This summer, Pearson notified a handful of Illinois school districts that its AIMSweb 1.0 Platform had experienced a data breach that impacted over 13,000 account holders nationally. The breach may have resulted in third-party access to student names and, in some cases, birth dates and email addresses; no educational, assessment, or other personal information was affected. While the relative impact of this breach was low, it highlighted once again the vulnerability that schools face to breach of data systems, many of which contain highly personal information on students and staff. 

What is a Data Breach?

The Privacy Technical Assistance Center (PTAC) of the U.S. Department of Education defines a data breach as “any instance in which there is an unauthorized release or access of Personally Identifiable Information or other information not suitable for public release.”   A breach can occur at an educational institution that stores its data on site or through a third-party, like a cloud service provider.  A data breach can result from a variety of sources, including hackers attacking a school’s data system, an employee inadvertently sending data to a third-party or leaving a password list out in public, or a security system that does not adequately protect against access.  While some cases, like the Pearson breach, result in only limited information being exposed, schools face the risk of a breach that exposes significantly more sensitive information like student’s social security numbers, medical information, and educational records.  Whether malicious or unintentional, all breaches can be dangerous if they leave sensitive data vulnerable to public access. 

What Are A School’s Legal Responsibilities?

While FERPA does not require educational institutions to adopt specific security controls, it does require the use of “reasonable methods” to safeguard student records.  Schools should make sure that data systems are adequately protected and that risk assessments are conducted regularly to identify and remediate any vulnerabilities.

If a breach does occur, schools are often confused about when and how to notify impacted students.  FERPA does not have a requirement that parents and students be notified of a breach but does require that any release of student data be recorded in the student record.  Illinois law does require notification when specific data elements are released, particularly social security numbers, so schools should consult with counsel if a breach occurs to determine whether notification is required.  Finally, for Post-secondary institutions, Title IV Participating Institutions are subject to Gramm Leach Bliley Act (GLBA) data security requirements and, pursuant to the Participation Agreement, are required to report data breaches to the Federal Student Aid office of the U.S. Department of Education. 

While notification is not always legally required, schools may want to consider notifying their communities of a breach when it occurs so that parents and students in order to maintain trust and transparency and so that impacted individuals can take protective action.  For example, in the case of the Pearson breach, Pearson is offering free credit monitoring for a year for all students impacted by the release.   

What Should A School Do to Prepare?

PTAC recommends that all schools have a data breach response plan that will enable school officials to detect, respond to, and recover quickly from any breach.  PTAC identifies the core components of a breach plan as:

1. An approved policy that sets forth when the policy applies, the roles and responsibilities of staff, standards to measure the level of breach, reporting, and remediation.
2. A plan tailored to the organization that sets forth the steps necessary to implement the policy, including incident response from reporting, initial response, notification, and remediation. 
3. A procedure document that implements the plan and sets forth the specific actions that are a part of the response effort.

PTAC recommends that the data response plan and procedure be tested in advance of a breach to ensure that the school is prepared.  PTAC also provides a detailed checklist to help educational organizations be fully prepared which includes not only the data response plan but also auditing data systems, running risk assessments, monitoring for data leakage and loss, and training staff regarding data security.

What Should A School Do to Reduce Liability?

While schools face the risk of their own data systems being breached, as the Pearson breach demonstrates, educational institutions face the additional risk of breach of data shared with third-party educational vendors.  We recommend that schools always include a data agreement in any contract in which student data is being shared and/or generated with a third-party vendor.  This data agreement should contain specific breach provisions, including a timeframe for breach notification by the vendor, a process for investigation, and indemnification by the vendor of the school of any costs that result from the data breach.  In this way, schools can mitigate liability and make sure that students are protected.

While recent history has made clear that there are no institutions safe from data breach, schools can take preventive steps to ensure that, if a breach does occur, it is responded to quickly and effectively.