04.15.2020

As educational institutions around the state react to COVID-19, the use of online technology has become a central feature of the educational experience for students, teachers and administrators.  The increasing prevalence of technology is leading to increased reliance on third parties to assist with the delivery of educational services remotely. 

Prior to contracting for the use of any online resources for distance education purposes, educational institutions must evaluate the vendors’ contracts.  Such contracts often include online terms of use and privacy policies.  Vendors offering these online services tend to approach educational institutions with template contracts or “click-through” agreements that favor the vendors, and often do not include the legal protections that educational institutions require.  It is necessary for educational institutions to review and negotiate the contract terms to ensure that all data protections and privacy levels that school districts must comply with are properly represented in such contracts.  There is no template or standard contract that applies to all cloud computing situations.  Administrators should also expect contractual differences due to the type of service being offered, such as standard instruction, special education, or psychological counseling.

In reviewing and evaluating a vendor’s contract, educational institutions should always keep in mind the phrase, “If we have to do it, the vendor has to do it.”  Regardless of where educational institutions’ data is stored, educational institutions remain responsible for the security of their data.  Thus, any contract with a vendor must require the vendor to protect the educational institution’s data, at least to the same level as required of the educational institution.  In allocating responsibilities, the educational institution should consider the following issues.

Relevant Laws

Data privacy, security and safeguarding laws that concern the use and disclosure of personally identifiable information still apply to educational institutions even if a vendor is storing that information.  These may include the Family Educational Rights and Privacy Act (FERPA), which protects student data; the Children’s Internet Protection Act (CIPA), which addresses children’s access to obscene or harmful materials; the Student Online Personal Information Protection Act (SOPIPA), which limits website operators from compiling and using personal information of a minor for marketing purposes; the Children’s Online Privacy Protection Act (COPPA), which protects the privacy of children under the age of 13 when collecting personal information; as well as other state and federal consumer protection and privacy laws.  Moreover, Education Code Section 49073.1 requires educational agencies and third parties to include specific provisions regarding the security, use, ownership and control of student records in their contracts.  While each of these laws may not be applicable in all cases, if the contract covers information affected by these laws, the educational institution must require the vendor to comply with them.  More information about these laws and student privacy issues in implementing distance education can be found in our prior Alert https://www.aalrr.com/newsroom-alerts-3660. As previously discussed in that Part I Alert, educational institutions should also be working with legal counsel to create or update their online distance education policies if they have not done so already.  We encourage educational institutions to ensure that the distance education policies and notices that they are using are personalized to meet their individual needs, including corresponding with the educational institution’s existing policies and the best practices and legal requirements discussed in this Alert.

Access and Control of Data

Educational institutions must also confirm that the data being stored by these vendors is accessible to the educational institution.  Educational institutions must have access and control over their data in order to make sure that it remains protected and to permit student and parent access to personal data upon request.  To ensure that data is accessible and in a usable format, educational institutions should include language in their contracts that guarantees access to usable data.  Contracts should also specify that educational institutions retain ownership of all of their data and limit how vendors may use that data.

Document and Data Retention

Contracts should also address e-discovery issues to ensure that vendors comply with litigation holds and discovery requests.  Contracts should also include language regarding document retention laws and policies, so that vendors are aware of and must comply with the educational institution’s own policies as well as any legal requirements.  Subpoena response procedures are critical to allow educational institutions to comply with subpoena requirements and timelines.  Similarly, California Public Records Act compliance should be included so that vendors are aware of the requirements and the statutory timelines for compliance.  Educational institutions should require and be comfortable with vendors’ data backup, archiving, and disaster recovery procedures.  Additionally, the timeline and process for the return of data after the termination or expiration of a contract should be clearly spelled out. 

The contract should limit where educational institutions’ data is stored and require that the contract terms and requirements apply to any successor companies that may take over and/or replace the vendor.  Furthermore, educational institutions should consider whether to allow institutional data to be stored on outside servers.  

Transfer of Data

As the transfer of data through the Internet increases, it has become more common for data to be stolen through computer malware, viruses, hacking or stealing actual computer devices including laptops, tablets, smart phones and thumb drives.  As a result, identity theft has become one of the fastest growing crimes in California.  The Information Practices Act of 1997 requires companies to notify individuals when unencrypted data breaches disclosing personally identifiable information occur or face significant statutory penalties and civil liabilities.  Additionally, depending on the type of data or personal information lost, certain federal laws might apply, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.   As a result, educational institutions should require data encryption for all personally identifiable information.  Cyber risk, data breach and interruption insurance should also be considered, so that if a breach or loss does occur, the educational institutions have some added safeguards in place.

Liability Concerns

As noted above, vendors often provide template contracts to customers, including educational institutions.  These contracts often are made up of multiple documents and may reference websites that contain additional terms of service that must be reviewed by the educational institution and revised if they contain unacceptable terms.  Such contracts generally include limitations on the vendor’s liabilities, as well as broad disclaimers of warranty.  Multiple documents can be confusing and inconsistent, and the warranty and liability limitations can undermine the protections that educational institutions need for their data.  The contracts often indicate that any online terms of service can be changed or modified at the will of the vendor. 

As a result, the price of a contract often does not equate with the potential risk and liability an educational institution accepts when allowing a third party to have access and control over the educational institution’s data.  This is a significant concern when the services are provided at little or no charge.  Thus, regardless of the size of the contract, educational institutions should carefully review all documents, websites and attachments to any contracts proposed by vendors to confirm that all of the data protections noted above are included and that those protections are not modified, weakened, or limited by the contract language.  Particularly as educational institutions are acting quickly to implement new means of providing high quality educational programs to their students in response to COVID-19 closures – often by increasing or changing the various online services and vendors with whom they are doing business – it is important that they remain mindful of the complex legal issues implicated by such uses.  We recommend that educational institutions work closely with their internal IT experts and legal counsel to assess third party contracts and requirements to address these issues as in integral component of the transition to distance learning.

AALRR’s Education Law Technology Group and Data Privacy and Security Team has extensive experience in counseling educational institutions, companies, governmental entities and individuals in contracting for services and proper protections.  Our attorneys have helped clients with their technology issues, including handling internal and external data breaches and thefts, as well as adapting to distance learning platforms in connection with COVID-19. 

This AALRR publications is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR presentation/publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.

©2020 Atkinson, Andelson, Loya, Ruud & Romo