The Family Educational Rights and Privacy Act of 1974 (“FERPA”) is a federal law that aims to protect sensitive student information. Educators are required under FERPA to make sure no unauthorized person gains access to certain information from student education records.
With the mass transition to online learning, cybercriminals are on the prowl more than ever for student personally identifiable information (“PII”) which can include a student’s name, social security number, address, and date of birth. Just one slip up can lead to a hacker stealing hundreds to thousands of students’ records that are now available online. On top of students’ and parents’ personal data being stolen, each school that violates FERPA is subject to penalties.
Here are 5 things to help a teacher be prepared to fight against possible cyberattacks.
There has been a significant increase in phishing scams since the dramatic shift to online learning. Phishing emails, which are emails from hackers with fake links or attachments that download malware when clicked, have increased by 40% during the coronavirus pandemic, according to a recent study out of Italy.
A popular phishing scam involves cybercriminals posing as employees of the World Health Organization (“WHO”) and sending information regarding the virus. These emails then contain dangerous malware that can take over computer systems and steal sensitive data. However, the WHO has released helpful information to prepare individuals who may be targeted. If you receive an email from someone who claims to be from the WHO, verify the identity of the sender before responding.
Always check the email address to see if it is official (@who.int); check the link before you click (‘https://www.who.int’); and do not fall for the sense of urgency hackers use in their emails to put you under pressure. The World Health Organization will: never ask for your username or password to access safety information, never email attachments you didn’t ask for, and never conduct lotteries or offer prizes, grants, certificates, or funding through email.
Another harmful scam involves emails that attempt to schedule virtual meetings. Cybercriminals have registered domains pretending to be Zoom, Microsoft Teams, and Google Meet-related URLs. They then seem more legitimate and can more easily fool recipients into downloading malware that causes a serious data breach. In an online school setting, students or even teachers are expecting these links and are less likely to carefully verify them.
Alert students of the potential for hackers and let them know what email to expect If you receive an email or meeting notification that makes you panic, reach out to other trustworthy people like coworkers and supervisors to confirm the content of the suspicious email. Similarly, the school’s IT departments should be expecting these increasing attacks and should develop multiple levels of security and educate employees on how to properly follow security protocol.
FERPA requires schools to get consent before sharing information about students. Schools should figure out what student information they might need to share throughout the school year before classes begin to properly ask for consent from parents or students during the school registration period. For example, when registering students for virtual class platforms, it typically requires student names, email addresses, and more. When partnering with a new tech company, read the terms of service for all new technology implemented to understand what student information is required to use it. When asking for consent, teachers should be transparent with parents about what this information will be used for.
There are two exceptions that allow educators to share student information without consent. The directory information exception covers certain basic student information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Educators can share this information, called “directory information,” without consent as long as parents are notified and can opt-out. Each school designates what is considered directory information and can include a student’s name, phone number, email address, and grade level.
The school official exception allows schools to share PII without consent if the tech company performs an institutional service that would normally be a job for the school’s employees and if the school directly controls how the new company uses and keeps student records. Third-party vendors, like Google, sometimes list in their terms of service that they should be considered a school official.
However, while there are exceptions to consent, it’s always a best practice to still ask for consent to avoid any confusion or concerns from parents. Parents have the right to report a school if they think teachers are not following FERPA. Also, certain companies may require in its terms of service that information of students under a certain age requires direct consent anyway, even if under federal law a school would be able to share that information.
Educators should understand what information is protected under FERPA and what is considered an education record, especially with the transition to remote learning and the availability of PII in digital formats.
To be considered an education record protected under FERPA, the record must be both:
For a record to be directly related to a student, it must focus on the student as the main subject, not just accidentally include one. Typically, if a student is the main focus of a photo, it is probably considered directly related to that student and would be protected under FERPA, if it is also maintained by the school. If the student is captured only as part of the background of a photo or video, it is most likely not directly related and can be shared without violating FERPA.
This means an ID photo or a recording of a student presentation would probably be considered directly related to a specific student, while surveillance videos and public school events, like sporting events, concerts, and theater performances, would not. This also means that video recordings of classes can be shared with other students enrolled in that class, as long as there is no PII discussed during the class. If a teacher is teaching a virtual class where students will be presenting or participating on camera frequently, like debate, the teacher should require consent prior to class to avoid any issues.
Even if a record is directly related to a student, a school must also maintain the record for it to be considered an education record under FERPA. The U.S. Supreme Court in Owasso Indep. Sch. Dist. No. I-011 v. Falvo, 534 U.S. 426, 433 (2002) used the definition of maintain, “to keep in existence or continuance; preserve; retain,” as a guide when figuring out whether something is maintained under FERPA.
A typical example of a maintained record is a paper filed centrally within the school’s student records system. Examples of records not maintained by a school include peer-graded assignments because the information is created and maintained by another student, letters of recommendation because the student normally receives and keeps a record of it, and photos taken by spectators at school events because the school does not have a copy.
With the shift to online learning, an easier and more engaging way to post assignments and updates to your students is to take advantage of social media as a learning tool. However, before creating an account or posting anything on the internet about your class or students, it is crucial that a teacher find and review their school’s social media guidelines and practices.
A teacher should never use their personal account, and instead, create a separate account for professional use and modify the settings to enhance the privacy of their students. The best way to limit the access of information posted on social media is to make the account itself “Protected” or “Private.” This gives a teacher greater control over who they let follow the account and who can see posts. Teachers should also take the time to instruct their students on what types of information they are allowed to post, or a teacher could decide to disable comments and be the only one in control of the information.
Students are not the only ones who should understand what information can be posted on social media. Before posting, teachers should make sure there is no student PII in the post, including handwriting, completed student assignments, photos, or videos of students as the direct subject (be sure to check the file name), and that they turned off location services. However, if teachers receive parental or student consent prior to making a social media account, they can have more flexibility with their posts.
Finally, here are some tips on how to adjust virtual classroom settings to make sure hackers do not launch a successful attack.
For students who do not want to consent to their child participating in online learning, a school should consider giving an option which requires that those students cannot have their video or audio enabled.
Request a teacher training session from Besnoy Law to learn more about how to follow FERPA guidelines.
Amy Weiss is a Summer Associate for Besnoy Law P.C., where she conducts legal research on the evolution of privacy laws including FERPA, CCPA, GDPR, and HIPAA. Her passion for ad tech and privacy came while working in broadcast, print, and digital media organizations. As a digital marketing strategist for a media buying agency, Amy developed best practices for protecting personal information when creating targeted ad campaigns using platforms such as Facebook and Google. Amy is currently a rising 2L at the Benjamin N. Cardozo School of Law and is on the executive board for the Intellectual Property Law Society as its IT/Software Chair. She is also a Staff Editor on the Cardozo Arts and Entertainment Law Journal.