Takeaways
Educational institutions use Software as a Service (SaaS) platforms to facilitate operations, but doing so carries significant risk that needs to be carefully managed. Strong vendor oversight, tight contracts, and incident response planning are critical to protecting personal data down the chain.

An EdTech vendor whose platform is used by thousands of educational institutions recently experienced a significant cybersecurity incident impacting millions of students. The incident left customers of the platform legally and reputationally exposed—and answering difficult questions in their local communities. This incident is not unique and highlights the importance of vendor management to effective data protection programs.
- The Education Technology Sector Is a High-Value Target
Lesson: Educational institutions hold a wide range of personal data and have become frequent targets of attack.
Educational institutions maintain large volumes of personal data related to their students and their families, as well as their teachers and other employees. These troves of data—which may be subject to federal laws like The Family Educational Rights and Privacy Act (FERPA), as well as state reasonable safeguard and breach notification laws—have made educational institutions attractive marks for cyber attackers. So too has their reputation for underinvesting in their data security programs.
- Third-Party Contractor ≠ Reduced Liability
Lesson: Educational institutions remain legally and reputationally exposed even when their vendor stores data on their behalf.
While engaging a vendor can, in some ways, simplify the process of protecting data—because the vendor handles the logistics and incurs the costs of maintaining administrative, physical, and technical safeguards to secure that data—this is not a set-it-and-forget-it arrangement. Even if the vendor stores all of the data at issue, the educational institution will be the party statutorily obligated to notify and report in the event of a breach and will likely be a defendant or subject of ensuing litigation or regulatory investigation. In other words, educational institutions can outsource the function of handling their data but cannot outsource the consequences if it is handled improperly.
- The Scope of Data Covered by Data Protection Laws Is Broad
Lesson: Even breaches of less “sensitive” data create meaningful risk.
Reports indicate that the data accessed in the recent breach included names, email addresses, student IDs, and messages. Although these data elements are less “sensitive” than SSNs, financial account information, or medical information, their breach may still trigger notification and reporting obligations under state data protection laws, like New York Education Law § 2-d. Thus, educational institutions cannot safely assume that the disclosure of “lower risk” data eliminates legal or operational exposure. Instead, they must conduct a thorough analysis of the incident and carefully assess resulting obligations.
- Operational Resilience Is Necessary to Avoid Operational Disruption
Lesson: Operational disruption is a key privacy risk multiplier.
The breach occurred around final examinations for many educational institutions, disrupting students and educators alike. It also forced operational staff to rapidly navigate technological, availability, and continuity challenges. Operational resilience measures, such as data backups and well-crafted, well-rehearsed incident response plans, are essential to minimizing the harm caused by these incidents.
- Strong Risk Management Requires Continuous Vendor Monitoring
Lesson: Constant diligence is required.
Vetting vendors prior to engaging them is critical to an effective vendor management program. So too is carefully reviewing vendor agreements to ensure they include key data protection provisions. But vendor management does not end at the time of engagement. Instead, it is an ongoing process that should include, among other things, exercising audit rights, monitoring vendor subcontractors, and periodically revisiting vendor agreements. Use of vendors is unavoidable, as are vendor breaches. Where educational institutions do have control, and can mitigate risk, is through diligent oversight of those vendors.
***
For additional information about managing the vendors that manage your data, please contact Jackson Lewis’ Privacy, AI & Cybersecurity team.