FOR IMMEDIATE RELEASE: January 19, 2018
For more information contact:
NYS Allies for Public Education (NYSAPE) – nysape.org
Link to Press Release
Parents and Privacy Advocates React to NY Student Data Breach
Yesterday, the New York State Education Department
announced
that their testing vendor, Questar, suffered a data breach that
included student names, student identification numbers, school names,
grade levels and, in some cases, teacher names of students who had taken
computerized NYS assessments. NYSED has assured us that no test scores,
IEPs, or other highly sensitive data were breached. According to
Questar, a former employee is suspected of carrying out this breach and
only 52 students were affected. Check the above link for the schools
and corresponding number of students in each whose information was
breached.
NYSED has acted swiftly, demanding that Questar perform an
independent security audit, reset passwords on all user accounts, and
submit a corrective action plan. In addition, the NYS Education
Commissioner has referred the matter to the New York State Attorney
General for possible prosecution. Yet many questions remain, including
whether computerized testing is more vulnerable to breaches, how we can
be certain that the information of more students wasn’t affected, and
whether Questar violated the terms of its contract with NYSED. We have
asked the NYS Education Department to provide a copy of its contract
with Questar in order to learn what specific security measures were
mandated in the first place.
The NYSED Chief Privacy Officer, Temitope Akinyemi, has held two
recent meetings with a Data Privacy Advisory Council, whose members
include Lisa Rudley of NYSAPE and Leonie Haimson, co-chair of the Parent
Coalition for Student Privacy, along with other privacy advocates and
district officials, to begin the long-delayed process of developing
regulations to implement the 2014 student privacy law,
NYS Education Law § 2-d.
NYSED is also planning to hold public hearings in April and May of
this year so that parents and other stakeholders statewide can provide
input as to what privacy and security protections should be included,
and what provisions should be added to the
Parents’ Bill of Privacy Rights.
Leonie Haimson, co-chair of the Parent Coalition for Student Privacy,
said, “This breach serves to remind us all that the state and vendors
should minimize the amount of personal student data collected, and
maximize the methods used to protect it.”
Jeanette Deutermann of Long Island Opt-Out and Co-founder of NYSAPE
said, “Although parents opt out of state assessments for many reasons,
protecting their children’s data is one of those reasons. This breach
makes it clear that that reason is justified.”
Eileen Graham, a Rochester parent and education activist commented,
"Given the widespread use of technology, a breach of this nature must
not happen again. Protecting our children's data and privacy should be
the highest priority.”
Deborah Brooks of the Port Washington Advocates for Public Education
added, “This is not the first student data breach and, unfortunately, it
won’t be the last. Every day, schools collect and share our children’s
computer data, usually without our consent or even our knowledge.”
Concluded Lisa Rudley, co-founder of NYSAPE, “I hope that NYSED moves
quickly to advise districts and schools on how to best protect and
secure personal student data.”
In the meantime, parents, teachers, and district administrators and
school staff may want to consult the privacy language in the model
vendor contract developed by the
Massachusetts Student Privacy Alliance.
NYSAPE is a grassroots coalition with over 50 parent and educator groups across the state.
###
No comments:
Post a Comment