Private Postsecondary Schools and Data Privacy – It is so Much More than FERPA

By Jonathan Tarnow, Partner, Drinker Biddle & Reath LLP and Katherine Armstrong, Counsel, Drinker Biddle & Reath LLP

We are living in the midst of a data explosion. It is reported that more data has been created in the past two years than in the entire previous history of the human race.1 A common framework used to characterize big data relies on the “three Vs,” the volume, velocity, and variety of data, each of which is growing at a rapid rate as technological advances permit the analysis and use of data in ways that were not possible previously.2 Most entities double the amount of data they possess within 18 to 24 months.3

Yet most organizations do not know the full extent of what data they have, why they have it, where it is, or who has access to it, unless they are required by law to make such an assessment or have been the victim of some sort of data breach or cyberattack.

Postsecondary educational institutions are rife with data, much of it sensitive personal information such as student academic records, student and employee financial and health records, institutional financial records, and alumni and donor records. And postsecondary educational institutions are not immune from data breaches. Between 2017 and 2018, alleged Chinese hacking campaigns targeted 27 research institutions including MIT, the University of Hawaii, Penn State, Duke, and the University of Washington.4 In March 2019, applicants to Grinnell College, Hamilton College and Oberlin College received an email offering them the opportunity to purchase their own admissions files for Bitcoin.5

Against this backdrop is a fragmented regulatory landscape to navigate, as the United States has no overarching data privacy or security law. Instead, there is a patchwork of different laws and regulations at the state, federal and international level, each applicable to different industries, types of data, or types of entities collecting and using the data. Sometimes more than one law and regulatory regime may apply to the same organization and data. While each of the applicable privacy and data security regimes involves significant detail and could warrant separate legal treatises, what follows is a high-level summary of the privacy and data security laws that most frequently impact U.S. postsecondary institutions.

Family Educational Rights and Privacy Act (FERPA)6

FERPA, enacted in 1974, is the federal privacy law that applies to education records. It applies to, among others, any educational agency or institution which receives funds under any applicable program administered by the U.S. Department of Education (ED), including Title IV federal student financial aid. As a privacy law, FERPA provides important rights for students and protects the privacy of students’ education records and all personally identifiable information (PII) contained therein. While FERPA generally regulates the use and disclosure of education records, it does not govern how institutions collect information. Although FERPA applies to all education records “maintained” by an institution with respect to a student, it does not impose any record retention requirements. Additionally, records created or received by an institution after an individual is no longer a student in attendance and which are not directly related to the individual’s attendance are excluded from FERPA.

Under FERPA, PII includes various personal identifiers, including information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. PII under FERPA also includes information requested by a person who the institution reasonably believes knows the identity of the student to whom the requested education record relates.

FERPA protects the privacy of education records by broadly prohibiting disclosure without the prior written consent of the student.7

Specifically, an institution cannot disclose PII from education records without prior written consent unless an applicable exception permits the disclosure and the institution has used reasonable methods to identify and authenticate the recipient’s identity before any information is disclosed. Some of the exceptions to FERPA’s general prohibition on non-consensual disclosures are disclosures to (1) accrediting bodies and State educational agencies; (2) other school officials with legitimate educational interests, which may include contracted entities performing outsourced services and functions; (3) other schools where a student seeks or intends to enroll; (4) organizations contracted to conduct studies for or on behalf of the institution for purposes of testing, student aid, and improvement of instruction; (5) law enforcement authorities pursuant to a subpoena; (6) appropriate persons in connection with a health or safety emergency; (7) parents in cases of alcohol or controlled substance use where the student is under age 21; and (8) parents of students who are dependents for tax purposes. In addition, PII that has been properly designated as “directory information” can be disclosed without written consent. It is important to note, however, that the “directory information” exception does not apply automatically simply because information is “directory” in nature. Rather, an educational institution must, within regulatory allowances, affirmatively designate specific information from education records as “directory information.” In addition, students must be provided with an annual notice of the designation, and students retain the right to opt out (or, where the institution uses an opt-in approach, to opt in) at any time.

FERPA also requires institutions to provide students with the opportunity to inspect and review their education records, unless such right has been waived in writing by the student, and to request that information be corrected if inaccurate, misleading or in violation of the student’s rights of privacy.

