Michelle Hon Donovan

Privacy and Security Challenges for Distance Learning

Partner, Duane Morris LLP

Download Slides

Read the Transcript

Thank you for that wonderful introduction. That was really kind of you. Always a pleasure to present with you and to do these things with you, Chris, really thank you for inviting me. I’m going to get right into it, because we’re very short on time.

Today we want to talk about some of the privacy and security challenges that we have seen with regards to online learning. And this includes people who are doing distance learning, but also our beauty schools that are starting to implement more EdTech into their curriculum.

And so we’re going to talk about some of the issues that we’ve seen, some of the law that applies to that and what are some best practices to address those issues.

There’s me and my contact information. If anybody has any questions, we probably won’t have time at the end, so let’s just jump into it.

So one of the first things that started with COVID was that everybody started doing Zoom classrooms and of course, everybody wanted to know, can we record our virtual class sessions? And for various purposes, right? Do we want to use it for people who missed the class? Can we use it for other class sessions, etc. So, can you record classroom Zoom or whatever online classroom?

The department provided some clarifying guidance on this issue. What they said was that “Video recordings of virtual classroom lessons only qualify as an ‘educational record’ under FERPA if they directly relate to a student or are maintained by the institution, by a party acting on its behalf.”

The general rule is that if the recording includes only the instructor or faculty member, it is not a student record and FERPA protection would not limit your use of this. So if all you’re doing is recording an instructor, you don’t have student participation, you don’t have students commenting or speaking or shown in the recording, then you can record and use this for any purpose.

Now, if the recording includes students speaking or asking questions, making presentations in any manner that makes it possible to identify the student or if the video records any other personally identifiable information, then this segment containing that student or personal information likely constitutes a protected educational record.

And those educational records can only be used as permitted by FERPA or in whatever manner that is allowed via written consent from the student. So just be very careful if you want to record to keep that in mind.

Some other legal considerations is that there are some states that have, like California, a constitutional right of privacy, and this is what they call a reasonable expectation of privacy. It might be implicated if the recording and subsequent use or disclosure of the recording violates a consumer’s reasonable expectation of privacy. Now that’s not an absolute right to privacy. It’s whatever is considered reasonable. So arguably, students’ reasonable expectation of privacy that they won’t be recorded without notice and consent.

Additionally, certain state wiretapping laws require what they call two-party consent, which means that you cannot record any confidential communication without the consent of all the parties to the conversation.

So, recording a class without the consent of all participants may be considered a wiretapping violation depending on whether you are a single or two-party consent state.

The best practice is basically to only record classes if the person is recording in the recording as the instructor, and there is no student participation.

If for some reason you absolutely have to have a record with students participating, consult with your legal counselor, make sure you have the appropriate consent and that any use of the recording is compliant with FERPA.

The next issue that we came up was the online proctoring. I’m just going to say online proctoring, but also EdTech. EdTech exploded at the beginning of 2020, it was already something that was being implemented widely, but it really just absolutely exploded when COVID happened.

One of the things is that there are a lot of legal implications and best practices that are covered and overlap. What we’re going to do is we’re to talk about those together. I’m going to raise the issues for each one. And then we’re going to talk about which laws apply in best practices together. So let’s get started.

Online Proctoring

First, our concerns regarding online proctoring. Depending on the nature of the online proctoring systems, many of these companies actually collect a lot of sensitive and highly regulated personal information. This might include the driver’s license, the biometric data such as facial recognition and typing patterns, in mouse movements, as well as video recording.

Now, this information is being used to verify the student’s identification. Sometimes random scans are also performed throughout the exam to prevent another test taker from jumping in.

Basically they can randomly video or scan you and make sure that after the testing has recorded, somebody else hasn’t slipped in to actually take the exam, for example. So any sort of discrepancies or suspicious activities can then be flagged and recorded for closer inspection. And sometimes it’s all automated so you may not even be aware that it’s happening.

