With the beginning of the fall semester, it is a good time for a reminder that educational institutions possess a trove of sensitive information and must take substantial steps to protect their data.  In July 2019, Hawaii P-20 Partnerships for Education announced the discovery of unauthorized access to the database of Graduation Alliance, a contractor in charge of developing “My Future Hawaii,” a college and career-planning portal for public and charter school students in Hawaii.  The announcement advised that student information such as name, birthdate, gender, race, and permanent and mailing addresses may have been exposed, and more than 70,000 student records may have been affected.  On September 6, 2019, the University of Hawaii announced that notwithstanding the unauthorized access, the completed data incident investigation did not reveal any evidence that data was stolen.

Following discovery of the data incident, the My Future Hawaii website was shut down and the University of Hawaii notified Graduation Alliance that its contract would be terminated, as Graduation Alliance failed to implement certain data protection measures that were terms of the contract.  The University of Hawaii stated that it is exploring other options to provide the same services that My Future Hawaii was intended to provide.

The University of Hawaii was wise to include data protection measures as terms within its vendor contract with Graduation Alliance.  Writing into a contract the minimum data security measures that a school wants its vendor to implement is a good way to give the school one or more remedies, including but not limited to termination of the contract, in the event that the vendor fails to follow through with implementing the promised data security measures.  It is a good practice to include terms in the vendor contract prohibiting the vendor from using student or other sensitive information for any reason beyond providing the service for which the vendor was hired and requiring the vendor to expeditiously dispose of the data in accordance with any applicable laws once the vendor’s use of the data has concluded.  The vendor’s breach response policy, as well as any additional measures particularized for the school’s needs, should be discussed during the negotiation stage, and the vendor’s responsibilities relating thereto should be included in the vendor contract.

A school can never completely eliminate the risk that a vendor will suffer a data breach.  However, by requiring vendors to implement rigorous data protection measures and incorporating those measures as terms in its vendor contracts, a school can take substantial strides to limit the risk.