Legal Issues in IT | October 2013 Digital Edition
How Little Data Breaches Cause Big Problems For Schools
Strict state laws leave little room for error when it comes to securing student information. Fortunately, beefing up data security policies does more than safeguard students.
Outside a typical American middle school, papers were blowing around in the wind beside a garbage container. A student, seeing the papers, grabbed some and read about the special needs assessment for a seventh-grader named Kevin, including his IQ score, psychological assessment data, behavioral information, and family history. Some time later, the prying student and his friends were passing Kevin's private information around the school. It doesn't take a career educator to guess what happened next: Over the next few weeks, students relentlessly taunted Kevin, calling him "stupid," "dumb," and "retarded." They might just as well have applied the first of those adjectives to their school. In one careless stroke, the school's poor data security practices had led to the direct harm of one of its students.
Unfortunately, this cautionary tale isn't apocryphal. Part of a very real case out of Minnesota, it not only points out the ethical need to secure student data, but highlights the legal implications of failing to do so. Kevin's family sued the school district, and at the trial court, the jury returned a verdict that found the district liable for $60,000 in past damages and $80,000 in future damages--and also awarded more than $45,000 in legal fees to the family (although the legal fees were later reduced on appeal).
These days, schools across the country are being held to a rigorous legal standard for data security--one that leaves little room for error, but substantial room for legal liability. It's an age where a missent e-mail with student data can represent enormous liabilities, and a lost laptop can cause concern and dramatic newspaper headlines.
Of course, such accidental breaches are only part of the story. Students also actively try to hack into school networks. The number and scope of data breaches in schools can be alarming, and the examples are plentiful. In fact, there is so much data to secure, and so much room for error in securing it, that the US Department of Education has stepped in and created the Privacy Technical Assistance Center to help educational institutions with data privacy, confidentiality, and security practices. Among the center's resources is the Data Breach Response Checklist, an exhaustive document developed in part to help protect schools and districts, because, as the ED readily admits in the checklist, "efficient incident handling will also help reduce organizational liability."
In some cases, the data that puts schools at risk in the first place is not entirely under their control. A report out of the Fordham University School of Law found that states collect far more data than is required under federal law, often storing it in robust student information systems maintained at the state level. The data systems themselves were also poorly regulated because the states lacked policies on retention and purging. Overall, the study found that "many states provide obscure, incomplete, or difficult to decipher information about their data practices and programs."
While the study mostly examined state-level data systems, local data systems rely on these state student information data contracts, and information is often shared between local and state datasets. Furthermore, local officials are mostly responsible for data input into these vast systems, which makes them accountable for any future breach that may occur as a result of improper data sharing.
Policy in Place
The existing law governing data security in schools begins with the federal Family Educational Rights and Privacy Act (FERPA), which requires schools to keep student records private, only sharing them with parents or guardians. Thus, the law demands systems that are both open (to guardians) and closed (to everyone else), with the onus on the school to determine which rule applies for a given request.
FERPA does not, however, contain strong liability provisions against schools for data breaches. Instead, the liability for such unsecured data rests in state law. A state law claim was at issue in the case from our earlier example, which was prosecuted under the Minnesota Data Practices Act. This state law contains both remedies and penalties for violations, permitting the kind of monetary jury award that was ultimately reached.
But not all state laws resemble Minnesota's, and local school officials should be familiar with the laws governing their state. Data security laws and breach reporting requirements may vary substantially on matters like the entities protected, the data types covered, the breach notification requirements, and the penalties permitted. In fact, the vast variability in these laws extends to four states that have no such legislation at all. (The national law firm Mintz Levin has published this helpful 50-state summary as a useful starting place to research your own state laws.) For schools, understanding the potential liability under these laws is important for a number of reasons.
First, schools should have a data breach response policy formed specifically to comply with the legal requirements in these laws. Second, cybersecurity liability may not be covered through a school's existing insurance policies, and schools in states with statutes permitting direct lawsuits by children, parents, or the public against the school may want to consider additional coverage. Third, other governmental bodies, such as the state attorney general, may have oversight and enforcement responsibilities over the local school, and school officials need to understand how to respond to requests for information or enforcement actions.
While most states have not legislatively examined school or educational data at the preK-12 level in particular, the tide may be changing as some states respond with stricter data security laws specifically aimed at schools. For instance, in the summer of 2013 Oklahoma passed the "Student DATA Act," which places tougher standards on the state department of education to regulate how data is shared and with whom. Specifically, the law limits any data sharing with entities outside of the state of Oklahoma except under certain specified circumstances--a provision that could drastically limit which cloud providers schools can do business with. The proliferation of such school-specific data security laws might represent a new era in state involvement with student records security.
A Reasonable Defense
At the local level, data security still largely involves passwords and other basic data-security measures. These remain legally important steps. Standard practices to protect data and systems, such as filtering, security software, e-mail encryption, security patches, antivirus software, limited network connectivity, and monitoring servers for hacking attempts, may shield a school from liability, or lessen it, in the event of litigation (as well as meet ethical obligations to your students). Most server operators will tell you that their networks are attacked by a variety of threats on a semi-regular basis, and it takes active management to protect the integrity of any digital network.
Beyond protecting students and school interests, these security measures have substantial legal importance, and all data-security actions should be well documented. In the event of a breach and subsequent litigation, these measures and procedures will form the core of the school's defense. In a new and rapidly developing legal area such as school data security, the law has a tendency to rely on what is known as the "reasonableness standard," which basically judges the school's actions against the steps a reasonable person or technology administrator would have taken in a similar circumstance.
Private, and potentially class-action, tort (injury) claims may be brought against the school, and in such cases both the proactive implementation of security measures and the meticulous documentation of these steps will be critical in avoiding potential legal liability. This area of law is extremely underdeveloped at the moment, particularly in regard to schools, but litigation in Maine permitting a consumer tort and breach of contract claim (in this case against a grocery chain that compromised customer credit cards), as well as increasing attention from class-action attorneys on the subject, certainly should give school administrators reason enough to reexamine and reinforce their local data protection measures and procedures.
Additionally, I would highly recommend broadening the conversation on this issue within your local networks. Consider holding a school Data Security Symposium, such as this recent event for school and district leaders in western New York. Although there is little current legal guidance, the good news is that schools have the opportunity to get ahead of the issue before mass litigation and regulation ensue. By being proactive and procedural, and by working together, school officials can mitigate their potential liability and also help to define how schools can responsibly secure data into the increasingly technologically complex future.