There has been a spike in data security breaches during recent years, including unauthorized access to and release of student records. The New York State Education Department (“NYSED”) and the Office of the New York State Comptroller (“Comptroller”) stress that adequately safeguarding confidential information regarding students and their families is of the utmost importance. The Comptroller and NYSED both emphasize the need for school districts and vendors providing information technology (“IT”) services to adhere to federal and state laws regulating data protection and to include security protocols in their contracts aimed at avoiding the unauthorized disclosure and release of protected information.
The Family Educational Rights and Privacy Act (“FERPA”) restricts the disclosure of personally identifiable information (“PII”) contained in students’ education records by any means, including oral, written or electronic, without the written consent of the student’s parent or eligible student, except in limited situations. Personally identifiable information is defined to include, but not be limited to, the following:
(a) The student's name;
(b) The name of the student's parent or other family members;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
Encrypted or anonymized data that does not identify any particular student or cannot be linked to a specific student does not fall within the definition of PII and, therefore, is not protected data under FERPA.
FERPA requires schools entering into contractual relationships with third party vendors to ensure such agreement or contract includes a data security and privacy plan outlining state, federal, and local data security and privacy requirements. The plan must also include a signed copy of the parents' bill of rights for data privacy and security as well as training requirements for third party contractors' employees on confidentiality of and access to protected student data. Additionally, FERPA extends the obligation to safeguard student records to third party contractors, directing them to (1) limit access to student records only to those employees who require such access as a part of their work responsibilities; (2) not use protected student records for any purpose other than as expressly authorized under the agreement or contract; (3) not disclose any PII without written permission of the parent or eligible student, unless such disclosure is required by statute or court order; (4) maintain reasonable administrative, technical, and physical protocols; and (5) use encryption technology to protect data from unauthorized disclosure.
On September 19, 2024, NYSED announced that the Education Department’s Privacy Office had collected $287,000.00 in penalties from two technology companies whose operations violated student and parent data privacy protection. The first technology company that was fined provided cloud-based athletics and activities office management software that assists school districts with creating and maintaining activities schedules, rosters, and calendaring, and managing sports and activities events. The Privacy Office found that the company had published student and parent PII in YouTube videos used for product demonstration purposes. These videos stayed on the YouTube channel for nine months and collected 66 views in total prior to being removed. The company paid a $120,000.00 penalty for violating student data protection and agreed to conduct training for its employees to avoid further violations and potential data breaches.
The second company offers school safety software through the implementation of visitor management and emergency systems platforms. The company’s employees discovered that the software had vulnerabilities that could lead to data breaches and compromise the cloud-stored records. Even though there is no evidence that any of the cloud-stored records were accessed by unauthorized parties, the company was required to pay $167,000.00 in fines. Moving forward, the company is required to annually notify those school districts with which it contracts of all records stored on its platform and integrate data breach reduction practices into the services it offers.
The Commissioner of Education commented on these two student data violations stating the following: “School districts must be able to trust that the technology platforms and software they utilize have safeguards in place to protect the privacy of student and parent data. Unfortunately, these two companies fell short, compromising the personally identifiable information of minors and their guardians. I commend the Department’s Privacy Office for investigating these cases and holding those responsible accountable.”
The obligation to secure student PII is the responsibility of both school districts and contracted vendors who have access to the protected student records. In its June 7, 2024, audit, the Comptroller reminded the school district of its affirmative obligation to safeguard sensitive student data.
The Comptroller recently conducted an audit of a charter school and determined that the school officials failed to adequately secure student data to help protect it from unauthorized access and did not develop an IT contingency plan.
The investigation showed that the charter school has been using two cloud-based applications to access, store, and share student information. The school data is accessed through shared application folders and the Student Information System (“SIS”) respectively. An increased risk of unauthorized access and use of student-sensitive information resulted from employees not knowing how to adequately store student PII in shared application folders, which allowed PII to be viewed by other employees who did not require access to that information in order to perform their job duties. The company’s cloud-based application also permitted modification of PII by employees who should have had limited, view-only permissions in regard to the records.
The specific findings of the Comptroller were as follows:
• The officials did not properly secure student PII and private and sensitive information (“PPSI” – usually defined as PII, which if lost, stolen, or disclosed could cause a severe impact on critical functions, employees, customers, third parties, or other individuals or entities) which had created an increased risk of unauthorized access to student private data;
• School employees did not have guidance on how to properly identify and secure sensitive student data;
• Three out of six tested users of the cloud-based application used for School operations stored student-sensitive data without adequate protection; and
• 12 out of 125 users of cloud-based SIS had excessive or unnecessary access to view and modify sensitive student data.
Among the key recommendations to enhance the security of student PII and PPSI were: (1) to adopt, review, and revise, if necessary, the data classification policy where data is assigned different levels of protection like “Sensitive,” “Confidential,” and “Public,” and communicate it to employees; (2) to ensure that all access to sensitive student data is based on needs and job responsibilities; (3) to develop a written IT contingency plan – a school’s recovery strategy in case of an unexpected event in order to secure and recover data; and (4) to ensure annual training on data privacy, classification of data and security awareness is provided to offices, teachers, staff, and administrators who have access to PII and PPSI. In addition, the Comptroller suggested the school require its IT vendors to provide a data inventory or mapping that identifies software applications that can access student records at various levels to ensure security by its IT team.
School districts should monitor the security of PII and properly supervise employees who have access to this data. The contractual agreements with the vendors providing services that have direct or indirect access to student PII and PPSI require careful scrutiny from the schools and periodic review of security protocols. Please reach out to our office if you need assistance with issues relating to the safeguarding of PII maintained by your district or the vendors you work with.