conspiracy involves fabricating evidence to accuse a school-board member of a serious crime, it could lead to felony charges. Penalties could include fines, imprisonment, or both.
In the March 26th, 2025 Talawanda school-board meeting, board-member Pat Meade did his best Saul Alinsky impersonation, and attempted to frame Dawn King (as did the rest of the board and Superintendent) as being irresponsible with district information, and they clearly did so in an attempt to get ahead of their own negligence in failing to close or recognize an open Google Workspace system that has been open since approximately 2018 or the later date of its implementation. In fact, the entire school-board ganged up on Dawn King, falsely believing that she was in the wrong, when it was they themselves that failed to follow their own district policy.
After all, those who scream the loudest have the most to hide.
In the next part of this series, I will show a parent’s Facebook posts and the district’s own documentation that describes how the Talawanda City School District specifically targeted her son (and other students and parents), and in doing so attempted to extort her and her son by threatening to suspend them, expel them, take away their son’s right to attend prom, or walk during graduation.
There’s a lesson here, among endless others. Unethical and unprofessional school boards and their district administrations can, and will, target students and parents in an effort to deflect from their own wrong-doing, all while hypocritically claiming: “The safety and security of students is our number one concern.”
In this case, it’s a school district itself that is to blame for their own lack of knowledge on how to use their own adopted technological systems, and their own cover-up of their actions that followed.
Again, the cover-up is always worse than the crime.
BIO: Dr. Sean M. Brooks is the host of the podcast American Education FM and the author of several books including The Unmasking of American Schools: The Sanctioned Abuse of Americas Teachers and Students. He’s also on Gab, Truth, X, Bitchute, Rumble and everywhere audio podcasts can be heard.