Student Data Privacy and Security: Ramifications and Obligations after a Cyberattack
Image credit: University of North Dakota


Recent Student Data Breaches

A recent cyberattack against the second largest school district in the nation, the Los Angeles Unified School District (LAUSD), resulted in the compromise of over 400,000 students' and administrators' private data. The incident forced a shutdown of schools during the first week of September. Among the possibly compromised data were student information systems (SIS), which contain some of the most sensitive information about children and families that school districts typically possess. SIS data can include detailed, personally sensitive information such as assessments, grades, class schedules, disciplinary records and reports about disabilities, as well as socioeconomic and immigration statuses.

The attack was launched by a ransomware injection, which temporarily disabled systems of record, gave the attackers access to them and allowed the attackers to lock everyone else out. To LAUSD's credit, their team identified the breach extremely quickly, averting further disruption to far more critical operational systems such as school bus fleet management platforms. Unfortunately, school districts have increasingly become targets of threat actors because already cash-strapped districts allocate limited resources to cybersecurity.

In May of this year, Chicago Public Schools (CPS), the nation's third largest school district, also suffered a data breach compromising the private data of more than 500,000 students and staff. Not long before that, a data breach of the New York City Department of Education (NYDOE), the nation's largest school district, resulted in the possible compromise or unauthorized access of private data of more than two million current and former students across New York State. Threat actors gained access to sensitive information such as students' names, birthdays and ethnicities, as well as their English-speaking, special-education and free-lunch statuses.

If you're keeping track, that's three data breaches at the three largest school districts in the United States in the last six months, affecting over three million students. If it is a challenge for the largest and arguably best-funded school districts to keep their data secure, is there any hope for the 13,000 other, smaller school districts in the country with significantly smaller budgets?

Who's to Blame?

When it comes to the privacy of our most sensitive information and vulnerable populations, both the private and public sector are responsible.

It is still unknown (at this point) who was responsible for the most recent LAUSD ransomware attack. However, it could have been either a direct attack on the district or the result of an indirect attack through a third-party vendor, as was the case with the CPS incident (whose privacy and security breach was later attributed to a third-party nonprofit technology vendor). It was the vendor who notified CPS that the company had suffered a ransomware attack on servers used to store CPS student information spanning several years.

Similarly, the NYDOE's data breach, which is believed to be the single biggest cyberattack on a school district to date, was also the result of a third-party vendor compromise. Though not all details are known, it appears a simple lack of encryption, either in transit or at rest, may have played a key role in the incident.

What Are the Legal Ramifications of a Student Data Breach?

  1. Federal Law Ramifications/Obligations
  2. State Law Ramifications/Obligations
  3. Contractual Ramifications/Obligations

A. Federal Law Ramifications and Obligations

Student data privacy laws on the federal level, such as the 1974 Family Educational Rights and Privacy Act (FERPA), protect the privacy of student education records and apply to any educational institution receiving funds from the U.S. Department of Education. Updated in 2008-2011, FERPA also designated third-party vendors performing school functions as "school officials," which applies to Education Technology (EdTech) vendors as well.

FERPA grants parents certain rights regarding their children's educational records, including access, inspection, correction and the ability to opt out of publishing certain data. Educational institutions are prohibited from disclosing student data unless specific criteria are met, and they must also maintain requirements and re-disclosure restrictions for third parties receiving student data. That said, FERPA is mostly a "spending clause" statute, enforced by withholding federal funds allocated by the U.S. Department of Education. To date, no district or vendor has been sanctioned for any violation under FERPA.

The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, governs and prohibits the online collection, use, and disclosure of personally identifiable information (PII) from children under the age of thirteen without parental consent and primarily applies to operators of commercial websites and online services. COPPA has been in existence for over twenty-two years, and one of its primary goals is ensuring children's privacy is and continues to be protected in an increasingly digital world. Under COPPA, educational institutions are allowed to consent on behalf of parents for PII collected by EdTech vendors but are also required to impose restrictions on vendors as well as provide parents with transparency and opt-out options similar to FERPA.

COPPA is enforced by the Federal Trade Commission (FTC) and sanction actions are generally directed towards operators of commercial websites and services. In May of 2022 the FTC released a Policy Statement on Education Technology as it pertains to COPPA in response to growing concerns over the mismanagement of children's privacy in remote learning and the expanding use of K12 EdTech platforms across the nation. In releasing the Policy Statement, the FTC noted that "kids shouldn’t have to surrender their privacy rights to do their schoolwork or attend class remotely."

