Illinois schools must comply with the Student Online Personal Protection Act by July 1, 2021. While many schools may not have been aware of this deadline or have been pushing compliance down the road, the coronavirus pandemic has put SOPPA compliance in a new light. Illinois schools are quickly realizing that their contractual relationships with educational technology companies and the use of student data are issues that must be addressed immediately. Therefore, this coming summer provides schools a unique opportunity to both get in compliance with SOPPA early and prepare for an uncertain fall semester.

• The Second Half Of The 2019-2020 School Year Caught Many School Districts By Surprise

On April 20, 2020, the Chicago Tribune published an article titled “Illinois districts were urged to prepare e-learning plans for students in case of emergency. Most didn’t do it.”  This article reports that many Illinois school districts were, understandably, caught off guard by the coronavirus quarantine in the second half of the 2019-2020 school district. While preparing for remote learning was a pressing issue prior to the quarantine, many schools, for a variety of reasons were unprepared when remote learning became a necessity:

Long before the coronavirus pandemic shut down Illinois schools, state education officials encouraged school districts to prepare to teach remotely. But most of the state’s 852 school districts didn’t have e-learning plans in place when schools closed in mid-March, a ProPublica Illinois-Chicago Tribune analysis has found.

In describing the weeks since remote learning has become a way of life, many school districts have struggled with various online applications, learning tools and getting students adjusted to their new classrooms:

Many of those districts have found themselves scrambling to figure out how best to teach students when they can’t be face to face. They have had to search for the best online platforms — Google Meet or Zoom or Flipgrid or Seesaw? — and try to determine how many students lacked internet service while districts that had already established the logistics have been able to pivot more easily into actual instruction.

Over the last couple of weeks, many school districts, their teachers and their students have needed to learn how to use remote learning tools after remote learning had started. Of course, while e-learning tools have made remote learning possible while people have been ordered to stay at home, these ed-tech applications also provide Google and a number of other tech companies with unlimited access to sensitive student data.

While schools have made significant progress shifting to remote learning, schools will need to take a closer look at how student data was protected during the coronavirus pandemic and what steps need to be taken this summer to shore up security. The legislative intent behind SOPPA fits the current situation perfectly:

Schools today are increasingly using a wide range of beneficial online services and other technologies to help students learn, but concerns have been raised about whether sufficient safeguards exist to protect the privacy and security of data about students when it is collected by educational technology companies. This Act is intended to ensure that student data will be protected when it is collected by educational technology companies and that data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies. 

Indeed, SOPPA may provide the best guidelines for schools to take a closer look at protecting student data and relationships with ed-tech companies during and after the quarantine.

• Schools Should Begin Planning For E-Learning In The Fall of 2020

The central point of the Chicago Tribune’s April 20th article is that many schools and students were unprepared when they shifted to remote learning. There is further evidence that schools may be in the same position next fall if they don’t immediately take steps to prepare for a remote learning environment. Many colleges are already looking at how the coronavirus pandemic may impact the 2020-2021 school year. For example, “…the University of Arizona said it remains hopeful the fall semester would include a return to campus:”

“We are cautiously optimistic that the fall semester will be able to launch with the normal face-to-face campus experience, but of course we will prioritize the health and well-being of our community in making that decision…”

And, colleges and universities are not the only schools struggling to figure out what this fall may look like for students. For example, the Washington State Superintendent of Schools, Chris Reykdal, has acknowledged that “[s]hort of a vaccine, which people continue to tell us is 12-18 months away, we have to figure out if it’s safe to come back even in the fall.” Similarly, the spokesperson for schools in Fort Wayne, Indiana commented: “[t]his could just keep going on, and we may not start in the fall.”

Given this uncertainty, schools may face a limited opportunity this summer to prepare for remote learning and be ready to address the uncertainties this fall. And, in deciding how to prepare for an uncertain fall semester, Illinois schools should start with SOPPA.

In general, SOPPA governs the relationship between schools, students/parents and “Operators.”  SOPPA defines “Operators” as “the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application with actual knowledge that the site, service, or application is used primarily for K through 12 school purposes and was designed and marketed for K through 12 school purposes.” In short, moving toward SOPPA compliance will force schools to take a look at their contracts with ed-tech companies and closely analyze how student data is transferred to third parties. This focus on educational technology companies makes SOPPA requirements the perfect place for schools to start this summer to prepare for next fall.  Further, schools will get a jump start for the July 1, 2021, mandatory deadline to comply with SOPPA.

Learn more at www.tresslerllp.com/soppa, or contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post This Summer Provides A Unique Opportunity For Student Data Privacy appeared first on Privacy Risk Report.

Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the next couple of weeks as the world deals with the COVID-19 pandemic.  A cyber security breach during the novel coronavirus pandemic could sever the one thread connecting remote employees to their place of work.

