On October 1st, several New York school districts posted new data security and privacy policies to their websites to comply with the state’s new student privacy regulation, Part 121. Although New York has had a student privacy law (Education Law §2-d) on the books since April 2014, Part 121, which became effective on January 29, 2020, serves as the law’s implementing regulation and spells out the baseline data privacy and security requirements set forth by Education Law §2-d. According to the New York State Education Department, Part 121 provides “guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data.” Edtech companies should prepare for a wave of school and district requests to significantly amend contracts to comply with the new regulations.
Part 121 imposes new contractual, security, and training requirements unlike those required by any other state. Some key changes include:
- Broadening the definition of “third-party contractor”
- Defining “commercial or marketing purpose”
- Requiring a data security and privacy plan for every contract involving personally identifiable information (PII); the plan must describe how the contractor will implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework and HIPAA-level encryption standards, and how it will train employees and “assignees” on relevant state and federal privacy laws
- Clarifying enforcement procedures
To help edtech companies understand the new requirements of Part 121, below is a brief overview of student privacy regulations in New York and an overview of key changes, including the new security requirements, who must comply, and how the law will be enforced.
BACKGROUND: STUDENT PRIVACY LAWS IN NEW YORK
In 2014, lawmakers across the country introduced 110 student privacy bills, 30 of which were enacted. Many of these laws took what Data Quality Campaign calls a “prohibitive approach,” by trying to prevent or halt “collection of a certain type of data (e.g., biometric data) or a certain data use (e.g., predictive analytics).” New York followed this trend, passing two laws that year. One of these laws was Subpart K of the 2014–2015 state budget, which specifically governed third parties that provide data storage and dashboard services.
The second was Education Law §2-d, a much broader student privacy law governing state and local privacy and security practices, with multiple implications and requirements for third parties. This law created a new position in the state’s department of education, the chief privacy officer (CPO), who has broad powers to investigate and punish violations of the law. The CPO was also tasked with creating regulations before any enforcement could take place. Part 121 provides these regulations for Education Law §2-d.
The framework of Education Law §2-d and Part 121 differs substantially from student privacy legislation in other states. For example, no other state requires HIPAA-level encryption in addition to adherence to the NIST Framework, and only one other state student privacy law protects teacher and principal data in addition to student data.
BREAKING DOWN PART 121
Who is subject to the law?
The law applies to third-party contractors and defines the term as “any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency under a contract or other written agreement for purposes of providing services to such educational agency.” This language adds several layers of complexity to compliance requirements. For one, “any person or entity” presumably encompasses not just companies, but also academics and researchers that access student, teacher, or principal data. Additionally, the term “contract or other written agreement” now includes clickwrap agreements, downloaded applications, and “other technologies in which a user must agree to terms and conditions before using the product or service.” Whether third-party contractors must include a Data Security and Privacy Plan in clickwrap agreements remains an open question.
What activities does the law prohibit?
Education Law §2-d prohibits the use of PII for commercial or marketing purposes, but the law did not define the terms “commercial purpose” and “marketing purpose”; the new regulations define these terms for the first time. The regulations define the terms to mean “the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve or market products or services to students.” This definition potentially includes a wide range of practices, introducing potentially impracticable burdens for companies seeking to comply with student privacy laws across the nation. Notably, the Education Department clarified that when schools contract with a photography or yearbook company and the company notifies students and families about their services, it will not violate the prohibition on “commercial or marketing purposes” so long as these activities fall under the “exclusive purpose for which the contract was put in place.” Notifying students and parents is considered part of the photography or yearbook company’s service to a school.
What are the law’s new security requirements?
The law also requires edtech companies to develop a data security and privacy plan, and the regulations require school districts to approve these plans before entering into contracts. Since 2014, companies have been required to employ HIPAA-level encryption standards to protect data “while in motion or at rest.” Note that HIPAA itself does not name a cipher or key length: §2-d points to the encryption technology or methodology specified in the U.S. Department of Health and Human Services’ HITECH Act breach-notification guidance, which in turn relies on NIST encryption guidance for data at rest and in transit. A plan should therefore cite the specific NIST-aligned controls it uses (for example, which protocols and algorithms protect data in transit and how stored data is encrypted and keys are managed) rather than simply asserting “HIPAA-level” encryption. In addition to the HIPAA encryption standard, Part 121 now requires companies and districts to “adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework.”
