When I founded Kickboard several years ago, one of the first things I did was work with legal counsel to develop a privacy policy and terms of service for the company. Back in those days, the edtech ecosystem was dominated by the big players and there were very few startups, which meant that there weren’t a lot of resources for early stage companies trying to navigate the space. Districts also weren’t asking about FERPA compliance during the sales process, so it wasn’t an issue that our first set of policies were pretty boilerplate and could have applied to any cloud-based software company.
While there’s now no shortage of advice on finding a co-founder, finding product market fit, and raising capital, there remains a shortage of practical advice and resources for early stage companies in the area of data privacy and security best practices.
I’m pleased to share that, as of today, Kickboard is leading the industry by “open sourcing” its privacy policies and processes. While each company, and its policies, is different, we hope to move beyond transparency for our own customers and share our approach more widely so earlier-stage companies can benefit. Here are some examples of what early-stage edtech companies must do, should do, and can wait to do in order to protect the privacy and security of student data.
The usual disclaimers apply: I am not a lawyer, and this post should not be considered legal advice, nor should the linked documents be repurposed as boilerplate policies. Each company is different and requires a unique set of legal documents tailored to their particular business, user type, and data set.
Must Do:
1. Find legal counsel with experience in K-12 education. Your legal counsel should eat, sleep, breathe FERPA and COPPA (and possibly HIPAA) and should make it a priority to stay up to date with relevant state and federal legislation in order to proactively advise on the implications of these bills on your business.
2. Craft a Privacy Policy that does not require a law degree to decipher. Here’s Kickboard’s Platform and Service Privacy Policy as an example. Writing a legally dense policy and then adding cute captions in the sidebar to “translate” the policy is insufficient: your customers will still be bound to the main policy, so you’re still requiring them to read it in full. One of the most important aspects of your Privacy Policy is providing notice about what you do with PII, and if your policy is too hard to understand, regulators and judges are less likely to give you credit for providing that notice.
3. Recognize that a rigorous privacy policy is essentially a bright and shiny “KEEP OUT” sign, but it does no good if you actually – or apparently – “leave the door unlocked” to your systems. Start with the basics, such as encrypting all Personally Identifiable Information (PII) in transit using SSL (including all user logins and student rosters). The most likely source of a data security breach of your systems will be code that handles user input – reviewing this code is the best place to concentrate scarce resources.
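As an added illustration of the “review the code that handles user input” point (this is example code written for this post, not Kickboard’s own code), here is a strict validator for the student-roster upload mentioned above. It assumes a CSV roster with the columns `student_id`, `first_name`, `last_name` and `grade`, that grades are integers 0–12 with kindergarten encoded as 0, and that the upload has already arrived over an encrypted connection; the column names, the allow-list patterns and the 10,000-row cap are assumptions for the example. Every cell is checked against an allow-list rather than a block-list, oversized uploads are rejected before they are processed, and error entries name only the offending column and line, so the logs built from them never contain student PII.

```python
import csv
import io
import re

# Constructed sample roster: made-up names and ids, not real student data.
# Line 4 has a malformed student_id; line 5 has a disallowed character in
# first_name and an out-of-range grade.
SAMPLE_ROSTER = (
    "student_id,first_name,last_name,grade\n"
    "1001,Ada,Lovelace,5\n"
    "1002,Grace,Hopper,6\n"
    "not-a-number,Bad,Row,5\n"
    "1003,Jean=Paul,Sartre,13\n"
)

REQUIRED_COLUMNS = ("student_id", "first_name", "last_name", "grade")
MAX_ROWS = 10_000  # assumed upper bound; rejects oversized uploads early
ID_RE = re.compile(r"^[0-9]{1,12}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'\-]{0,59}$")


def _check_field(name, value):
    """Return True when one cell matches the allow-list for its column."""
    if name == "student_id":
        return bool(ID_RE.match(value))
    if name in ("first_name", "last_name"):
        return bool(NAME_RE.match(value))
    if name == "grade":
        # Assumption: grades are integers 0-12 (kindergarten encoded as 0).
        return value.isdigit() and 0 <= int(value) <= 12
    return False


def validate_roster(csv_text):
    """Validate an uploaded roster. Returns (accepted_rows, errors).

    accepted_rows: list of dicts holding only the required columns.
    errors: list of (line_number, [bad_column, ...]). Entries name the
    column, never the rejected cell value, so logs built from them do
    not leak student PII.
    Raises ValueError for a missing header column or too many rows.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError("roster header missing columns: %s" % ", ".join(missing))

    accepted, errors = [], []
    for row in reader:
        # line_num counts the header line, so data rows start at 2.
        if reader.line_num - 1 > MAX_ROWS:
            raise ValueError("roster exceeds %d rows" % MAX_ROWS)
        bad = [
            c for c in REQUIRED_COLUMNS
            if not _check_field(c, (row.get(c) or "").strip())
        ]
        if bad:
            errors.append((reader.line_num, bad))
        else:
            accepted.append({c: row[c].strip() for c in REQUIRED_COLUMNS})
    return accepted, errors


if __name__ == "__main__":
    ok, rejected = validate_roster(SAMPLE_ROSTER)
    print("accepted %d rows, rejected %d rows" % (len(ok), len(rejected)))
    for line, cols in rejected:
        print("line %d: invalid %s" % (line, ", ".join(cols)))
```

Running it on the constructed sample accepts the two well-formed rows and reports lines 4 and 5 with the columns that failed; the same pattern (allow-list per field, size cap before processing, PII-free error reporting) applies to any other endpoint that accepts customer-supplied data.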
4. Require all employees to read, sign, and comply with your Data Access Policy. This policy should include restricting internal access to client data. Only those employees who have direct access to customers should have access to client data: think helpdesk, trainers, and customer success managers, and then only on a need-to-know basis. Engineers should not be using copies of live customer data in their development environments. And of course, sales representatives should never demo using copies of live customer data.
Should Do:
1. Use sales conversations as an opportunity to educate buyers about privacy and security issues. One way we do this at Kickboard is by actively sharing the CoSN Privacy Toolkit with customers and training our sales team so that they’re able to answer CoSN’s suggested “Questions to ask your vendors” with confidence and accuracy. But also be sure to make clear that districts and schools also play an important role in maintaining security of materials once they leave your system, and consider adding cautionary reminders when users are downloading student data.
2. Require all employees to complete Data Privacy and Security Training on at least an annual basis in order to reinforce that everyone is responsible for being a good steward of client data. For example, Kickboard started off 2015 with our annual training.
3. Create a Data Breach Investigation Process and a method for reporting data breaches. Recognize that when we’re talking about data breaches, we’re not just talking about the unlikely and malicious database hack, we’re talking about a client unintentionally (and non-securely) emailing your helpdesk with a student roster they want to upload to your site. Your employees need a straightforward method of reporting data breaches, so you’re prepared if and when one happens.
4. Get familiar with standards for information security management such as PCI, SSAE, and ISO/IEC 27001 – these approaches are as much about documenting security as implementing it, so unless your application requires it, you’ll likely want to postpone trying to fully comply with them. But start the learning curve now, and you’ll also pick up some useful ideas for driving your internal, informal security review process.
Can Wait to Do:
As a CEO of a cash-strapped startup with a laundry list of things you need to do simply to keep the business afloat, what can you safely wait to do until you’re more established?
1. Wait to hire full-time, in-house General Counsel until your legal needs are steady and predictable month to month. In the meantime, see “Must do #1” and negotiate a reasonable hourly or per-project rate.
2. Wait to hire a Chief Privacy Officer. As an early stage company, everyone needs to focus on execution, and this title will be considered an expensive figurehead if you bring them on too soon. But do make sure that someone in your organization is the designated "go to" person if there's a data security breach.
3. Wait to sign the Student Privacy Pledge. Sure, 100+ companies have already signed it, so it’s easy to blindly jump on the bandwagon and assume that having your logo on the list of signatories will drive more business. But if you’re focused on the must do’s and should do’s above, that will carry much more weight than a signature on a voluntary pledge. There’s already evidence, as highlighted by the New York Times, that some signatories may not be in full compliance with the pledge, so it remains to be seen how much that will impact the credibility of the pledge, despite signatories’ best intentions.
4. It’s hard to recommend when to conduct a formal security audit and certification, because every business is different. This is one of those expensive items that, realistically, you’re not going to be able to afford right away but need to be aware of as you expand into states whose laws require such audits.
As an industry, it is critical that we work together to ensure student data privacy and security remain a top priority. That starts with more transparency around the actual policies and processes in place in companies large and small. The risks of opening ourselves to scrutiny are worth the reward of feedback that can lead to improvement, not just for Kickboard, but for the benefit of the industry at large. And consider this just the beginning of the list: I invite you to add additional best practices in the comments below.