[BreachExchange] Massive Data Breaches, Billions in Wasted Funds: Who Is Holding Edtech Vendors Accountable?

Destry Winant destry at riskbasedsecurity.com
Thu May 25 00:40:17 EDT 2017


In 2014, University of Maryland President Wallace Loh made a desperate
appeal to the Senate to support legislation that would force businesses to
more aggressively address the cybersecurity issues that cost his university
millions of dollars. His request fell on deaf ears as the bill died.

Since then, a slew of security breaches and malicious data hacks have hit
educational institutions, including K-12 districts and their technology
providers. Most recently, one of the most widely used education technology
companies, Edmodo, had records for over 77 million users compromised.

In the absence of legal recourse and protection, lawyers and researchers
are encouraging educators to defend themselves—starting at the negotiating
table. They point to vendor contracts as the frontline of these efforts,
noting that schools can and should demand better transparency around
privacy protection, cybersecurity practices and even pricing terms. By
doing so, schools can save themselves headache—and possibly billions of
taxpayer dollars.

The Cost of Privacy Breaches

When a privacy breach is found, schools and districts have to follow
protocols that can be costly in terms of time and money. Laws regarding
school data breaches vary vastly, from notification timelines to
organizational responsibilities. For example, while one district might only
require users to be notified by email, others demand that schools send out
physical letters. Some districts also make schools report to credit
agencies and offer reparations in the form of a credit monitoring service.

Parents are sometimes the last to know. Often they read about these
incidents in the news before receiving official notice from the district or
company. “We were victims of the FAFSA breach,”
says Rachel Stickland, a mother of two, referring to an incident reported
in April in which the records of up to 100,000 financial aid applicants may
have been stolen. “Now we are victims again with Edmodo.” She adds: “A lot
of these free edtech products are integrated into the classroom before you
have a chance to know about them. There is a lot of pressure for schools to
use these services.”

Stickland is the co-founder of Parent Coalition for Student Privacy
<https://www.studentprivacymatters.org/>, an organization that recently
released a toolkit
that informs parents about the data being collected through schools and
vendor tools, and their rights in the event of a security breach.

When Stickland first learned about the FAFSA breach, she scrambled to
protect her son's information, but she found the process too stressful and
even risky as she was asked to send sensitive information like social
security cards and birth certificates via online platforms or through the
mail. After the Edmodo breach, which she heard about first from news
reports, she felt at a loss.

Rachel was not the only parent looking for a way to protect her child, and
neither is Edmodo the only edtech company to be hit by security issues. In
April, a cybersecurity researcher found that Schoolzilla
had inadvertently exposed personally identifiable student data (including
social security numbers) for more than a million users. Fortunately, the
company confirmed that no one else had accessed that data. Still, the
incident left in its wake some costly follow-up communication and legal
work for school administrators.

While the companies scrambled post-attack to patch up the problems with
their servers, most users were simply sent an apologetic email, leaving
them to fend for themselves. No wonder, then, that many parents feel
surprised—and powerless.

“My biggest concern is not the email address or password. He wrote his
personal thoughts on and opinions about things on Edmodo. I am not sure who
would purchase these things, but they can see it,” says Stickland.

There’s little legal recourse that parents can take as the federal
legislation that gave families rights to student privacy, The Family
Educational Rights and Privacy Act (FERPA), created in 1974, has not been
updated in years. “Under FERPA parents cannot sue [the company or school
district], it does not provide a private right of action,” says Matthew
Johnson, a privacy lawyer who specializes in education technology. “The
only way FERPA can be enforced is if someone files a complaint to the
Department of Education (ED).”

Johnson notes that filing a complaint with ED could have grave implications
for schools, causing them to lose federal funding. Vendors can also be
barred from contracting with the school districts, but he notes that these
consequences have never been invoked under the statute.

“FERPA was not written with the intent of dealing with a modern-day data
breach, and that’s why you see a lot of calls from a lot of parties to
amend and update FERPA,” says Johnson. He notes that local pressures have
caused individual states to take up privacy issues through local
legislation, and as a result penalties and cost vary vastly.