While it is still early, there should be little dispute that the current pandemic will have a profound impact on the workplace, which, in turn, will have a profound impact on the use of data. Commentators have already offered the following concerning the new workplace:

If the future of work requires restructured workplaces, redefined roles, rapid learning, and reserves of trust—and it does, organizations are being challenged to do all that and more as they address the coronavirus pandemic. While we have long spoken about VUCA (volatile, uncertain, complex, and ambiguous) environments, we are finally and undoubtedly facing one.  In the span of a few weeks, the world’s economy traveled a path from cautious observation and common-sense health advisories to massive cancelations, business shutdowns, and work from home mandates. JPMorgan, AT&T, Google, Amazon, Nike, Facebook, among many, many more are hustling to virtualize business operations as social distancing continues to be the best practice to “flatten the curve” of contagion. 

Coronavirus, it turns out, might be the great catalyst for business transformation. 

Without a doubt, once we get through this pandemic, we will need to address how the new workplace impacts privacy.  The two most immediate concerns may be the opportunities for hackers and how regulations will be impacted by the overwhelming health and economic concerns.

1. The Pandemic May Provide Opportunities For Hackers

While there are a number of uncertainties during this unprecedented situation, we have been able to piece together some information concerning our world in March of 2020:

• We are in pandemic caused by the novel coronavirus;
• In response to the pandemic, people are working from home transferring information without the security measures found in the workplace;
• The pandemic has created turmoil in the world’s financial and employment markets; and
• Workers are feeling not secure, which may lead to snap decisions.

Unfortunately, these four factors give rise to the perfect environment for opportunistic hackers.  Data collectors may want to take the following approach in the coming weeks:

• Protect data transfers. In the coming weeks, as the pandemic unfolds, employee training or discussions on data safety will be key.  Data collectors should remind their new remote workforce of the emerging risks they face in transferring data.

• Prepare for outages. There are new limitations on communicating with a remote workforce.  Data collectors should consider what their business may look like if there is an international, national or local outage that would cut this limited access even further.

• Think about permanent solutions for the new workplace. The remote workforce will be able to return to their traditional workplaces at some point.  Data collectors should think about what safeguards should be put into place if workers start working remotely more frequently.

Not surprisingly, we have already seen hackers target vital businesses that are essential during the coronavirus pandemic.  German newspapers have reported that “Cyber criminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Liefrando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic.”  Commentators warn this may not be the end of cyber attacks:

Security experts anticipate these types of acts, intended to exploit essential services in times of crisis, will continue as restrictions due to COVID-19 remain in place. “Deplorably, we will likely see a further avalanche of cyberattacks targeting most susceptible online businesses,” says ImmuniWeb founder and CEO Ilia Kolochenko. As a result, many organizations may be forced to pay cybercriminals or invest in DDoS protection services to defend against advanced attacks.

Clearly, this will be a continuing threat over the next few weeks.

2. The Pandemic May Cause Privacy Regulations To Get Dialed Back.

A couple of months ago, business, insurers and governments were starting to get the hang of this privacy thing.  Previously, the biggest concern was compliance with privacy regulations such as the California Consumer Privacy Act (“CCPA”).  (By the way, a number of organizations are now calling for the delay of the enforcement of the CCPA: https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/)  That was, of course, until the coronavirus pandemic sent workers home.

Being just a few weeks into the pandemic, we can be sure that privacy law will be profoundly impacted when deadlines are extended and the data is used by millions of workers that have moved offsite.  After the pandemic, we will need to watch deadlines and be ready to modify compliance with privacy law.

If the adoption or enforcement of privacy regulations is delayed by the coronavirus pandemic, we may see data collectors struggle to find guidance for proper data and storage and collection.  Looking at case law may fill this void left by relaxed deadlines and requirements.  For example, data collectors may look to decisions such as the March 26, 2018 opinion in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) as an example where a court was prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cyber security protocols closely scrutinized after the coronavirus pandemic.

Further, the facts giving rise to the incident in Hopper are instructive to remote workplaces.  On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third-party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.

As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cyber security and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question.

The District Court provided the following examples of how it believed Schletter failed to properly train its employees:

• How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;
• Effective password management and encryption protocols for internal and external emails;
• Avoidance of responding to emails that are suspicious or from unknown sources;
• Locking, encrypting and limiting access to computers and files containing sensitive information;
• Implementing guidelines for maintaining and communicating sensitive data; and
• Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.

Based on this reasoning, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.

It will be interesting to see if courts are going to give data collectors a “pass” for lapses in cyber security once the coronavirus pandemic has come to an end.  Even though cyber security may be in flux, there is still a significant amount of guidance for data collectors.

The post Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic appeared first on Privacy Risk Report.