It should come as no surprise that educational institutions are among the top targets for hackers and purveyors of personally identifiable information. In 2017, only the financial and healthcare sectors had more data breaches. Yet despite the looming menace of increased cyber-attacks, federal regulation of student data remains woefully inadequate. The Family Educational Rights & Privacy Act (“FERPA”) was enacted back in 1974, when the Internet was still a gleam in ARPANET’s eye and Jeff Bezos was only ten years old, and it has not been amended since 2001. It certainly protects (or tries to protect) student data from unwarranted disclosure or use, but it and the regulations that implement it do not meaningfully protect student data from theft or destruction. More importantly, FERPA fails to address, except in a few narrow situations, what kinds of obligations third-party contractors have vis-à-vis the student data that they collect and use. However, because FERPA has no preemption provisions, its mandates are a floor, not a ceiling; this means that states can step in and enact more stringent rules and regulations.
What to Know About ED’s New Stance On Data Breach Reporting
It’s no longer optional for colleges and universities to report data breaches to the U.S. Department of Education — yet the agency has not clearly defined its expectations. Here’s what institutions should be aware of.
5 simple rules for FERPA contracting compliance
Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data privacy best practices. Colleges and universities should contemplate privacy and security issues when contracting with third-party vendors and include language in the service agreement that identifies exactly what information is being shared and protects how the information can be used in the future.
Department of Education model student privacy terms for app and online educational service agreements
The U.S. Department of Education is urging institutions to include privacy protections that reach beyond the Family Educational Rights and Privacy Act (FERPA) in contracts with app and other online educational service providers. Guidance from the Department’s Privacy Technical Assistance Center (including model contract terms and a basic employee training video) provides insight on…