Friday, January 19, 2018

Update: Parents and Privacy Advocates React to NY Student Data Breach

UPDATE:  The COO of Questar says that there is no evidence that a former employee was responsible, and doesn't know how this happened:   "Questar Assessment's chief operating officer says the company doesn't know who accessed personal information of 52 elementary students in New York state or why....State Education Commissioner MaryEllen Elia said she was told that Questar suspected a former employee, but Questar Chief Operating Officer Brad Baumgartner later said there wasn't any evidence to support that."

Read more here:

Read more here:
Meanwhile, the personal data of 663 students in Mississippi was also breached, including their test score data.  Why no NY student test scores were accessed and even if we can be sure that is the case is still a mystery.  Clearly, many unanswered questions remain, including the impact of the breach on NY opt out rates,  as Jeanette Deutermann and I discussed on LI Talk Radio on Monday.

Articles about the data breach were published in the NYT, Chalkbeat and elsewhere.  According to NYSED, the data of ten NYC students at PS 15 Jackie Robinson school in Queens was illegally accessed and 31 students on Long Island.


For more information contact:
Lisa Rudley, (917) 414-9190;
Leonie Haimson, 917-435-9329;

Parents and Privacy Advocates React to NY Student Data Breach

Yesterday, the New York State Education Department announced that their testing vendor, Questar, suffered a data breach that included student names, student identification numbers, school names, grade levels and, in some cases, teacher names of students who had taken computerized NYS assessments. NYSED has assured us that no test scores, IEPs, or other highly sensitive data were breached. According to Questar, a former employee is suspected of carrying out this breach and only 52 students were affected.  Check the above link for the schools and corresponding number of students in each whose information was breached. 

NYSED has acted swiftly, demanding that Questar perform an independent security audit, reset passwords on all user accounts, and submit a corrective action plan.  In addition, the NYS Education Commissioner has referred the matter to the New York State Attorney General for possible prosecution. Yet many questions remain, including whether computerized testing is more vulnerable to breaches, how we can be certain that the information of more students wasn’t affected, and whether Questar violated the terms of its contract with NYSED.  We have asked the NYS Education Department to provide a copy of its contract with Questar in order to learn what specific security measures were mandated in the first place.

The NYSED Chief Privacy Officer, Temitope Akinyemi, has held two recent meetings with a Data Privacy Advisory Council, whose members include Lisa Rudley of NYSAPE and Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, along with other privacy advocates and district officials, to begin the long-delayed process of developing regulations to implement the 2014 student privacy law, NYS Education Law  § 2-d.

NYSED is also planning to hold public hearings in April and May of this year so that parents and other stakeholders statewide can provide input as to what privacy and security protections should be included, and what provisions should be added to the Parents’ Bill of Privacy Rights. 

Leonie Haimson, co-chair of the Parent Coalition for Student Privacy said, “This breach serves to remind us all that the state and vendors should minimize the amount of personal student data collected, and maximize the methods used to protect it.”

Jeanette Deutermann of Long Island Opt-Out and Co-founder of NYSAPE said, “Although parents opt out of state assessments for many reasons, protecting their children’s data is one of those reasons. This breach makes it clear that that reason is justified.”

Eileen Graham, a Rochester parent and education activist commented, "Given the widespread use of technology, a breach of this nature must not happen again.  Protecting our children's data and privacy should be the highest priority.”

Deborah Brooks of the Port Washington Advocates for Public Education added, “This is not the first student data breach and, unfortunately, it won’t be the last. Every day, schools collect and share our children’s computer data, usually without our consent or even our knowledge.”

Concluded Lisa Rudley, co-founder of NYSAPE, “I hope that NYSED moves quickly to advise districts and schools on how to best protect and secure personal student data.”

In the meantime, parents, teachers, and district administrators and school staff may want to consult the privacy language in the model vendor contract developed by the Massachusetts Student Privacy Alliance.

No comments: