Parents and Privacy Advocates React to NY Student Data Breach

FOR IMMEDIATE RELEASE: January 19, 2018
For more information contact:
Lisa Rudley, (917) 414-9190; nys.allies@gmail.com
Leonie Haimson, (917) 435-9329;  leoniehaimson@gmail.com
NYS Allies for Public Education (NYSAPE) – nysape.org
 
                      Parents and Privacy Advocates React to NY Student Data Breach
 
Yesterday, the New York State Education Department announced that their testing vendor, Questar, suffered a data breach that included student names, student identification numbers, school names, grade levels and, in some cases, teacher names of students who had taken computerized NYS assessments. NYSED has assured us that no test scores, IEPs, or other highly sensitive data were breached. According to Questar, a former employee is suspected of carrying out this breach and only 52 students were affected.  Check the above link for the schools and corresponding number of students in each whose information was breached.  
 
NYSED has acted swiftly, demanding that Questar perform an independent security audit, reset passwords on all user accounts, and submit a corrective action plan.  In addition, the NYS Education Commissioner has referred the matter to the New York State Attorney General for possible prosecution. Yet many questions remain, including whether computerized testing is more vulnerable to breaches, how we can be certain that the information of more students wasn’t affected, and whether Questar violated the terms of its contract with NYSED.  We have asked the NYS Education Department to provide a copy of its contract with Questar in order to learn what specific security measures were mandated in the first place.
 
The NYSED Chief Privacy Officer, Temitope Akinyemi, has held two recent meetings with a Data Privacy Advisory Council, whose members include Lisa Rudley of NYSAPE and Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, along with other privacy advocates and district officials, to begin the long-delayed process of developing regulations to implement the 2014 student privacy law, NYS Education Law  § 2-d.
 
NYSED is also planning to hold public hearings in April and May of this year so that parents and other stakeholders statewide can provide input as to what privacy and security protections should be included, and what provisions should be added to the Parents’ Bill of Privacy Rights.  
 
Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, said, “This breach serves to remind us all that the state and vendors should minimize the amount of personal student data collected, and maximize the methods used to protect it.”
 
Jeanette Deutermann of Long Island Opt-Out and Co-founder of NYSAPE said, “Although parents opt out of state assessments for many reasons, protecting their children’s data is one of those reasons. This breach makes it clear that that reason is justified.”
 
Eileen Graham, a Rochester parent and education activist commented, “Given the widespread use of technology, a breach of this nature must not happen again.  Protecting our children’s data and privacy should be the highest priority.”
 
Deborah Brooks of the Port Washington Advocates for Public Education added, “This is not the first student data breach and, unfortunately, it won’t be the last. Every day, schools collect and share our children’s computer data, usually without our consent or even our knowledge.”
 
Concluded Lisa Rudley, co-founder of NYSAPE, “I hope that NYSED moves quickly to advise districts and schools on how to best protect and secure personal student data.”
 
In the meantime, parents, teachers, and district administrators and school staff may want to consult the privacy language in the model vendor contract developed by the Massachusetts Student Privacy Alliance.
 
NYSAPE is a grassroots coalition with over 50 parent and educator groups across the state.

Scroll to Top