The Attorneys General of Connecticut, California and New York reached a $5.1 million settlement with Illuminate Education for failing to implement proper information security measures to protect the student data it was holding.
What should companies that provide services to School Districts or otherwise process Personal Information of school students keep in mind in view of this?
This is the first enforcement under Connecticut’s Student Data Privacy Law (from 2016) and may signal a trend toward more student privacy enforcement, both from the Connecticut Attorney General and from those in other States. The settlement also cites other laws under which the enforcement was conducted: the Connecticut Unfair Trade Practices Act, the Connecticut Safeguards Law (Conn. Gen. Stat. § 42-471) and Connecticut’s Data Breach Notification Law. This shows that similar fact patterns could be enforced against by regulators even in States that do not have dedicated student privacy laws.
While data breach and other information security incidents are common, this settlement is interesting in that it takes an “FTC-like” approach and requires the company to enter into a detailed, prescribed privacy and information security compliance program.
Particularly interesting is that some of the obligations have a data privacy focus and require the Company to undertake compliance measures that even companies with a compliance program geared toward the California CCPA may not have in place:
The Company was ordered to:
- Data minimization and purpose specification: Not collect Personal Information except for a specified, legitimate purpose(s) and to not further process or use such Personal Information in any manner either beyond or incompatible with such purpose(s).
- Access Controls: Implement and maintain appropriate controls to manage access to and use of all employee and contractor accounts with access to Personal Information.
- Authentication: Implement and maintain reasonable policies and procedures requiring the use of authentication as appropriate in accordance with industry standards.
- Privileged Access Management: Implement and maintain reasonable controls to secure use of privileged credentials, such as through a privileged access management tool or reasonably equivalent technology.
- Data Security Risk Assessments: Perform at least annual risk assessments to identify, assess and remediate risks to the security of Personal Information.
- Penetration Tests: Over the next five (5) years perform at least annual penetration tests to identify, assess and remediate security vulnerabilities.
- Data Protection Agreement: Provide to prospective School Districts a data protection agreement with specific requirements, which exceed those in the CCPA/GDPR DPAs that clients may be using.
- Notice of Material Changes: Not collect, share, disclose, or permit collection of Personal Information in any manner that is inconsistent with or is beyond the scope of the relevant data protection agreement or contract with the School District.
- Unique Personal Identifiers: Not collect, share, disclose, or permit collection of Unique Personal Identifiers except for a legitimate business purpose.
- Right to Delete: Process all requests from the School District to delete student data and provide confirmation of the deletion to the School District (with some exceptions).
- Due Diligence: Implement, maintain, and document a process for selecting and retaining Third-Party Service Providers capable of safeguarding Personal Information before sharing information with them.
- Written Contracts: Enter into written agreements or contracts with service providers, with requirements along the lines of those under CCPA/GDPR.
- Contract Retention: Retain its contracts with Third-Party Service Providers during their term and for five (5) years thereafter, along with documentation showing the providers’ commitment to comply with their obligations regarding the data.
- Monitoring: Implement and maintain policies and procedures to monitor Third-Party Service Providers’ collection of Personal Information.
- Inconsistent Collection Practices: Take appropriate action against any Third-Party Service Provider that collects Personal Information in a manner inconsistent with the Company’s privacy policy, the provider’s own privacy policy, and/or the terms of any written agreement or contract between the Company and that provider.
- Information Security Assessment: Obtain an information security assessment and report from a third-party assessor.
The coordinated approach by the three Attorneys General may signal increased enforcement in the future. Coupled with the detailed obligations, their strong privacy focus and the specific requirements for vendor management, this means vendors that process Personal Information of students may want to take a fresh look at their compliance posture and take proactive steps to mitigate their risks.