So far, it appears that 2021 will be at least as challenging for most institutions as 2020 was; this includes educational institutions. Given the increased use of remote learning and communication tools, school administrators should be aware of three broad trends in privacy and data security: ransomware, evolving state data privacy laws, and the potential for federal privacy action. All of these areas, especially combined with digital workflow and video streaming, pose potential issues for schools and universities.
Almost 1,700 schools and universities were attacked with ransomware in the US in 2020. Such an attack can disrupt access to (or damage) internal records, including private information of students, families, and employees. The attack itself, or the need to take systems offline to contain it, can also compromise the delivery of remote learning. Finally, such an attack can also lead to exfiltration of private information.
The costs associated with containment, investigation, and remediation, and the potential loss of classroom time, can be daunting. As will be discussed in more detail below, such an attack may also expose the school or system to claims for a data breach in an increasing number of states.
The most effective way to cut a ransomware attack off quickly cannot be put in place once the attack has started. It requires planning ahead: maintaining robust, regularly tested backup and recovery data and systems that can take over if the main network or its data is locked down by a ransomware attack. Similarly, the best way to mitigate the cost of an attack must also be arranged in advance: carrying cyber insurance that pays for data restoration, replacement equipment, and the costs of investigating and notifying individuals of any breach of their personal data. Business continuity planning and good insurance, together, can do quite a lot to mitigate damage and losses in the event of a ransomware attack.
STATE DATA PRIVACY LAWS
A new data privacy law took effect in California in 2020 that gives Californians certain rights in and to their personal data – which is very broadly defined – after it is collected by companies and other for-profit institutions. The law will be strengthened in 2023 by measures that were approved in the fall election. The law requires a very explicit notice to individuals in California – such as parents or adult students and, potentially, staff and administrators – of what data the regulated entity collects. It also gives those individuals extensive rights to see, require deletion of, and otherwise control the use of their data after its collection. The law does not apply to information already regulated by certain federal laws (such as HIPAA and GLBA), nor to non-profit enterprises. It does apply to for-profit entities of a certain size, however, and does not create an education exemption. In addition, the narrow exemption for federally-regulated data does not excuse a covered institution from compliance regarding any other data that it happens to hold. The law allows for hefty financial penalties if a data breach occurs where a company failed to take reasonable data security measures.
Several states introduced copycat legislation in 2020, and many of those bills are likely to be reintroduced in 2021. Virginia has already introduced a House bill and a Senate bill in 2021 that would enact many of the same provisions as the California law.
All schools should closely monitor the emergence of state copycat laws to understand whether the law in their state covers their school (or students from other states), what kinds of data it covers, and what kinds of access, correction, and deletion requests it must honor. Schools should also document their data security practices in real time, including by maintaining a written information security policy and providing periodic training for relevant personnel.
POTENTIAL FEDERAL PRIVACY LAWS
With Democrats in control of both the executive and legislative branches for the next two years, it is entirely possible that the federal government will try to address privacy at the national level, either with a data privacy law like California’s or by passing some nationwide standard for what constitutes a data breach and what the penalties are. Alternatively, an agency like the FTC – now headed by a Democrat – could step in and try to create national privacy regulations to fill a perceived gap.
In theory, any such move could make compliance easier by establishing a single national standard for what is considered private information, who must do what to keep it secure and confidential, and what the penalties are for failing to do so. Much depends on whether Congress can act swiftly and effectively on a challenging and sensitive issue. Whether or not any federal privacy laws are passed, however, privacy compliance efforts are likely to become more complicated and less forgiving in the coming years, whether driven by state law, by contract, by insurance underwriting requirements, by rising consumer expectations, by increased security risks, or by other mechanisms. All institutions, whether public or private, non-profit or for-profit, are likely to experience increased demands for robust privacy and security protections. Taking account of that now in planning, budgeting, resource allocation, and other areas will pay off down the road.