To carry out their missions, schools are required to collect and hold a wide range of personally identifiable information ("PII") and protected health information ("PHI") data concerning students, parents, faculty and employees, including Social Security numbers, date and place of birth, student education records, medical information and health records, and financial information. Given this wide range of PII/PHI ("Protected Data"), schools are subject to a variety of laws that often have separate compliance and reporting requirements if this data is subject to a cyberattack or data breach. For example, schools could maintain healthcare data that is subject to the Health Insurance Portability and Accountability Act ("HIPAA"), student education records that are covered by the Family Educational Rights and Privacy Act ("FERPA"), and financial aid data that is subject to federal or state banking laws, all of which have different compliance and breach notification requirements. As a result, schools face unique complexities concerning compliance with data security laws.

In light of the vast variety of data held by educational institutions, they are a prime target for cyberattacks. For example, schools have fallen victim to "ransomware," where an unauthorized user holds the institution's data hostage until payment is made. Similarly, students and faculty have become a target for "phishing emails," where an unauthorized user uses a seemingly legitimate email to trick the reader into clicking on an attachment or link that will lead to infection of, or access to, the school's network. As unauthorized users become more sophisticated and laws place greater obligations on data collectors, such as schools, to guard the Protected Data of students, parents, faculty and staff, schools must be proactive about implementing data security procedures and incident response plans.

This alert provides an overview of the laws and regulations concerning data security under which schools may have legal obligations. There is a myriad of possible laws that may require reporting or notification. Therefore, it is important to have the assistance of a legal professional experienced in the coordination and implementation of data security procedures and incident response plans, who can also act as one of the first responders in the event of a possible unauthorized disclosure.

1. How do data security incidents occur?

Unauthorized access to Protected Data can take several forms and does not always require malicious intent:

Cyberattack. A cyberattack occurs when an unauthorized user accesses the system network and may copy, manipulate or remove data. Oftentimes, this involves a malicious intent to misuse the data, and can occur through phishing emails, ransomware or other sophisticated means.

Data Breach. An individual, usually a disgruntled employee or student, uses inside knowledge and information to penetrate information technology systems to cause harm to the institution or to take or manipulate data for personal gain or other motives. For example, as grades and transcripts are electronically stored, schools have seen an increase in data breaches where the intruder is a student or parent. Yes, parents have faced criminal charges for gaining unauthorized access to a school's information technology systems to manipulate their child's grades.

Inadvertent Disclosure. Commonly, employees may inadvertently share data with third parties. Such disclosure may be a reportable incident requiring notice to potentially affected persons. Examples of inadvertent disclosure include:
- Losing an unencrypted electronic device that has Protected Data;
- Sending an email containing Protected Data to the wrong recipient; or
- Providing medical or educational data about a student-athlete to an unauthorized user in the course of coaching or training.

Improper Disposal. An unauthorized user may access Protected Data when it is not properly disposed of. This may occur when a phone or other personal device is turned in to a provider or third party without first "wiping" data from the device, or where a faculty member stores Protected Data about students or parents on an unsecure home computer or personal device, which is later given to someone else without removing the data.
2. What are the legal requirements to consider with respect to a data security incident?
Unauthorized disclosure of Protected Data can trigger violations of, and certain obligations under, state and federal law, and possibly even international law.
FERPA. The Family Educational Rights and Privacy Act of 1974 applies to schools that receive federal funding and governs the collection and use of student Protected Data. FERPA contains certain security compliance requirements, in addition to particular requirements in the event of unauthorized disclosure. Violations of FERPA can result in, inter alia, the withholding of federal funds for the school.

HIPAA. If the school is engaged in an eligible healthcare transaction, it could be considered a covered entity under the Health Insurance Portability and Accountability Act of 1996. Unauthorized disclosure of HIPAA Protected Data requires notice to the affected student (or parent/guardian if the student is a minor) and the United States Department of Health and Human Services.

Banking Laws. For those schools that charge tuition and offer financial aid and/or are regulated under banking laws, unauthorized disclosure of Protected Data involving certain financial information may trigger a violation of, or reporting under, banking laws. These laws contain notice requirements to financial regulators, as well as to students and parents who may be impacted.

State Consumer Protection Laws. State consumer protection laws also require notification in the event of unauthorized disclosure. However, many states define differently what is considered unauthorized disclosure or a breach, and what data may be impacted to trigger reporting and notification obligations. State notification is based upon where the potentially impacted person resides. This can require a complex analysis for schools that have students who reside out of state.

International Laws. For those schools that collect the Protected Data of international students (even though they do not have an overseas campus), recent amendments to European Union regulations can require schools to maintain compliance with the EU's General Data Protection Regulation ("GDPR"). The GDPR requires that the school, as data collector, implement certain measures of protection before collecting the Protected Data of citizens residing in EU member states.
3. What can a school do today to improve data security and privacy?
- Put data protection issues at the forefront with the school's administration, and work together to make data protection a coordinated effort between administration and information technology professionals. Similarly, implement an open and routine avenue for communication of data protection concerns with employees in the event of a possible inadvertent disclosure.
- Maintain an insurance policy that would cover cyber-related losses. Select a plan based on a risk assessment.
- Work with a legal professional to determine the laws applicable to your school to ensure compliance.
- Create an incident response plan and review it with legal counsel. Enforcement of the plan and routine testing are just as important as having the plan itself.
- Have strong and properly worded contracts with outside vendors concerning the legal obligations in the case of an unauthorized disclosure of their systems.