There is no private right of action under FERPA, meaning that alleged violations cannot be addressed through student or parental litigation. Rather, the Supreme Court has determined that only ED may enforce FERPA and impose sanctions for violations of its requirements.8 Upon investigating FERPA violations, ED may require corrective action or, potentially, terminate the institution’s eligibility to receive funds administered by the Department, including but not limited to Title IV federal student aid.

Health Insurance Portability and Accountability Act (HIPAA)9

HIPAA was enacted in 1996 to, among other things, govern how individually identifiable health information is maintained and protected by the health care and health insurance industries. It generally covers patient records and PII maintained by health care providers, health plans and health care clearinghouses. The U.S. Department of Health and Human Services (HHS) has promulgated a Privacy Rule, a Security Rule, an Enforcement Rule and a Breach Notification Rule to implement HIPAA.

There are some potentially confusing intersections between FERPA and HIPAA if a school provides health care to students in the normal course of business, such as through a health clinic or school nurse, or conducts any HIPAA covered transactions electronically in connection with health care services. Certain “treatment records” that a school maintains on a student are excluded from the definition of “education records” under FERPA; under the joint ED/HHS guidance, however, those treatment records are also excluded from the HIPAA Privacy Rule’s definition of protected health information, so they are not governed by HIPAA either (and if they are disclosed to anyone other than the treating professionals, they become education records subject to FERPA). For example, if a school operates a health clinic that is open both to students and to non-students (including family members of students), it must comply with HIPAA with respect to the health records of non-student patients, while the records of student patients are subject to FERPA (as education records or treatment records) and not to HIPAA. If the health records involve persons who are both students and employees, it is necessary to examine whether the health services are provided because of the individual’s status as a student; if so, the records are covered by FERPA rather than HIPAA. However, if a student is a patient in a university hospital, the hospital’s records would be covered by HIPAA and not FERPA, because the hospital’s health services are unrelated to the individual’s status as a student.10

HIPAA is enforced by HHS’ Office for Civil Rights. Sanctions for HIPAA violations can include monetary penalties and often require a corrective action plan.

Gramm-Leach-Bliley Act (GLBA)11

GLBA was enacted in 1999 and requires financial institutions, broadly defined, to disclose their information sharing practices to their customers and to safeguard their customers’ nonpublic personal information. “Financial institutions” include many entities that would not normally describe themselves that way, because the term covers any entity that is “significantly engaged” in providing financial products or services. Postsecondary educational institutions participating in Title IV federal student aid programs are “financial institutions” under the GLBA, and ED has recently issued Dear Colleague Letter guidance reminding schools of that fact.12

The GLBA Privacy Rule13 requires that an initial privacy notice be provided to customers at the time the customer relationship is established.

Subsequent notices are required to be provided annually unless certain exemptions apply. The notices describe the institution’s information sharing practices and generally allow consumers to opt out of the sharing of their information with non-affiliated third parties. In addition, the GLBA Safeguards Rule14 requires institutions to create a written information security plan that describes their program to protect customer information. The plan should be appropriate to the entity’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles, and in all cases must:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the operations and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards; and
  • Evaluate and adjust the program in light of relevant circumstances or the results of testing and monitoring.

To assist with GLBA compliance, ED has encouraged postsecondary educational institutions to review and understand NIST SP 800-171, which sets forth federal security requirements for protecting controlled unclassified information in nonfederal systems, including access control, incident response, risk assessment, and awareness and training requirements.

The GLBA is generally enforced by the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC). Remedies for GLBA violations can include both civil penalties and injunctive relief. The recent Equifax settlement15 with the FTC, the CFPB and 50 states and territories included alleged violations of the Safeguards Rule; Equifax agreed to pay at least $575 million and up to $700 million as part of that global settlement. With respect to postsecondary educational institutions, it also is important to note that the GLBA requirements are incorporated into each institution’s Title IV Program Participation Agreement. Further, ED has interpreted provisions of the Student Aid Internet Gateway Agreement, which is required of all Title IV participating institutions, to include a 24-hour breach notification requirement with respect to student data. An institution’s failure to comply with GLBA thus could have consequences for its continued Title IV federal student aid eligibility.