According to a study commissioned by IBM and conducted by the Ponemon
Institute <https://www.ibm.com/security/data-breach/>, a data breach costs
the responsible party an average of $246 per account. In the education
sector, whether the district or the vendor bears that burden depends on
the contracts and on who is at fault for the breach, says Johnson. If a
teacher was careless with passwords and that led to a breach, then all cost
associated with the breach could fall on the school or district.

“Contracts used to be silent about a school’s role in a data breach. It
wasn’t something that was actually contemplated when they were drafting the
agreement,” explains Johnson. “Which is a bit of an issue when you are
trying to figure out which rights each party has after the fact, and that
is a more difficult situation for everyone involved.”

Researching Price Gouging

Another group hoping to bring more attention to contracts is the Technology
for Education Consortium <http://techedconsortium.org/>(TEC), a nonprofit
that aims to bring more transparency to the procurement process for K-12
edtech services. In March the group released a report
that claimed school districts could save at least $3 billion if their
vendors charged customers at a consistent and transparent rate.

The report noted that edtech companies such as Renaissance Learning
seemingly charged districts at random for the same products, citing tens of
thousands in price differences where random “discounts” were applied
without clear
“There is no way for districts to look anywhere and see how much [other]
licenses cost, and you cannot get a price or quote till you go through a
procurement process,” says Hal Friedlander, co-founder and CEO of TEC.
“Often the price is not in the contract, and usually smaller districts feel
like they get the worst deal.” Friedlander explained how districts would
see links in contracts (where prices should be) leading to “rabbit holes”
of information.

Since there is no legislation against these practices, Friedlander has
created a tool (a sort of Glassdoor for districts) where he hopes districts
can share prices that they pay for edtech products. His organization has
also reached out to schools to compare contracts from vendors.

“Is it possible for for-profit companies to do business with school
districts in a way where both sides get the advantage?” asks Friedlander.
“To be frank, companies have more money for lawyers, more money for
marketers, more money to hire staff members to pitch products and school
districts are outgunned in a way. There is no way they can win in a deal.”

LeeAndra Khan, a middle school principal at Brooks Middle School in
Chicago, echoes Friedlander’s frustration, noting that the limited
resources offered to school districts, coupled with inadequate training on
education technology products, can lead to well-meaning educators making
rash purchasing decisions.

“Working in the district you are really under the gun to address the areas
of growth,” says Khan. That pressure can cause schools, principals and
teachers to acquire products without a thorough plan or understanding of
the product’s capabilities.

Khan notes that although some districts have lawyers who review purchase
agreements, some vendors go to teachers and principals directly, many of
whom are not equipped to negotiate with suppliers. “I wonder about people
knowing the wealth of a district,” says Khan. “Before I was a principal, I
wrote a plan for a six-million dollar grant, and I call them poverty pimps
because it’s almost like they can smell the money, people start cold
calling you.”

Khan understands that vendors sometimes approach teachers directly to get a
foothold in schools—and possibly find an evangelist who can promote the
product to fellow teachers or administrators. She thinks professional
development covering contract review and negotiations could help but points
out that most districts lack the budget for it.

“You definitely can be taken advantage of,” says Khan. “I don’t know for
sure if that has ever happened to me, but then again, how would I know?”

Matthew Johnson echoes those sentiments, noting that providing school
employees with training on privacy expectations from vendors, cybersecurity
threats, and operational precautions could save districts millions. “It is
important to be able to assess what vendors’ privacy practices are. Do they
have a privacy policy that appears to have been well thought out and
written to reflect what they do and don’t do with data?”

He hopes this type of training can help bring some parity, in favor of
schools, during the contract negotiation process. He already sees
improvements. “The other question asked more often is: ‘What are you doing
and what are we doing in a contract provision to reduce the likelihood of
something going wrong?’” says Johnson. “[Schools] are never going to take
it down to zero because ultimately they still work with people, and people
make mistakes.”