Last week, The Wall Street Journal reported that Pearson, maker of educational programs such as aimswebPlus, suffered a data breach revealing information concerning students from more than 13,000 schools and universities. The report details that Pearson learned of the breach in March 2019 and that student names, dates of birth and email addresses were revealed, but assessment information and grades were not disclosed. The impacted system did not include Social Security numbers or financial information. Pearson is offering impacted customers free credit monitoring, as a precaution.
Connecticut law requires boards of education to enter into contracts with contractors, such as Pearson, that operate Internet-based programs and maintain or have access to student data. These contracts must include ten specific provisions, one of which must detail the steps the contractor will take in the event of a data breach. Connecticut law additionally requires contractors to notify boards of education of a data breach within thirty or sixty days, depending on the information disclosed, and requires boards of education to notify impacted students and parents within two business days of receiving notice of a data breach from a contractor. Many school district contracts, however, include shorter notification requirements for contractors, which allows schools to notify students and families in a timely manner.
More information concerning student data privacy requirements in Connecticut can be found through the Commission for Educational Technology.