Telephone Consumer Protection Act (TCPA)16

Since its enactment in 1991, the TCPA has restricted telephone solicitations (i.e., telemarketing) and limited the use of automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines. It also specifies technical requirements for autodialers, voice messaging systems and fax machines, principally requiring that the identification and contact information of the entity using the device be contained in the message. The Federal Communications Commission has issued rules17 that require callers to obtain prior express written consent before placing telemarketing calls to landline or wireless subscribers using an autodialer or an artificial or prerecorded voice. A call is considered a telemarketing call if it is intended to encourage the purchase of goods or services at some point in the future.

Unlike some of the other laws discussed in this article, TCPA permits direct lawsuits by consumers including class actions, and in recent years there have been several TCPA suits and class actions against postsecondary educational institutions and their marketing agents. Any postsecondary educational institution engaged in telemarketing of any kind, or using third party marketing firms that do the same, must take appropriate steps to ensure ongoing TCPA compliance.

Fair Credit Reporting Act (FCRA)18

The FCRA was enacted in 1970 and regulates consumer reporting agencies and consumer credit reports. It requires that users of such reports (including any postsecondary educational institution that obtains them) have a permissible purpose to obtain the report and provide adverse action notices if negative actions are taken based on the report. In addition, those that furnish information to consumer reporting agencies are required to furnish accurate information.

The Fair and Accurate Credit Transaction Act of 2003 amended the FCRA and required the promulgation of a number of rules including the Red Flags Rule.19 The Red Flags Rule applies to both financial institutions and some creditors. It requires the development and implementation of identity theft prevention programs and involves a four-step process:

  • Identify relevant red flags, such as suspicious patterns or practices that indicate the possibility of identity theft;
  • Detect red flags;
  • Prevent and mitigate any identity theft; and
  • Update the program as necessary.

The FCRA is enforced by a number of federal agencies, and there is also a private right of action for some violations. The Red Flags Rule is consistent with other data security regimes.

New York Cybersecurity Regulations20

The New York Department of Financial Services (NYDFS) promulgated the first comprehensive state cybersecurity regulations in the United States in 2017. The regulations apply to any entity required to be licensed by the NYDFS, with limited exceptions for smaller entities or entities that do not collect and maintain personal information. In postsecondary education, the NYDFS licensure requirement may arise from institutional loan programs, which in turn would require compliance with the agency’s cybersecurity regulations. Those regulations require that all covered entities establish a cybersecurity program, based on a risk assessment, that:

  • Identifies internal and external cyber risks;
  • Implements defensive infrastructure with written policies and procedures;
  • Detects cybersecurity events;
  • Includes a plan for recovery from cybersecurity events; and
  • Fulfills applicable regulatory reporting obligations.

Covered entities are required to certify compliance annually and the NYDFS enforces the regulations.

The European Union’s General Data Protection Regulation (GDPR)21

The GDPR became effective on May 25, 2018, and is a comprehensive privacy law with extraterritorial reach. It gives EU “data subjects” – i.e., not only EU citizens or residents but anyone physically present within the EU – robust rights concerning their personal data. The GDPR also requires entities to maintain internal processes for recordkeeping and vendor oversight, with significant fines for noncompliance. Postsecondary educational institutions in the U.S. may be subject to the GDPR under several circumstances, including but not limited to when they communicate with EU data subjects, offer distance learning programs to persons located within the EU, or operate study abroad programs or branch campuses in the EU.

The GDPR broadly applies to personal data and includes any information relating to an identified or identifiable natural person.

It regulates any entity established in the EU, as well as entities outside the EU that offer goods or services to, or monitor the behavior of, data subjects in the EU. “Processing” under the GDPR includes collection, storage, retrieval, use, and disclosure by transmission, dissemination or otherwise making data available. The GDPR limits the purposes for which personal data may be collected. Specifically, the entity that determines the purposes and means of processing, the “controller,” may only process personal data pursuant to one of six specified legal bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, or legitimate interests.

The GDPR also imposes a number of other requirements. For example, entities whose core activities involve large-scale processing of sensitive data, or large-scale regular and systematic monitoring of individuals, must appoint a data protection officer who reports to the highest level of management. In addition, controllers must maintain detailed records of their data processing activities, and entities must conduct “Data Protection Impact Assessments” when processing is likely to create a high risk for data subjects, such as large-scale processing or processing of sensitive data. Data subjects also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning them. EU data subjects have the right to receive notice when data is collected about them, as well as to request and obtain copies of data held about them, to request that inaccurate data be corrected, and to request that data be deleted.

