Data breaches have happened, and will continue to happen, to all different types of entities, including private businesses, charities, government offices, and schools. In a recent article for Law.com, Frank Ready examined student data privacy in Illinois following the disclosure of a recent Chicago Public School (CPS) data breach.
Legislators have recognized the need to protect student data and have taken steps to regulate this area to accomplish that goal. Accordingly, there are numerous federal laws governing student data privacy, and more than 100 state laws on the topic. In Illinois, the Student Online Personal Protection Act (SOPPA) is the only school-specific state law regulating how schools handle data privacy/security. Briefly, SOPPA exists to protect the privacy and security of student data collected by educational technology companies, and seeks to ensure that any collected data is used for beneficial educational purposes. It prohibits these companies from certain activities, such as engaging in targeted advertising based on collected data, using collected data to amass profiles of students, and selling or renting student information. Additionally, Illinois schools must comply with Illinois’ data breach notification act, just as any private business would.
The question of liability following a school data breach was also a focus of Mr. Ready’s article. The CPS incident involved a breach through a third-party vendor. As I noted in my comments to Mr. Ready, the school, the vendor that mishandled the data, or both may be liable for damages incurred by students whose data was exposed during a data breach. The school may be liable to the students since the school collected the data and had a duty to protect that data. The vendor may then be liable to the school for mishandling data it was hired to process. When hiring a third-party vendor, the contract between the school and vendor should always clearly address the liability of the two parties in the event of a data breach.
If you have any questions regarding student data privacy in Illinois, or data privacy/security generally, please contact Tim Hayes at McKenna Storer.