COPPA violations are treated by the FTC as unfair and deceptive acts or practices. To date, all resolved FTC enforcement actions under COPPA have resulted in settlements involving the assessment of fines and/or consent decrees regarding the handling of children's PII. State Attorneys General may also bring civil actions under COPPA to obtain relief, including injunctions, enforced compliance, damages, restitution and other compensation.

B. State Law Ramifications and Obligations

In addition to state Attorneys General's ability to enforce federal regulations under COPPA, state laws vary widely in the obligations they impose on educational institutions (state agencies) and third-party vendors (EdTech) alike. Between 2013 and 2018, forty states and the District of Columbia passed approximately 125 separate laws addressing student data privacy. Only a handful of states remain without some sort of law regulating student data, and the laws that do exist generally regulate vendors, educational institutions or both.

For example, there are requirements for both third-party vendors and educational agencies under New York's student data privacy statute, N.Y. EdLaw § 2-d. In the event of a breach, vendors are obligated to "promptly notify each educational agency . . . of any breach or unauthorized release of personally identifiable information in the most expedient way possible and without unreasonable delay but no more than seven calendar days after such discovery of such breach."

In turn, educational agencies are required to then “notify the Chief Privacy Officer of the breach or unauthorized release no more than 10 calendar days after it receives the third-party contractor’s notification.”

Here, educational agencies are responsible for directly notifying affected parents, eligible students, teachers and/or principals of security incidents involving affected data within fourteen calendar days of the breach discovery. In instances where a breach is attributable to a third-party contractor, the vendor is then required to reimburse educational agencies for the full cost of notifications.

Going further, the New York State Education Department's Chief Privacy Officer is tasked with investigating breaches and has the authority to impose civil penalties on the third-party contractor of $5,000 or greater, or up to $10 per student. The Chief Privacy Officer is also required to issue an annual report on (1) data privacy and security activities and progress; (2) the number and disposition of reported breaches, if applicable; and (3) a summary of any complaints of possible breaches of student data or teacher or principal annual professional performance review data.

By contrast, states without specific student data breach notification obligations fall back on their general data breach notification requirements. For instance, in California, similar to New York, state agencies are obligated under California Civil Code Section 1798.29 to directly notify residents of any data breach in the most "expedient time possible and without unreasonable delay." Further, breaches affecting more than 500 residents, as was the case with the most recent LAUSD incident, must also be reported to the California Attorney General's office.

C. Contractual Ramifications and Obligations

Educational institutions in states without specific student data privacy regulation, or whose statutes are silent on institutions' or vendors' obligations after a breach involving student data, usually rely on the contractual requirements negotiated between districts and vendors. Some jurisdictions, such as California, New York, Colorado, Utah and Illinois, have mandatory contractual requirements that their educational institutions must incorporate when contracting with third-party vendors. Those requirements include, but are not limited to, privacy and security provisions such as (1) establishing ownership of student data; (2) detailed descriptions of how a third-party vendor shall ensure the security and confidentiality of student records; and (3) establishing data breach notification procedures.

The Bottom Line

When it comes to the security and privacy of sensitive student data, both the public and private sectors are directly responsible for ensuring our most vulnerable populations are protected. If you're involved with an educational institution or private organization lacking adequate information, training and materials, there are resources available. Connect Safely, a California-based nonprofit, is dedicated to educating the public about online safety, privacy, security and digital wellness, and it also publishes an Educators Guide to Data in collaboration with the Future of Privacy Forum (which administers the Student Data Privacy Pledge). The U.S. Department of Education also has a panoply of resources for educational institutions and vendors alike. While nothing can completely thwart determined threat actors, a bit of self-diligence can go a long way.

This article has been published in PLI Chronicle: Insights and Perspectives for the Legal Community, https://plus.pli.edu.



Kristal Kuykendall

Marketing & Communications Strategist | Technical Writer & Impact Storyteller | Managing Editor | Executive Comms Consultant | Mar-Tech Architect

2y

The responsible party for the LAUSD attack is not unknown. It’s been known for weeks. Also, the cyberattack and breach impacting nearly every school district in New York State was, as you mentioned, due to an attack on a vendor … and that same vendor data breach impacted hundreds of thousands of students — at a minimum— in many other states. No one knows for sure how many, because if the SSN isn’t among the breached data, most states’ laws don’t require disclosure of the breach nor notification of the victims. Or, that’s how the companies interpret it, anyway. (I’ve been covering this at every step for a year for thejournal.com, specifically K-12 cybersecurity and breaches.)

Chuck Marandi

Sr. Director | Enterprise Architect | EA Office at Clario | Servant Leadership | Constructive Teams

2y

Great write up Ryan Johnson, Esq. CIPP, CIPM. Even more reason to fund cybersecurity now, before becoming a victim and having to pay a lot more later.