So, all this information is actually part of the student record and it raises issues related to surveillance, wiretapping and the collection of biometric information, which is a special category of information that is protected. I got off my slides, I apologize for that.

EdTech Concerns

All right, so EdTech concerns. So what are the biggest concerns we have with EdTech as an overall failure to implement privacy and security controls? There was a report done by a non-profit called Common Sense and they call it their EdTech Privacy Report.

And this report showed that:

Only 20% of EdTech companies actually met their minimum privacy standard.

It’s a pretty bad report card. So part of the issue is that a large number of these tech providers are startups and just don’t prioritize compliance. Additionally, these tech companies are not familiar with the highly regulated Education Sector and the limitations on how information can be used, collected and maintained.

Now, in some instances, we’re also seeing schools adopting technology that was not intended to be used in the Education Sector. You might recall that when Zoom was first implemented, they had some issues because they didn’t anticipate some of the uses that it would be used for.

Now, this is all problematic because these companies are frequently handling student education records and other highly sensitive data.

So let’s talk about what laws apply to both online proctoring and EdTech, and online proctoring is basically just another version of EdTech, right? So, here are the laws.

We have FERPA, we have potentially a constitutional right to privacy, Wire Tapping Laws, the California Consumer Privacy Act, or what we call the CCPA, if you are collecting information from California consumers, Breach Notification Laws, Biometric Privacy Laws, and of course FERPA always applies.

FERPA

So let’s talk about FERPA. This is the big elephant, it’s always in the room. So is it okay to use this technology under FERPA? The answer is yes. Use of this third party technology is permissible under the FERPA school official exception.

However, you can’t just say that it falls out of the exception, you need to make sure that all the elements are met. So we’ve kind of outlined them here for you.

You have to perform it as an institutional service that the institution would otherwise use its own employees to provide. It has to meet the criteria for being a school official with a legitimate educational interest. That’s important, that’s the educational interest test. Then, the use has to be kept under the direct control of the institution. And, it can only be used essentially for the same purpose that the school could use it for. And it cannot be redisclosed to other parties, unless those other parties also fall under an exception or you get consent, of course.

So this last point tends to be the most problematic and schools need to ensure that the companies they’re using actually comply with FERPA. And we’ll discuss how to do that in just a few slides.

Constitutional Rights and Wire Tapping

Constitutional rights and wire tapping, so we’ve mentioned this before as well in the recording. So you need to make sure that all technology does not violate a student’s reasonable expectation of privacy and that you have consent to record. And this includes providing advanced notice of the possible recording.

You also need to make sure that third parties have appropriate controls to limit who can access the information, how the information is used and it’s not disclosed to any third parties.

And then lastly, all data collection use and sharing should be properly disclosed in your privacy policy. This puts the students on notice and sets the groundwork for what might be considered a reasonable expectation of privacy.

So if it’s disclosed in your privacy policy, you have the… You can take the position that it wasn’t reasonable because you disclose the fact that you were going to be recording and collecting this information. We’ve seen several class action litigations and the privacy sphere in the last year, many of which are based on a failure to disclose information or failure to properly disclose use, and sharing of that information. So, important to make sure that your privacy policies have been updated to reflect that.

And we’ll talk about that a little bit more later as well. So the other question is which company’s privacy policy you’re going to use, and that will depend on the situation and the relationship between the student and either the institution or the third-party vendor. That’s a question you need to ask, again, maybe consider consulting legal counsel on that.

California Consumer Privacy Act

So I’m going to go over very, very quickly, the California Consumer Privacy Act, because it doesn’t apply to all schools. It only applies to a small percentage of our beauty schools because it only applies to for-profit businesses.

They collect personal information from California consumers that also meet any one of the following three criteria: Your annual gross revenue exceeds $25 million; you collect, sell, share, receive personal information from more than 50,000 consumers, California consumers; or you derive 50% or more of your annual revenue from the sale of personal information. So if those don’t apply, you don’t have to worry about this, but if it does apply, there’s a couple of things you need to address, if you’re using this type of third-party technology.

First, you need to ensure the data collection use and sharing as appropriately disclosed in your privacy notices. This includes the initial notice that has to be done at, or prior to, the point of collection. And then a second notice that has to be done in your privacy policy.

Second, you’re going to have to make sure that these companies are going to be what we call service providers as defined under the statute. So, in order to qualify as a service provider, you need to make sure that the required contractual clauses are included in all your agreements with these third-party tech providers and that the use, sharing, and maintenance of the information is limited to the purpose for which you’re contracting or the service to which they’re providing, and are otherwise compliant with the law.

And then finally you have to figure out how to handle the consumer requests that are allowed under the statute and make sure that your service providers are here to provide reasonable assistance. Because a lot of times that they’re holding the data that the consumers are requesting to know or to delete.

So, sometimes they have self-help tools, but most times you’re going to need some kind of contractual obligation to provide reasonable assistance.

Privacy Policies

And then let’s talk more, a little bit again, about privacy policies. So several states have laws that say to the extent that you collect personal information online, or through an online service, through your website or online service, you have to disclose that information in your privacy policy.

That’s not just your website, if you’re providing online instruction or collecting information through an online EdTech learning environment, then you need to disclose that in your privacy policies. And what we’ve found is that a lot of schools who were previously traditionally brick and mortar, with a very static webpage, suddenly shifted to more online learning or EdTech learning haven’t updated their privacy policy.

So if you haven’t done that, homework for today is to go back and make sure that your privacy policy is accurate. So, what is required? Requires commercial websites and online services to post a policy that describes the categories of personally identifiable information collected, the categories of third parties with whom you share information and how… Oh, I’m sorry. I deleted the wrong sentence here. It’s supposed to also say how you’re going to use the information.

Some also may require how to notify, how you’re going to notify users of material changes, the policy has an effective date. California’s law also has two unique things. This is the California online privacy protection act or CalOPPA. We love our acronyms.
How do you respond to browser’s “do not track signal” or any such mechanisms, which the answer is generally you don’t, and the possible presence of other parties that might be conducting online trafficking on their site. So that’s a California specific.

Breach Notification and Biometric Privacy Laws

So what else could apply? Breach notification and biometric privacy laws. Many of these tech companies are collecting sensitive personal information that is subject to breach notification laws.

So you need to be able to address upfront: who’s going to be responsible, if there’s a breach, for drafting and sending the required notice? Who’s going to pay for that notice? Who’s going to pay for the cost of remediation? And who’s going to provide the required identity theft protection services that were required under most laws? Whether, and to what extent, you’re going to be indemnified for any third-party claims as a result of a breach? And whether, to what extent you will be indemnified for any cost of any government investigations or fines?

So as you may know, if you have a breach to any Title IV program data or anything related to that, you’re required to give immediate notice to the department of education of that breach. And they will be calling to ask additional questions. Who’s going to cover the cost of that?

To the extent that biometric information is collected, you need to be aware that there are a couple of biometric privacy laws, particularly in the state of Illinois, that if you were collecting biometric information from consumers in Illinois, this may apply.

And we also expect other states to be passing similar laws, because this is considered particularly sensitive information. And these laws basically say that you can’t collect this information without consent, and you can only keep it for as long as you absolutely need it, as long as absolutely necessary. And in any event you must delete upon request.

So that’s what laws apply. So here’s our best practices for this. First of all, before entering into any agreements with tech companies, you need to be asking the following questions:
What personal information is being collected?
How are they handling consent, if consent is needed?
How are they protecting the information?
What kind of information, what kind of data security controls do they have in place?
How long are they keeping the information?
How is the information being used by the company?
How is the information going to be shared with third parties, and if shared, what are they doing to protect the data, to ensure third-party compliance with all the laws that we just discussed?

So that’s what you need to have. That’s part of your diligence. You need to understand exactly what is happening with that data, how they’re using it, how they’re protecting and how they’re sharing it.

