NACE Journal, November 2018
It seems like every time someone turns on the news, there is a report of a company being subject to a data breach. Companies like Yahoo, Equifax, Uber, Home Depot, and Sony have all been subject to either intentional “hacks” of data or unintentional disclosures of data without authorization.
In today’s world, educational institutions are challenged to maintain and protect student information while making it easily accessible. Educational institutions often rely on third parties to assist with this. Employers recruiting and hiring students face similar challenges. Consequently, both groups need to be aware of the limitations on their ability to share students' personal information with third parties. Additionally, it is essential that colleges and employers know how to safeguard protected data that are either stored internally or through a third party and what to do in the event of a potential breach.
The Family Educational Rights and Privacy Act (FERPA) protects a student's personally identifiable information (PII) found in education records from unauthorized disclosure. It also provides students the right to access their education records. FERPA defines education records as any records, files, documents, and other materials that 1) contain information directly related to a student; and 2) are maintained by an educational agency or institution or by a party acting for the agency or institution.
PII is any information that can reveal a student's identity, either directly, e.g., the student's name or a family member's name, or indirectly, e.g., the student's date of birth, place of birth, mother's maiden name, and so forth. Unless an exception applies, a student's PII cannot be disclosed without written consent. As a result, PII cannot be disclosed to a third-party provider without written consent unless the school official exception applies.
The school official exception allows schools to outsource their services or functions to third parties. FERPA allows educational institutions to disclose PII from education records to third parties so long as that party 1) performs an institutional service or function for which the agency or institution would otherwise use employees; 2) has been determined to meet the criteria set forth in the educational institution’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records; 3) is under the direct control of the agency or institution with respect to the use and maintenance of education records; and 4) uses education records only for authorized purposes and does not re-disclose PII from education records to other parties, unless the provider has specific authorization from the educational institution to do so and it is otherwise permitted by FERPA. FERPA still governs the use of the PII once disclosed, meaning the educational institution remains responsible for its protection and must take steps to ensure the PII is protected.
As a result, educational institutions need to take precautionary steps when outsourcing PII. An educational institution must enter into a written contract with the third party that is receiving the information. The agreement should include language that covers, at a minimum, the reason for the disclosure; any limitations on the third party’s ability to use the information; indemnification language, which protects the educational institution to the extent information is improperly disclosed or subject to a breach; and notification language, which requires the third party to immediately notify the educational institution of any breach.
It is also important for the educational institution to be transparent about the contractual process. Allowing the contract or agreement with the third party to be readily accessible to the students or their parents is one way to do this. Providing an explanation of the purpose and extent of the third party's use is also a helpful practice. The more information about the process presented to the parents and students, the better.
In addition, the educational institution needs to make sure the PII remains confidential. An educational institution must ensure that the third party with which it contracts has a plan to ensure data security and a written and detailed process to prevent data breaches. It is important that periodic privacy audits are conducted on third parties to guarantee the security of PII. Additionally, the institution should provide the least amount of student information to achieve its purpose for outsourcing in the first place.
In addition to FERPA, there are other regulatory requirements—affecting both colleges and employers—that come into play when an entity has access to personal data. Laws of individual states as well as federal law vary in terms of what information is protected and what the potential liability is if there is a data breach. For example, some states indicate that a combination of certain data, such as name, address, and Social Security number if disclosed simultaneously, would constitute a breach. Other states include e-mail addresses or phone numbers in the list of “protected information” when those data are disclosed in conjunction with other personally identifiable information.
If there is an internal breach of data, it is generally easy to discern the issue and the required response. Under most state laws or regulations, if a data breach occurs, an entity is required to immediately notify the affected individuals and provide information on the breach, which would include, but not be limited to, the date of the breach, the manner of the breach, and what remedial measures were taken in response to the breach. Some states (California and Delaware, for example) require the entity to provide identity-theft protection services to any impacted individuals.
The bigger issue arises when the breach comes from a third-party vendor. The initial question is who is ultimately responsible for such a breach. As a general matter, both the vendor and the party that provided the initial information may be subject to potential liability for a breach. As with FERPA, most state and federal laws put the onus on the entity that collects the information to ensure that it is handled in a safe and confidential manner. Accordingly, in the event a breach occurs, the collecting entity would have responsibilities to notify the individuals of the breach and provide the pertinent information related to it.
As such, it is imperative that an organization conduct a detailed internal and external assessment of its own policies and procedures and those of any vendor it contracts with when dealing with personal protected information. The entity should conduct annual privacy and data protection assessments to analyze whether it has adequate procedures in place to protect personal information.
Prior to contracting with any third-party vendor, the entity should conduct due diligence on the vendor. This due diligence should include, but should not be limited to, reviewing any of the vendor’s confidentiality policies and procedures, determining who will have access to any protected information, and reviewing any third-party agreements that the vendor may have in which information is disclosed.
The parties should also enter into a written contractual agreement that contains certain requirements for the vendor. The requirements for the vendor include, but are not limited to, notifying the disclosing entity—that is, the school or employer—of any data breach and providing any and all requested information on the breach; notifying any affected individuals of a breach; indemnifying the disclosing entity for any damages or costs associated with a breach; maintaining cyber insurance policies, which may name the disclosing entity as a covered party (the disclosing entity should also have such insurance); and destroying or returning any data at the end of the agreement. (Note: In general, merely providing the vendor with access to the data does not give ownership of the data to the vendor; however, the question of ownership should be specifically spelled out in the agreement, along with any stipulations as to how, when, and for what purposes the vendor can use the data.)
Once an agreement is entered into, it does not end the disclosing entity’s responsibilities. The entity should routinely perform audits of the vendor’s protocols and ensure that there have not been any breaches during the term of the agreement. Merely requiring a vendor to report a breach in the agreement does not mean the vendor will do so if one occurs.
As with an internal breach, if an entity is made aware that a vendor’s data have been breached, the entity will generally be required to notify affected parties of the breach and provide information related to the breach. It is recommended that if a breach occurs, legal counsel is consulted to determine the appropriate response.
Policies and Procedures
As a general matter, it is imperative that both colleges and employers understand their obligations under the law when handling protected personal data and information. Merely because an entity ships the information out to a third-party vendor does not relieve it of its obligations under the law. Both colleges and employers must ensure that they have policies and procedures in place not only to protect data internally, but also to protect data provided to external entities. The policies and procedures should also indicate what to do in the event of a breach.
Outsourcing information to a third party is not a new practice, but it is one to which colleges and employers need to pay close attention. Data breaches occur to large and small companies alike, and the consequences are not small.