It should come as no surprise that educational institutions are among the top targets for hackers and traffickers in personally identifiable information. In 2017, only the financial and healthcare sectors had more data breaches. Yet despite the looming menace of increased cyber-attacks, federal regulation of student data remains woefully inadequate. The Family Educational Rights & Privacy Act (“FERPA”) was enacted back in 1974, when the Internet was still a gleam in ARPANET’s eye and Jeff Bezos was only ten years old, and it has not been amended since 2001. It certainly protects (or tries to protect) student data from unwarranted disclosure or use, but neither it nor the regulations that implement it meaningfully protect student data from theft or destruction. More importantly, FERPA fails to address, except in a few narrow situations, what obligations third-party contractors have with respect to the student data they collect and use. However, because FERPA has no preemption provision, its mandates are a floor, not a ceiling; states can step in and enact more stringent rules and regulations.
Enter the State of New York, and more specifically the New York State Education Department (“NYSED”). Last week, NYSED published proposed regulations concerning the access, use, disclosure and protection of not only student data, but teacher and principal data as well. While a full analysis of the proposed regulations is beyond the scope of a blog post, the effect that these regulations will have on third-party contractors is worth a closer look.
First, the regulations define a “third-party contractor,” in pertinent part, as “any person or entity, other than an educational agency [basically schools, school districts and NYSED], that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.” The term includes both for-profit and non-profit organizations. Any entity that is provided with student, teacher or principal data will be considered a third-party contractor and will be bound, under the provisions of its contracts with educational agencies, to maintain that data in accordance with federal and state law and the agencies’ privacy policies.
Next, the regulations mandate the creation of a “parent’s bill of rights” to be published on the educational agency’s website. This bill of rights must contain a list of all third-party contractors who receive student, teacher or principal data and must include (1) the exclusive purposes for which the student data or teacher or principal data will be used by the third-party contractor, (2) how the third-party contractor will ensure that its subcontractors and any other party with whom it shares the data will abide by all applicable data protection and security requirements, (3) the duration of the contract, including the contract’s expiration date and a description of what will happen to the student data or teacher or principal data upon expiration of the contract, (4) how the accuracy of any collected data may be challenged, and (5) where the data will be stored and how it will be protected, including the encryption technologies used.
Additionally, all third-party contractors must have a data security and privacy plan that complies with New York law and outlines how the contractor will meet all applicable privacy and data security requirements over the life of the contract. The plan must also require that all contractor personnel with access to sensitive data receive training on the laws governing the protection of that data before they are given access.
As for specific privacy and security requirements, NYSED has adopted the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (the “NIST CSF”) as the standard for data security and privacy for educational agencies, and third-party contractors are required to adopt technologies, safeguards and practices that align with this standard. Contractors must also promptly notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information, in the most expedient way possible and without unreasonable delay, but in no case more than seven calendar days after discovery of the breach. They must also cooperate with the educational agencies and law enforcement when such a breach occurs. If the breach was the fault of the third-party contractor, the contractor bears all breach notification costs.
Finally, each breach or unauthorized release of student data or teacher or principal data by a third-party contractor is punishable by a civil penalty of the greater of $5,000 or up to $10 per student, teacher and principal whose data was released, up to a maximum of $50,000. NYSED’s Chief Privacy Officer (“CPO”) may also, after a suitable investigation, order that the third-party contractor be precluded from accessing personally identifiable information from the affected educational agency for a fixed period of up to five years and require the contractor to provide additional training (at its own expense) to its employees. If the CPO determines that the contractor knowingly or recklessly allowed the breach, the CPO may also (1) preclude the contractor from accessing student data or teacher or principal data from any educational agency in the state and/or (2) order that the contractor not be deemed a responsible bidder or offeror on any contract with an educational agency that involves the sharing of student data or teacher or principal data, each for a fixed period of up to five years.
Given the ubiquity of educational data breaches, it is to be hoped that most educational technology vendors are already doing the kinds of things contemplated by these regulations. If they are not, they may have a long compliance road ahead of them before NYSED implements these regulations in about five months.