UPDATE: The COO of Questar says that there is no evidence that a former employee was responsible, and doesn't know how this happened: "Questar Assessment's chief operating officer says the company doesn't know who accessed personal information of 52 elementary students in New York state or why. ... State Education Commissioner MaryEllen Elia said she was told that Questar suspected a former employee, but Questar Chief Operating Officer Brad Baumgartner later said there wasn't any evidence to support that."
Meanwhile, the personal data of 663 students in Mississippi was also breached, including their test score data. Why no NY student test scores were accessed, and even whether we can be sure that is the case, is still a mystery. Clearly, many unanswered questions remain, including the impact of the breach on NY opt-out rates, as Jeanette Deutermann and I discussed on LI Talk Radio on Monday.
Articles about the data breach were published in the NYT, Chalkbeat and elsewhere. According to NYSED, the data of ten NYC students at PS 15 Jackie Robinson school in Queens and 31 students on Long Island was illegally accessed.
FOR IMMEDIATE RELEASE: January 19, 2018
For more information contact:
Lisa Rudley, (917) 414-9190; nys.allies@gmail.com
Leonie Haimson, 917-435-9329; leoniehaimson@gmail.com
Parents and Privacy Advocates React to NY Student Data Breach
Yesterday, the New York State Education
Department announced that their testing vendor, Questar,
suffered a data breach that included student names, student identification
numbers, school names, grade levels and, in some cases, teacher names of
students who had taken computerized NYS assessments. NYSED has assured us that
no test scores, IEPs, or other highly sensitive data were breached. According
to Questar, a former employee is suspected of carrying out this breach and only
52 students were affected. Check the above
link for the schools and corresponding number of students in each whose
information was breached.
NYSED has acted swiftly, demanding that
Questar perform an independent security audit, reset passwords on all user
accounts, and submit a corrective action plan.
In addition, the NYS Education Commissioner has referred the matter to
the New York State Attorney General for possible prosecution. Yet many
questions remain, including whether computerized testing is more vulnerable to
breaches, how we can be certain that the information of more students wasn’t
affected, and whether Questar violated the terms of its contract with
NYSED. We have asked the NYS Education
Department to provide a copy of its contract with Questar in order to learn
what specific security measures were mandated in the first place.
The NYSED Chief Privacy Officer, Temitope
Akinyemi, has held two recent meetings with a Data Privacy Advisory Council,
whose members include Lisa Rudley of NYSAPE and Leonie Haimson, co-chair of the
Parent Coalition for Student Privacy, along with other privacy advocates and
district officials, to begin the long-delayed process of developing regulations
to implement the 2014 student privacy law, NYS Education Law
§ 2-d.
NYSED is also planning to hold public hearings
in April and May of this year so that parents and other stakeholders statewide
can provide input as to what privacy and security protections should be
included, and what provisions should be added to the Parents’ Bill of Privacy Rights.
Leonie Haimson, co-chair of the Parent
Coalition for Student Privacy, said, “This breach serves to remind us all that
the state and vendors should minimize the amount of personal student data
collected, and maximize the methods used to protect it.”
Jeanette Deutermann of Long Island Opt-Out and
co-founder of NYSAPE, said, “Although parents opt out of state assessments for
many reasons, protecting their children’s data is one of those reasons. This
breach makes it clear that that reason is justified.”
Eileen Graham, a Rochester parent and
education activist, commented, “Given the widespread use of technology, a
breach of this nature must not happen again.
Protecting our children’s data and privacy should be the highest
priority.”
Deborah Brooks of the Port Washington
Advocates for Public Education added, “This is not the first student data
breach and, unfortunately, it won’t be the last. Every day, schools collect and
share our children’s computer data, usually without our consent or even our
knowledge.”
Concluded Lisa Rudley, co-founder of NYSAPE,
“I hope that NYSED moves quickly to advise districts and schools on how to best
protect and secure personal student data.”
In the meantime, parents, teachers, and
district administrators and school staff may want to consult the privacy
language in the model vendor contract developed by the Massachusetts Student Privacy Alliance.
###