AG Hood Requires Education Assessment Company to Strengthen Cybersecurity Measures after Data Breach

March 8, 2019

Attorney General Jim Hood announced today that he reached an agreement with Questar Assessment, Inc., a testing vendor, to strengthen their cybersecurity measures following an investigation into a data breach involving student information in North Mississippi.

Questar Assessment, Inc. recently entered into an Assurance of Voluntary Compliance (AVC) with the State of Mississippi in which the company agreed to take certain steps to increase their cybersecurity. Between December 30, 2017, and January 1, 2018, an unknown person accessed Questar’s records from 2016 tests, which included student names and ID numbers, for 490 students at Tupelo Middle School, 72 at Tupelo High School, and 101 at Jefferson County Junior High. Questar notified the Mississippi Department of Education (MDE) on January 19, 2018, and MDE and Questar worked together to notify students and their families.

“While we don’t know why the hacker accessed the information, fortunately, so far, we do not have evidence that the student information was taken and used maliciously. Questar has voluntarily cooperated with us to address our concerns regarding the company’s cybersecurity,” General Hood said. “It’s important that state agencies contract with companies who prioritize safe handling of student data and personal information.”

The AVC requires the following of Questar:

  • Comply with the Mississippi Consumer Protection Act
  • Promptly notify the MDE and law enforcement of any breach of security resulting in an unauthorized release of students’ personal information
  • Coordinate with MDE to notify students and parents of any breach
  • Follow a Comprehensive Information Security Program including the following:
    • Designate a Chief Information Security Officer (“CISO”)
    • Conduct an annual risk assessment and implement safeguards pursuant to the assessment
    • Train employees on privacy and cybersecurity
    • Regularly test effectiveness and improve accordingly
    • Select and retain service providers capable of safeguarding students’ personal information
  • Revoke all terminated Questar and MDE employees’ network access within two business days of said termination
  • Encrypt students’ personal information or use alternative effective controls in any instance where encryption is not feasible (which shall be documented)
  • Appoint a Patch Supervisor who shall be responsible for timely implementing security updates and security patch management