The GDPR is enforced by the data protection authority in each EU member state. Violations of the GDPR can subject entities to large fines: up to €10 million or 2% of worldwide annual turnover for some violations, and up to €20 million or 4% of worldwide annual turnover for the most serious, whichever is higher. Thus, a postsecondary educational institution in the United States should review all of its points of contact with EU member states and persons located in the EU, and take the measures necessary to comply with GDPR requirements.

California Consumer Privacy Act (CCPA)22

On Jan. 1, 2020, the CCPA takes effect as the first comprehensive privacy law in the United States. Unlike the GDPR, which applies to all types of entities, the CCPA applies only to for-profit entities doing business in California that (1) have annual gross revenues greater than $25 million; (2) annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (3) derive 50% or more of their annual revenues from selling consumers’ personal information.

The CCPA governs the collection and use of personal information about California consumers or households, with “consumer” broadly defined as any natural person who is a California resident including customers, prospective customers, website visitors, etc. “Personal Information” similarly is broadly defined to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information also specifically includes “education information,” which is defined as any information subject to FERPA.

The CCPA provides consumers with a number of rights with respect to their personal information, specifically the rights to:

  • Notice when personal information is collected;
  • Access personal information;
  • Request that a business not sell personal information;
  • Request that a business delete personal information; and
  • Not be discriminated against for exercising these rights.

Under the CCPA, notice must be provided at or before the point when personal information is collected, and the notice must describe the categories of personal information collected and the purposes for which the information will be used. In addition, the business’s website notice must describe the categories of personal information collected in the preceding 12 months and the purposes for collection, the categories of sources from which personal information is collected, the categories of third parties with whom personal information is shared, and the categories of personal information that are disclosed for business purposes. Finally, the notice must describe the categories of personal information sold to third parties, or state that the business has not sold personal information.

Upon receipt of a verifiable request, businesses are required to provide consumers with access to the data that has been collected about them as described above. The California Attorney General is working on regulations that will provide guidance as to what is a verifiable request and what specific pieces of information must be provided to consumers.

Consumers also have the right to request that their data be deleted, and such requests likewise must be verifiable. It is important to note that the CCPA does not require deletion of data if the data is needed to detect security incidents or protect against deceptive or fraudulent activity; debug to identify and repair errors that impair functionality; exercise free speech or ensure the right of another to exercise free speech or another right; comply with the California Electronic Communications Privacy Act; engage in public or peer-reviewed scientific, historical or statistical research in the public interest; comply with a legal obligation; or otherwise internally use the consumer’s personal information in a lawful manner that is compatible with the context in which it was collected.

Finally, the CCPA allows consumers to request that their personal information not be sold. The term “sale” is broadly defined to include virtually any sharing of data for valuable consideration, but there are two important exceptions: (1) sharing with a service provider under a contract that prohibits the service provider from further using the data, and (2) sharing at the direction of the consumer. Unlike a request for access or deletion, a request that a business not sell personal information does not need to be a verifiable request. In addition, after 12 months have passed, a business may contact the consumer again to ask the consumer to authorize the sale of his or her personal information.

Although the CCPA will become effective on Jan. 1, 2020, the California Attorney General will not bring enforcement actions until at least July 1, 2020. The CCPA permits the California Attorney General to seek penalties of $2,500 per violation and $7,500 per intentional violation, as well as injunctive relief. It also includes a private right of action for data breaches that allows individual consumers to seek statutory damages of $100 to $750 per consumer per incident, or actual damages if the consumer’s harm exceeds that range, as well as injunctive and declaratory relief.


Although a number of sector-specific privacy laws such as FERPA, the FCRA and even HIPAA have existed for decades, what is new is the proliferation of more comprehensive privacy and data security regimes such as the NYDFS cybersecurity regulations, the GDPR, and the CCPA. There is no doubt that concerns about the creation, use, maintenance, and disclosure of personal information across all industries will continue to increase, leading to new laws and regulations. During this past year, comprehensive privacy bills were considered in several state legislatures, but none other than the CCPA was enacted into law. Numerous data privacy bills, including but not limited to proposed revisions to FERPA, have been introduced in Congress.

