Data breach causes company to strengthen cyber-security

TUPELO, Miss. (WCBI) – A data breach involving student information in North Mississippi caused Attorney General Jim Hood to reach a new agreement with testing vendor Questar Assessment, Inc. about strengthening its cyber-security.

Between December 30, 2017 and January 1, 2018 an unknown person accessed Questar’s 2016 test records. The information accessed included student names and ID numbers for 490 students at Tupelo Middle School, 72 at Tupelo High School, and 101 at Jefferson County Junior High.

Questar notified the Mississippi Department of Education on January 19, 2018. Students and their families were notified shortly after by Questar and MDE.

Questar recently entered into an Assurance of Voluntary Compliance with the state of Mississippi to take certain steps to increase their cyber-security.

The AVC requires the following of Questar:

• Comply with the Mississippi Consumer Protection Act
• Promptly notify the MDE and law enforcement of any breach of security resulting in an unathorized release of student’s personal information
• Follow a Comprehensive Information Security Program including the following:
  • Designate a Chief Information Security Officer (CISO)
  • Conduct an annual risk assessment and implement safeguards pursuant to the assessment
  • Train employees on privacy and cyber security
  • Regularly test effectiveness and improve according
  • Select and retain service providers capable of safeguarding students’ personal information
• Revoke all terminated Questar and MED employees’ network access within two business days of said termination
• Encrypt student’s personal information or use alternative effective controls in any instance where encryption is not feasible (which shall be documented)
• Appoint a Patch Supervisor who shall be responsible for timely implementing security updates and security patch management