During the notice and comment period regarding Part 121, many commenters argued that introducing the NIST Framework to the education setting would be impracticable since the standard was not specifically designed for education use-cases. In response, the New York State Education Department noted that the standard “is intended to be tailored to different sectors,” and its flexibility supports application in education settings. The department selected the NIST standard because it is “credible, durable, enforceable, understandable and supportable.”
Company data security and privacy plans must describe how the company’s data security and privacy practices align with relevant local, state, and federal data security and privacy contract requirements, including the NIST Framework and HIPAA encryption standard. Schools and districts must approve edtech companies’ data security and privacy plans, and contracts must include the plans.
Developing a plan that meets Part 121’s requirements requires foresight into how subcontractors might interact with protected data: if companies use subcontractors, the plan must describe how the company will use them and “manage those relationships and contracts to ensure [PII] is protected.” Additionally, educational agencies must require companies to have plans for ensuring “that the subcontractors . . . will abide by all applicable data protection and security requirements.”
Finally, the plan must outline how employees and assignees will be trained on “federal and state laws governing confidentiality of [protected] data” before accessing protected data. Although this law does not define it, an “assignee” is often an entity or person to whom contractual rights are transferred. Here, the term likely refers to situations in which subcontractors handle certain company obligations or if the company undergoes a merger or restructuring.
How are the law and the new regulations enforced?
The New York State Education Department’s CPO is responsible for creating regulations and enforcing the law. With a CPO in office and the regulations in effect, enforcement is on the horizon. The law provides the CPO with broad investigative powers: they can require third parties to testify and submit documents, and can “visit, examine, and inspect the third-party contractor’s facilities and records” when investigating alleged §2-d violations. If the CPO determines that a third-party contractor has violated §2-d, the third party has 30 days to submit a response after receiving notice of the violation. If, after reviewing the response, the CPO still believes the third party has violated the law, the CPO can take action in several ways:
- Preclude the violating third party, for up to five years, from accessing PII or protected data from the educational agency or from bidding on education contracts involving protected data. This penalty is similar to the five-year ban that can be imposed under the Family Educational Rights and Privacy Act (FERPA).
- Require the third party to immediately conduct data confidentiality training for all employees who come into contact with protected data.
- Choose not to penalize the third party if the breach or unauthorized release occurred “without intent, knowledge, recklessness or gross negligence.”
- Assess monetary penalties. Penalties for a §2-d violation are assessed per “violation of any provision . . . by a third party contractor or its assignee.” The maximum penalty for a §2-d violation is $250,000. Whether fines may be aggregated across a set of violations, or whether $250,000 is the ceiling for a single violation of the law, is unclear.
NEXT STEPS
Now that the regulatory requirements are in effect, companies should operationalize the new security standards as soon as possible and establish data security and privacy plans that meet the law’s requirements. Although educational agencies were required to have data security and privacy policies in place by October 1, 2020, many published their policies on their websites well before the deadline. Additionally, the state’s CPO published answers to FAQs about the law and regulations and developed a model data privacy addendum that districts statewide may adopt.
Companies should be prepared to explain how their practices align with school policies by ensuring that their data security and privacy plans meet the regulatory requirements. Further, companies should take stock of how subcontractors fit into the equation: now that contracts must include specific information about subcontractors, companies must be able to explain how they will ensure that subcontractors protect student data, as well as certain teacher and principal data. Companies should also ensure that annual privacy training includes subcontractors that interface with protected data.
New York’s student privacy requirements diverge from most other state student privacy laws and will require a measured, thoughtful approach. Companies should remember that schools and districts are also working to comply with the new Part 121 requirements. By keeping communication lines open, both companies and schools will forge a new path towards protecting student privacy.
KEY REFERENCES AND RESOURCES
- Education Law §2-d
- NYCRR Part 121
- NYSED’s Frequently Asked Questions for DPOs
- RIC One’s Data Privacy Security Initiative Resources