Illinois, like most states, has a law that addresses school districts’ responsibilities for addressing bullying in schools. With the growing presence of cyber-bullying, as of January 1, 2015, Illinois modified section 27-23.7 of the School Code, Bullying Prevention, to include specific references to cyber-bullying. While schools are adopting cyber-bullying policies and are required to have a procedure to investigate such incidents, are students’ passwords on social media websites fair game? There appears to be tension between the Bullying Prevention statute and certain exceptions in the Illinois Right to Privacy in the School Setting Act (School Privacy Act), which permits secondary schools to request social media passwords if there is a potential violation of a school policy. Thus, school districts’ compliance with the new amendments to the Illinois School Code may be more complicated than previously thought.


When the Illinois governor in August 2014 announced the passage of the amendment to the School Code section 27-23.7 (105 ILCS 5/27-23.7), which includes references to cyber-bullying, it was touted as passed “to help ensure that Illinois students aren’t bullied through electronic means whether they are at school or home.” Legislators asserted that this “law gives educators more tools to discipline and prevent out-of-school cyber-bullying when it hurts others’ ability to learn at school.”

This amendment requires schools to address cyber-bullying when it “causes a substantial disruption to the educational process or orderly operation of a school.” School districts had been required since 2012 to have a policy or procedure that includes “a process to investigate whether a reported act of bullying is within the permissible scope of the district's or school's jurisdiction.” School districts’ policy for investigating incidents of bullying per the Illinois School Code must include “taking into consideration additional relevant information received during the course of the investigation and the reported incident of bullying” and complying with “federal and state laws and rules governing student privacy rights.” The amendment to the Illinois School Code makes it clear that schools can take action against students for cyber-bulling if comments on a social media website impact a student’s right to an education.

Anti-bullying Policies

The concern being debated is not whether Illinois schools have an interest in protecting their students from online harassment but whether they can do so without violating other student rights, in particular the School Privacy Act. The School Privacy Act, which went into effect in January 2014, prohibits schools from requiring students or their guardians “to provide a password … to gain access to the student’s account on a social networking website …” 105 ILCS 75. While the School Privacy Act makes it clear that a school district has a right to monitor usage of its own electronic equipment and school email accounts without requiring a student to provide a password, the School Privacy Act also clearly notes that it is not applicable “when a post-secondary school has a reasonable cause to believe that a student’s account on a social networking website contains evidence that the student has violated a school disciplinary rule or policy.” Thus, it appears that school districts are permitted to amend their anti-bullying policy to allow for the request of a student’s social media password if there is an incident of cyber-bullying that the school district is investigating.

In general, there have been limited challenges in the court system to the Illinois School Code with respect to anti-bullying policies. Most recently, inMalinksi v. Grayslake Cmty. High Sch. Dist. 127, 2014 IL App (2d) 130685 (Ill. App. Ct. 2d Dist. 2014), the court recognized the flexibility individual schools have in responding to bullying. The court noted that an anti-bullying policy “may afford a school district with the  discretion to determine whether bullying has occurred, what consequences will result, and any appropriate remedial actions.”

As noted in Malinksi and in the earlier decision of Hascall v. Williams, 2013 IL App (4th) 121131 (Ill. App. Ct. 4th Dist. 2013), “an anti-bullying policy is not required to mandate a particular response to a specific set of circumstances.” School officials are provided with discretion in addressing incidents in school by balancing competing interests: “the confidentiality of his information source, the appropriate level of punishment, the concerns of all the children's parents, the  impact of his decision on the student body generally – and make a judgment as to what balance to strike among them.” What the Malinksi and Hascall decisions recognize is that school districts have flexibility when addressing bullying, which likely also applies to dealing with cyber-bullying. As noted above, Illinois school districts are required to have in their anti-bullying policy an investigation procedure that requires the gathering of as much relevant information as possible with respect to the bullying incident, balanced with compliance with student privacy rights. While some school districts may wish to investigate issues of cyber-bullying by requesting a student’s social media password, schools are not required to do so.

Courts in other states recognize that a school administrator has a right to review and consider information on social media sites if such bullying behavior impacts a student’s right to education. See Fennell v. Marion Indep. Sch. Dist., 2014 U.S. Dist. Lexis 120033, 52 (W.D. Tex. Aug. 28, 2014) (Texas court notes that a school could consider posting on Facebook and Twitter in addressing a student’s concerns about bullying);Lindsey v. Matayoshi, 950 F. Supp. 2d 1159 (D. Haw. 2013) (Hawaii court upheld the suspension and later expulsion of a student based on, among other things, incidents of bullying in person and online). Even if asking for such password is permissible pursuant to a school district’s policy, parents may still object to a school’s right to access such information. The School Privacy Act makes no mention of a procedure regarding a dispute over a school district’s application of its right to such passwords, though it notes that if there is a violation of the School Privacy Act, the school district or its agent can be found “guilty of a petty offense.”  105 ILCS 75  Thus, with the breadth of options in investigating cyber-bullying, including requesting a student’s password, school districts may want to proceed carefully even if certain actions are permitted by the School Privacy Act.

Practice Point

School officials are custodians of students, and states have adopted rules and regulations that give school officials even more power to protect students from bullying. A growing number of states have added specific cyber-bullying language to their anti-bullying laws, codifying the notion that school officials have the discretion to act to protect students from bullying based on incidents outside of school. While cyber-bullying continues to remain an issue, school officials when confronting such incidents should try to maintain a balance between gathering as much information as they can and protecting a student’s right to privacy. Courts in Illinois and other states have recognized that there is some nuance in investigating bullying incidents. The Illinois law is very broad as to what is needed in a school district’s policies with respect to steps for an investigation of bullying. This breadth gives the school districts options in their investigation and courts have not yet found that an investigation is invalidated for not being thorough if a school district does not request a student’s social media password. Requesting a student’s password for a social media site may be permissible, but not always necessary for a school district to protect students against cyber-bullying.