Terms of Service

So in terms of best practices, we want you to be looking at the terms of service or whatever contractual agreement that you are entering into with these companies. So here are some key areas to discuss.

Data ownership. You should always own educational records. They should not have any rights to this data whatsoever. That is imperative under the law.

So, also, you need to have protections as to how the data can be collected, used, and maintained, and what limitations you have will depend on which of those laws apply. There are different limitations based on FERPA, based on state privacy laws, such as CCPA, biometrical laws, etc. So you need to make sure that is all outlined and detailed in the agreement.

If this is an educational record, you need to have an acknowledgement in your contracts, that acknowledges the fact that they are receiving FERPA data and that they have their own obligations as a school official to maintain and use that data in compliance with FERPA law and regulation, and also get warranties that they will delete that information within a certain period of time, once it’s no longer needed, or once the contract’s been terminated.

To the extent that you are providing what we call sensitive data. So that financial aid data, social security numbers, driver’s license, biometric information, all that sensitive data. You really need to have explicit information security requirements.

And again, it’s not enough just to have these requirements. You really have to do due diligence, it’s required under the law. So making sure you’re doing diligence, asking those questions, and then sufficiently papering what information security they have in place to protect that information from unauthorized disclosure.

Additionally, we want to explicitly set out what happens in the event of a breach and how notifications are going to be handled so that everybody’s aware of their obligations upfront, because after the fact nobody wants to handle it, no one wants to pay for it.

Also, indemnification for breach or failure to comply with these laws. Indemnification is tricky because everyone wants to limit it, particularly EdTech companies. So this is kind of a fight you have, and we often have to make compromises, but you should have some form of indemnification at least to insurance limits if nothing else.

So what happens to the data, if you switch providers and otherwise terminate the services? How is your data going to be transitioned or transferred between this provider and another provider?

Again, once the relationship goes bad, nobody wants to play in the sandbox together anymore. And so you need to have contractual provisions in place that say you are required to provide a reasonable assistance in transitioning this data to a new provider.
Last, if CCPA applies, you have to have those required contractual clauses to make sure that they are service providers. All right, so really don’t jump into contracts. This is a lot. Make sure that you’re doing due diligence and you have the right protections in place before you go forward.

2020 Cybersecurity Risks

So I want to talk briefly about some of the security risks that we saw in 2020. Cybersecurity criminals were definitely taking advantage of additional vulnerabilities that arose during pandemic.

Cyber attacks increased by over 400%.

So, I want to talk about two key threat actors that are being heavily utilized by cyber criminals of 2020, so that you’re aware of what’s happening. So we’ve seen this more than ever, these cyber criminals are taking advantage of human error through phishing attacks and more sophisticated use of ransomware.

A phishing attack is when… This typically employs social engineering to steal user credentials and gain access to your system. So according to the Verizon data breach report, during the pandemic phishing attacks accounted for over 67% of all breaches last year.

Sophisticated, targeted ransomwares are also being seen. Ransomware is a type of malicious software or malware that uses encryption to deny access to a computer or a system until the ransomware is paid.

One trend that we’re seeing is not only an increase of malware, but an increase of data-stealing ransomware. The department has actually issued a security alert on this advising that they’re seeing an increase in active ransomware campaigns as well.

I think I am getting close to running out of time, so let me just give you some very quick tips. There are a couple of things that you need to do.

Obviously, you need to have a comprehensive security program. You need to train and build a security culture. This means training at higher and often throughout the course of the year, so that security becomes part of your culture. Much like we feel like protecting student records from disclosure is part of our culture, security needs to be done the same way.

And then if you haven’t done so, make sure that you implement multi factor authentication on all your systems that contain sensitive data and student records. The department has said that this should be implemented by all schools. And it’s one of the number one ways that you can easily block these sophisticated attacks using the phishing attacks. So that is your second thing of homework is go… especially Office 365 has a very easy way of implementing multi factor authentication. So, if you haven’t done so please go and implement that. Here’s some resources on privacy and information security they’re all public and free that we wanted to provide for you to share.

And, that will be it.