2015 NMSBA SCHOOL LAW CONFERENCE

Transcription

1 2015 NMSBA SCHOOL LAW CONFERENCE NETWORK SECURITY, DISTRICT POLICIES ON INTERNET USE, AND THE LAW Andrew M. Sanchez David A. Richter Cuddy & McCarthy, LLP 1

2 FEDERAL LAWS The Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. 1232g Children s Online Privacy Protection Act (COPPA). 15 U.S.C 6501 et seq. Protection of Pupil Rights Amendment (PPRA) 20 U.S.C. 1232h Children s Internet Protection Act (CIPA) 20 U.S.C. 6801, 6777, 9134; 47 U.S.C. 254 Protecting Children in the 21 st Century Act Amendment* 47 U.S.C. 254(h) Cuddy & McCarthy, LLP 2

3 FERPA FERPA prohibits the unauthorized disclosure of personally identifiable information (PII) contained in students education records. When we think of education records we tend to think of real records the kind you would find collecting dust in a file cabinet. These days a student s PII is often contained in digital or electronic media. FERPA also is concerned with unauthorized disclosure of digital or electronic PII. Cuddy & McCarthy, LLP 3

4 WHAT IS PII? Specific identifiers such as name and address of a student, OR Other information that, alone or in combination would make it possible for someone in the school community to identify the student with reasonable certainty. Owasso Indep. Sch. Dist. v. Falvo, 534 U.S. 426 (2002). Cuddy & McCarthy, LLP 4

5 PII AS OTHER INFORMATION It might be difficult, if not impossible, for school districts to determine whether a particular document contains PII or could contain PII if it were to be used in combination with other information. Therefore, school districts may want to consider adopting policies that presumes all data generated by students, teachers, and staff related to students constitutes an education record. This seems especially wise when school districts are directing third-party technology providers with both information and instructions regarding how they should handle, use, and share the information. Cuddy & McCarthy, LLP 5

6 COPPA COPPA requires website operators to protect children s privacy and security online, including restrictions on marketing. COPPA the Federal Trade Commission (FTC) Rule enforcing it apply to: Operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or inline services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. Fed Trade Comm n Bureau of Consumer Prot., Complying with COPPA: Frequently Asked Questions available at: Cuddy & McCarthy, LLP 6

7 PPRA What does PPRA do? PPRA is triggered whenever school districts use Internet - based educational services. PPRA provides that: A student may not be required to submit to a survey, analysis or evaluation that reveals information about the student s or family s political affiliations or beliefs; mental or psychological problems; sexual behavior; and many other topics, without the prior consent of the parent(s). School districts must develop policies in consultation with parents that address everything from the parent s right to inspection instructional materials to the right of the parent to inspect any instrument used in collection of personal information before the instrument is administered to the student. 20 U.S.C. 1232h(c)(1). Cuddy & McCarthy, LLP 7

8 CIPA The Children's Internet Protection Act (CIPA) was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program a program that makes certain communications services and products more affordable for eligible schools and libraries. In early 2001, the FCC issued rules implementing CIPA and provided updates to those rules in Cuddy & McCarthy, LLP 8

9 CIPA CONTINUED Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy that includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal. Cuddy & McCarthy, LLP 9

10 CIPA AND PROTECTING CHILDREN IN THE 21 ST CENTURY ACT Schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response. Protecting Children in the 21st Century Act requires school recipients of e-rate funding to adopt Internet Safety Policies that specify the school educates its students about appropriate online behavior. While the FCC does not require school recipients to specify the curriculum in their Internet Safety Policies, it is strongly recommended that schools keep records of the implementation of their chosen method(s) for educating students about appropriate online behavior. Cuddy & McCarthy, LLP 10

11 WHAT HAPPENS IF YOU VIOLATE THE KEY PROVISIONS OF CIPA AND PROTECTING CHILDREN IN THE 21 ST CENTURY ACT? The Universal Service Administrative Company (USAC) which administers the Universal Service Fund (USF) could institute an action seeking recovery of e-rate funds. Cuddy & McCarthy, LLP 11

