Pearson, plc, which does business as Pearson Clinical Assessments, and NCS Pearson, Inc., are named in a proposed class action lawsuit that claims the companies failed to secure students’ data from a security breach.
According to the case, the defendants’ AIMSweb online student progress monitoring system was hacked in November 2018, compromising the accounts of over 13,000 schools. The breach allegedly exposed to unauthorized parties the names, dates of birth, email addresses and other personally identifiable information (PII) of thousands of students. Pearson was notified of the hack by the FBI in March 2019, yet failed to take adequate steps to rectify the damage caused by the breach, according to the case.
Despite Pearson’s claim that “[p]rotecting our customer’s [sic] information is of critical importance to us,” the lawsuit argues that the defendants neglected to offer credit monitoring to those affected by the breach until four months after being made aware of the incident. Furthermore, the complaint states that in spite of the defendants’ stated concern, Pearson never directly informed affected parties of the breach. From the case:
“What’s more, Pearson did not bother to notify students or parents directly, but rather left that sordid task to the various schools and school districts, again, belying their ‘critical’ concern that the overall risks inherent with the additional passage of time.”
According to the complaint, Pearson “systemically failed to provide adequate security” for PII on AIMSweb by neglecting to implement industry standard cybersecurity protocols. The case contends that students have been put at an “imminent, immediate, and continuing risk of harm” as a result of Pearson’s negligence and requests the defendants take additional steps to secure personal information in the future. In particular, the suit demands that Pearson ensure that “the storage of data or documents containing personal and financial information is not accessible online, and that access to such data is password-protected.”
The lawsuit seeks an injunction requiring the defendants to send individualized notices of the breach to those affected and pay for three years’ worth of credit monitoring for proposed class members.