Given the myriad of privacy and data security requirements, developing a compliance program may be daunting.

The first step is to determine which law(s) apply to the institution’s data and data practices, and to reconcile any potentially competing requirements. An institution should then map its internal data flows, meaning determine what personal information is collected, why it is collected, how it is used, who has access to it and with whom it is shared. It is also important that an institution understand its external data flows, which involves reviewing service provider and other third-party contracts. Depending upon the applicable legal regime(s) and the particular data flows, an initial compliance action item may be to update or create consumer-facing policies and website privacy policies. When it comes to privacy and data security compliance, it is important to both “do what you say and say what you do.”

While complying with existing laws and staying abreast of current regulatory trends is important, perhaps even more critical to educational institutions is to retain the trust of students, staff and the public, which means being good stewards of personal data. It can be very difficult to re-establish trust after it has been breached. As Mike Tyson once famously said, “Everyone thinks they have a plan until they get punched in the face.” Having a thorough understanding of applicable privacy and data security requirements, and adopting appropriate data policies and procedures, goes a long way to avoiding such an occurrence.


  1. https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#7aa442a160ba
  2. FED. TRADE COMM’N, BIG DATA: A TOOL FOR INCLUSION OR EXCLUSION? UNDERSTANDING THE ISSUES (Jan. 2016) https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf
  3. https://www2.deloitte.com/content/dam/Deloitte/il/Documents/financial-services/fatca_faqs_fsi_services.pdf
  4. https://www.wsj.com/articles/chinese-hackers-target-universities-in-pursuit-of-maritime-military-secrets-11551781800?mod=hp_lead_pos1
  5. https://www.wsj.com/articles/hackers-breach-college-applicant-databases-seek-ransom-11552003816
  6. 20 U.S.C. § 1232g et seq.; 34 C.F.R. Part 99.
  7. In the case of a student who is under 18 years of age and not attending a postsecondary institution, parental rather than student consent is required.
  8. Gonzaga University v. Doe, 536 U.S. 273 (2002)
  9. Public Law 104-191.
  10. U.S. Department of Health and Human Services and U.S. Department of Education Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records (November 2008), available at https://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf.
  11. 15 U.S.C. § 6801 et seq.
  12. See https://ifap.ed.gov/dpcletters/GEN1612.html.
  13. 16 CFR Part 313: Privacy of Consumer Financial Information Rule under the Gramm-Leach-Bliley Act.
  14. 16 CFR Part 314: Standards for Safeguarding Customer Information.
  15. https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc
  16. 47 U.S.C. § 227.
  17. 47 C.F.R. § 64.1200.
  18. 15 U.S.C. § 1681 et seq.
  19. 16 C.F.R. Part 681.
  20. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
  21. https://gdpr-info.eu/
  22. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375


JONATHAN D. TARNOW advises clients on a wide range of education law matters involving the U.S. Department of Education, accrediting bodies, state agencies and other government regulators. He has extensive experience advising public, non-profit and for-profit institutions of higher education on the statutory and regulatory requirements of federal student financial aid programs under Title IV of the Higher Education Act. He has represented institutions in Title IV compliance reviews and audits, including administrative hearings and appeals related to findings of non-compliance. He also counsels educational institutions and third-party service providers on federal and state laws governing student records retention and student data privacy. Jonathan is a partner in the firm’s Government and Regulatory Affairs Group and a member of the Education Team and the Privacy and Data Security Team.

Contact Information: Jonathan D. Tarnow // Partner // Drinker Biddle & Reath LLP // 202-354-1357 // jonathan.tarnow@dbr.com // www.drinkerbiddle.com


KATHERINE E. ARMSTRONG assists clients with compliance matters related to federal, state and international privacy and data security laws. With more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), she provides clients with an in-depth perspective and working knowledge of the FTC, its policymaking efforts and its enforcement activities. She works with clients on issues arising under the EU General Data Protection Regulation, the California Consumer Privacy Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the New York Cybersecurity Regulations. She also advises clients on advertising and marketing issues and other matters regulated by the FTC. Katherine is a Certified Information Privacy Professional/United States (CIPP/US).

Contact Information: Katherine E. Armstrong // Counsel // Drinker Biddle & Reath LLP // 202-230-5674 // katherine.armstrong@dbr.com // www.drinkerbiddle.com