12 NETWORK SECURITY Network Security [security policies, implementing software, and the role of hardware] Internal Security vs. External Security Internal Security: a host of measures adopted to prevent individuals a school district allows to access its network from engaging in unauthorized or unlawful activity on the network. External Security: a host of measures adopted to prevent the inadvertent disclosure of sensitive or confidential information (think PII) and the unauthorized access of such information by anyone on the internet. Cuddy & McCarthy, LLP 12

13 PRACTICAL CONSIDERATIONS: CLOUD COMPUTING, STUDENT PRIVACY, AND THE LAW Cloud Computing is the delivery of on-demand computing resources everything from applications to data centers over the internet on a pay for use basis. Kinds of Clouds Software as a Service (SaaS) Software hosting Platform as a Service (PaaS) Application development or deployment Infrastructure as a Service (IaaS) Data hosting Cuddy & McCarthy, LLP 13

14 PROCUREMENT OF COMPUTER-BASED SERVICES AND DATA SERVICES Technology advances: Becoming paperless educational system Computer-based everything Data storage Where does the information go? Who has access to it? Who is responsible for it s safekeeping? Can you audit compliance with contracts for services or data storage? Cuddy & McCarthy, LLP 14

15 PRIVACY Why do we care about privacy? Data mining by companies like Google and Microsoft. Advertisements based on search engine history, Facebook, etc. Search cloud storage for trends and commonality to sell. State law precludes release of identifiable lists of students, faculty or staff for direct marketing of goods or services by telephone or mail except for legitimate educational purposes as defined by PED. NMSA 1978 Section (damages and attorneys fees awarded for violation.) Cuddy & McCarthy, LLP 15

16 PRIVACY CONTINUED Not knowing how much regulated data is on or accessible by: Mobile devices and clouds or used by school employees or transferred to cloudbased file sharing applications. Unsecured student and employee mobile devices. Cuddy & McCarthy, LLP 16

17 CONTRACTS WITH THIRD-PARTIES OFFERING CLOUD COMPUTING SERVICES School district owns its data exclusively. What the provider will do to protect the school district for data loss, unauthorized disclosure and changes and theft. Set forth the provider s responsibility in the event of a data breach. Address the unique data confidentiality requirements of the school district in detail (FERPA, IPRA etc.). Cuddy & McCarthy, LLP 17

18 CONTRACTS CONTINUED Provide for an effective privacy and security audit. Limit the provider s use of data to solely what is necessary for its fulfillment of its obligations under the contract. Specifically exclude the provider from any data mining of student/parent or employee and school district data or allowing third parties or affiliated parties to do so. Exclude all other collateral commercial uses of student/parent, employee and school district data. Cuddy & McCarthy, LLP 18

19 CONTRACTS CONTINUES TO CONTINUE School District must be able to access its data in a specific format when it is needed for audits, investigations and litigation. Provider will not be allowed to modify or destroy the school district s data, the school district should be able to control when its data is destroyed, duplicated and preserved. Restrict the provider from storing the data to the United States where the laws protecting data enforceable. Outside countries may allow data mining. Cuddy & McCarthy, LLP 19

20 BEWARE: CONTRACT LANGUAGE Beware of deals, programs or additional services to be purchased to provide data privacy and security from the provider who can do it under contract at no additional cost. Beware of indemnification provisions in user agreements, requiring the school district to indemnify the provider if it has data breach or security breach or releasing the provider from liability for its own negligence. Beware of dispute resolution provisions barring litigation and requiring arbitration. Beware of dispute resolution provisions providing that if there is litigation it will be limited to the home state of the provider or some other jurisdiction outside of New Mexico. Cuddy & McCarthy, LLP 20

21 QUESTIONS Cuddy & McCarthy, LLP 21

22 CONTACT INFORMATION Andrew M. Sanchez (505) David A. Richter (505) Cuddy & McCarthy, LLP 22