In 2014, University of Maryland President Wallace Loh made a desperate appeal to the Senate to support legislation that would force businesses to more aggressively address the cybersecurity issues that cost his university millions of dollars. His request fell on deaf ears as the bill died.
Since then, a slew of security breaches and malicious data hacks have hit educational institutions, including K-12 districts and their technology providers. Most recently, one of the most widely used education technology companies, Edmodo, had records for over 77 million users compromised.
In the absence of legal recourse and protection, lawyers and researchers are encouraging educators to defend themselves—starting at the negotiating table. They point to vendor contracts as the frontline of these efforts, noting that schools can and should demand better transparency around privacy protection, cybersecurity practices and even pricing terms. By doing so, schools can save themselves headaches—and possibly billions of taxpayer dollars.
The Cost of Privacy Breaches
When a privacy breach is found, schools and districts have to follow protocols that can be costly in terms of time and money. Laws regarding school data breaches vary vastly, from notification timelines to organizational responsibilities. For example, while one district might only require users to be notified by email, others demand that schools send out physical letters. Some districts also make schools report to credit agencies and offer reparations in the form of a credit monitoring service.
Parents are sometimes the last to know. Often they read about these incidents on the news before receiving official notice from the district or company. “We were victims of the FAFSA breach,” says Rachel Stickland, a mother of two, referring to an incident reported in April in which the records of up to 100,000 financial aid applicants may have been stolen. “Now we are victims again with Edmodo.” She adds: “A lot of these free edtech products are integrated into the classroom before you have a chance to know about them. There is a lot of pressure for schools to use these services.”
Stickland is the co-founder of Parent Coalition for Student Privacy, an organization that recently released a toolkit that informs parents about the data being collected through schools and vendor tools, and their rights in the event of a security breach.
When Stickland first learned about the FAFSA breach, she scrambled to protect her son's information, but she found the process too stressful and even risky as she was asked to send sensitive information like social security cards and birth certificates via online platforms or through the mail. After the Edmodo breach, which she heard about first from news reports, she felt at a loss.
Rachel was not the only parent looking for a way to protect her child, nor is Edmodo the only edtech company to be hit by security issues. In April, a cybersecurity researcher found that Schoolzilla had inadvertently exposed personally identifiable student data (including social security numbers) for more than a million users. Fortunately, the company confirmed that no one else had accessed that data. Still, the incident left in its wake some costly follow-up communication and legal work for school administrators.
While the companies scrambled post-attack to patch up the problems with their servers, most users were simply served with an apologetic email, leaving them to fend for themselves. No wonder, then, that many parents feel surprised—and powerless.
“My biggest concern is not the email address or password. He wrote his personal thoughts on and opinions about things on Edmodo. I am not sure who would purchase these things, but they can see it,” says Stickland.
There’s little legal recourse that parents can take as the federal legislation that gave families rights to student privacy, The Family Educational Rights and Privacy Act (FERPA), created in 1974, has not been updated in years. “Under FERPA parents cannot sue [the company or school district], it does not provide a private right of action,” says Matthew Johnson, a privacy lawyer who specializes in education technology. “The only way FERPA can be enforced is if someone files a complaint to the Department of Education (ED).”
Johnson notes that filing a complaint with ED could have grave implications for schools, causing them to lose federal funding. Vendors can also be barred from contracting with the school districts, but he notes that these consequences have never been invoked under the statute.
“FERPA was not written with the intent of dealing with a modern-day data breach, and that’s why you see a lot of calls from a lot of parties to amend and update FERPA,” says Johnson. He notes that local pressures have caused individual states to take up privacy issues through local legislation, and as a result penalties and costs vary vastly.
According to a study commissioned by IBM and conducted by the Ponemon Institute, a data breach cost the responsible party an average of $246 per account. In the education sector, whether the district or the vendor bears that burden depends on contracts and who is at fault for the breach, says Johnson. If a teacher was careless with passwords and that led to a breach, then all costs associated with the breach could fall on the school or district.
“Contracts used to be silent about a school’s role in a data breach. It wasn’t something that was actually contemplated when they were drafting the agreement,” explains Johnson. “Which is a bit of an issue when you are trying to figure out which rights each party has after the fact, and that is a more difficult situation for everyone involved.”
Researching Price Gouging
Another group hoping to bring more attention to contracts is the Technology for Education Consortium (TEC), a nonprofit that aims to bring more transparency to the procurement process for K-12 edtech services. In March the group released a report that claimed school districts could save at least $3 billion if their vendors charged customers at a consistent and transparent rate.
The report noted that edtech companies such as Renaissance Learning seemingly charged districts at random for the same products, citing tens of thousands in price differences where random “discounts” were applied without clear consistency.
“There is no way for districts to look anywhere and see how much [other] licenses cost, and you cannot get a price or quote till you go through a procurement process,” says Hal Friedlander, co-founder and CEO of TEC. “Often the price is not in the contract, and usually smaller districts feel like they get the worst deal.” Friedlander explained how districts would see links in contracts (where prices should be) leading to “rabbit holes” of information.
Since there is no legislation against these practices, Friedlander has created a tool (a sort of Glassdoor for districts) where he hopes districts can share prices that they pay for edtech products. His organization has also reached out to schools to compare contracts from vendors.
“Is it possible for for-profit companies to do business with school districts in a way where both sides get the advantage?” asks Friedlander. “To be frank, companies have more money for lawyers, more money for marketers, more money to hire staff members to pitch products and school districts are outgunned in a way. There is no way they can win in a deal.”
LeeAndra Khan, a middle school principal at Brooks Middle School in Chicago, echoes Friedlander’s frustration, noting that the limited resources offered to school districts, coupled with inadequate training on education technology products, can lead to well-meaning educators making rash purchasing decisions.
“Working in the district you are really under the gun to address the areas of growth,” says Khan. That pressure can cause schools, principals and teachers to acquire products without a thorough plan or understanding of the product’s capabilities.
Khan notes that although some districts have lawyers who review purchase agreements, some vendors go to teachers and principals directly, many of whom are not equipped to negotiate with suppliers. “I wonder about people knowing the wealth of a district,” says Khan. “Before I was a principal, I wrote a plan for a six-million-dollar grant, and I call them poverty pimps because it’s almost like they can smell the money, people start cold calling you.”
Khan understands that vendors sometimes approach teachers directly to get a foothold in schools—and possibly find an evangelist who can help promote the product to fellow teachers or administrators. She thinks professional development covering contract review and negotiations could help but points out that most districts lack the budget for it.
“You definitely can be taken advantage of,” says Khan. “I don’t know for sure if that has ever happened to me, but then again, how would I know?”
Matthew Johnson echoes those sentiments, noting that providing school employees with training on privacy expectations from vendors, cybersecurity threats, and operational precautions could save districts millions. “It is important to be able to assess what vendors’ privacy practices are. Do they have a privacy policy that appears to have been well thought out and written to reflect what they do and don’t do with data?”
He hopes this type of training can help bring some parity, in favor of schools, during the contract negotiation process. He already sees improvements. “The other question asked more often is: ‘What are you doing and what are we doing in a contract provision to reduce the likelihood of something going wrong?’” says Johnson. “[Schools] are never going to take it down to zero because ultimately they still work with people, and people make mistakes.”