Three Privacy and Cybersecurity Considerations for Edtech Vendors

Looking to capture market share? Develop a keen awareness of these factors. 

GUEST COLUMN | by Sarah Hutchins, Robert Botkin, Laura Lashley, and Adam Setzer 

The demand for education technology (edtech) has grown sharply over the last several years. According to Learn Platform, edtech usage has doubled since 2020 thanks to remote and online learning, and some market analysts project the industry growing from $250 billion to over $600 billion by 2027. Vendors trying to keep pace with that growth and capture market share must be keenly aware of the data privacy obligations, cybersecurity requirements and breach response protocols their clients require. 


If you are an edtech vendor, you may be subject to the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and a myriad of state privacy, student privacy and data protection laws. Your business’s requirements can vary widely from state to state, from mandated cybersecurity frameworks to precise rules on exactly when data must be destroyed. These laws can be thorny, and engaging legal counsel versed in both education and data privacy laws to help guide the business on how to proactively prepare for compliance is vital. Moreover, with the Federal Trade Commission increasingly focused on COPPA and edtech vendors, now is the perfect time to review your business’s obligations to ensure that compliance is buttoned up. 

This article outlines three key considerations for edtech vendors seeking to expand their business in preschool to post-graduate (P-20) educational markets while maintaining compliance across fifty states.  


Know Your Client (KYC)

Financial institutions have an obligation to conduct due diligence on their customers through a process called KYC. Because laws and regulations vary depending on the identity of the client, accurate KYC-type due diligence can help determine the business’s legal obligations.  

The first KYC question is simply: Who is the client? Many businesses incorrectly assume that the student is their client, when in fact their client may be the school, school district, board of education, state education department or a combination thereof. The identity of the client, however, can dictate the laws your business must observe.

For example, there are many online platforms for juvenile students (or adult students, for that matter) seeking educational material on a specific subject. If Sam, a 12-year-old child in California, finds ABC Academy on his own and watches a computer programming video, then ABC Academy’s client is Sam. In this context, COPPA, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, CCPA) and California’s Age-Appropriate Design Code Act (CAADCA) may require ABC Academy to minimize the personal information it collects from Sam, limit how it uses Sam’s personal information, and implement measures to protect Sam’s personal information, among many other requirements. However, if Sam’s school district contracts with ABC Academy to use its services as part of the educational program, then COPPA, FERPA and the CAADCA may all apply, while the CCPA may not, given its exemption for FERPA-protected information. 

Correctly identifying the client has a profound impact on the business’s legal obligations given the lengthy requirements of the CCPA and the nuances in handling FERPA-protected information.


Process Makes Perfect

Having a legal compliance process for how your business contracts with state and local education agencies can help ensure that your sales team does not make promises your business’s cybersecurity program cannot meet. 

During a solicitation for education vendor services, the state or local education agency will often ask the vendor to certify, represent and warrant that a laundry list of cybersecurity controls is in place. The business’s request for proposal (RFP) response process needs to ensure that its legal and information security departments work hand in hand with the sales team to review the terms of the solicitation, any resulting agreement, applicable board policies and state laws. Information security teams can flag the controls the RFP requires and accurately assess whether the business can comply. Legal teams can likewise assist by presenting modifications and exceptions to the solicitation’s requirements and later by actively negotiating the contract.  

In many states, the contract itself is not the final word for a business’s compliance. Most contracts include blanket requirements to adhere to school board policy and state laws, which can be replete with requirements unique to that school district or state—and which are subject to change. This is why edtech vendors focused on K-12 public school districts especially need to ensure their legal counsel is well versed in education law in addition to general data privacy law. Edtech vendors need to know exactly what they are agreeing to when responding to RFPs or entering into contracts with education agencies, or they may find themselves in breach of contract and in violation of state law for using a one-size-fits-all approach to legal compliance that does not actually fit all.

Having a well-structured RFP response process with built-in input from your business’s relevant departments is critical to ensuring your business keeps its customers happy, regulators satisfied and your business out of court. 


Have a Plan 

Data breaches happen to even the most sophisticated and cautious market participants. However, they happen more frequently to small and medium-sized businesses that lack security controls. While every business can be the victim of a data breach, those businesses with a plan for handling breach response fare much better in maintaining their reputations and retaining their clients—particularly education agency clients who have very large, and very vocal, contingents of parents and educators holding them accountable. 

Your business needs to understand its current data management practices and ensure that risk is reduced throughout the data lifecycle. This includes considering the type of data collected, how the data is stored, how the data is used and ultimately how the data is deleted. Some edtech vendors try to reduce risk by letting schools and teachers control the information entered into the vendor’s system through free-text fields. That is sound risk mitigation in theory but far less effective in practice. Without structural limits on the types of information clients can enter, these vendors quickly find that sensitive health information, disciplinary records and other information they never intended to store is being maintained on their systems. If a data breach occurs, discovering that such sensitive information was implicated will expose the business to additional legal compliance requirements it may not have anticipated. 

Fortunately, there are some simple steps edtech vendors can take to mitigate risk. Not storing data for longer than is reasonably necessary to provide the services, for example, limits how much data can be exposed in a breach. The overarching goal should be to minimize the data that is collected and stored, so that any breach is smaller and less damaging.
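The structured-intake and retention points above, as an added example that is not part of the column and not code from the authors or their firm: a Python intake check that admits only allowlisted fields, scans the one remaining free-text field for health and disciplinary terms so that data the vendor never meant to hold is refused at the door rather than discovered after a breach, and a retention purge that drops records past the window. The field names, value sets, keyword lists, retention period and sample records are assumptions constructed for this example, not a real vendor's schema.

```python
import re
from datetime import date, timedelta

# Structured intake: the only fields the (hypothetical) service needs, each with the
# values it may take. Names and value sets are assumptions made for this example.
SCHEMA = {
    "student_id": re.compile(r"^[A-Z0-9]{6,12}$"),
    "grade": {"K"} | {str(n) for n in range(1, 13)},
    "course": {"math", "reading", "science", "programming"},
}

# The one unstructured field the service keeps. Every other free-text input is refused,
# so this is the only place unintended data can enter and the only field that needs scanning.
FREE_TEXT_FIELDS = {"teacher_note"}

# Constructed keyword lists standing in for the categories the column warns about.
# Keyword matching is a coarse first pass (it misses paraphrases and can misfire on
# benign text); it exists to surface data the vendor never meant to hold, not to
# classify it authoritatively.
SENSITIVE_PATTERNS = {
    "health": re.compile(r"\b(iep|504 plan|diagnos\w*|medication|adhd|allerg\w*)\b", re.I),
    "discipline": re.compile(r"\b(suspend\w*|expel\w*|detention|referral)\b", re.I),
}

# Assumed retention window; the contract and state law set the real one.
RETENTION = timedelta(days=365)


def validate_record(record):
    """Return (clean_record, problems) for one intake record of string values.

    Unknown fields are dropped, structured fields are checked against SCHEMA, and
    free text that matches a sensitive category is refused rather than stored.
    """
    clean, problems = {}, []
    for key, value in record.items():
        if key in SCHEMA:
            rule = SCHEMA[key]
            ok = value in rule if isinstance(rule, set) else bool(rule.match(value))
            if ok:
                clean[key] = value
            else:
                problems.append(f"invalid value for {key}")
        elif key in FREE_TEXT_FIELDS:
            hits = [cat for cat, pat in SENSITIVE_PATTERNS.items() if pat.search(value)]
            if hits:
                problems.append(f"{key} contains {', '.join(hits)} data and was not stored")
            else:
                clean[key] = value
        else:
            problems.append(f"unexpected field {key} dropped")
    for required in SCHEMA:
        if required not in clean:
            problems.append(f"missing {required}")
    return clean, problems


def purge_expired(stored, today_iso, retention=RETENTION):
    """Return (kept, purged_count), dropping stored rows whose ISO last_used date is past the window."""
    today = date.fromisoformat(today_iso)
    kept = [row for row in stored if today - date.fromisoformat(row["last_used"]) <= retention]
    return kept, len(stored) - len(kept)


if __name__ == "__main__":
    # Constructed sample input: one record a structured intake accepts, and one that a
    # free-text intake would have silently stored, health data and stray field included.
    good = {"student_id": "AB12345", "grade": "7", "course": "programming",
            "teacher_note": "Missed the unit quiz, needs a retake"}
    risky = {"student_id": "AB12345", "grade": "7", "course": "programming",
             "teacher_note": "Has an IEP and takes medication for ADHD",
             "home_address": "1 Example St"}
    for rec in (good, risky):
        print(validate_record(rec))
    stored = [{"student_id": "AB12345", "last_used": "2023-01-01"},
              {"student_id": "CD67890", "last_used": "2024-05-01"}]
    print(purge_expired(stored, "2024-06-01"))
```

The design choice worth noting is that the free-text scan refuses the note rather than storing it and flagging it later: once the health data sits in the vendor's database it is already in scope for a breach, so the cheap place to apply the limit is at intake. The retention purge is deliberately a pure function over stored rows so it can be run on a schedule and its purged count logged as evidence that the contract's destruction terms are being honoured.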

As in other parts of our economy and our society, information security is a key component of running a successful business. In the edtech sector, it becomes even more crucial due to both the variations in legal requirements as well as the sensitive nature of student data. A well-conceived compliance plan that clearly identifies the client and data necessary to deliver on the software’s promise, a meticulously drafted contract that presents a clear understanding of overlapping jurisdictions, and a comprehensive data security and disaster recovery plan are all essential elements for successful edtech vendors in today’s increasingly digital education marketplace.

Sarah Hutchins is a partner in the Charlotte, North Carolina office of Parker Poe Adams and Bernstein, LLP. She leads Parker Poe’s Cybersecurity & Data Privacy Team. Her experience with business litigation and government investigations strengthens her cybersecurity and data privacy practice. She is recognized by the IAPP as a Certified Information Privacy Professional/United States (CIPP/US).

Robert Botkin is an associate in the Raleigh, North Carolina office of Parker Poe Adams and Bernstein, LLP. He helps clients navigate data privacy and security issues across industries and assists with developing privacy policies, responding to security incidents, and implementing data governance programs. Robert is a Certified AWS Cloud Practitioner, IAPP Certified Information Privacy Technologist (CIPT), IAPP Certified Information Privacy Professional/United States (CIPP/US), and IAPP Certified Privacy Law Specialist (PLS). 

Laura Lashley is counsel in the Atlanta, Georgia office of Parker Poe Adams and Bernstein, LLP. She advises clients on education policy and technology. 

Adam Setzer is an associate in the Raleigh, North Carolina office of Parker Poe Adams and Bernstein, LLP. He is a litigator who helps corporate clients resolve business disputes, navigate class actions, and defend unfair trade practices claims. 
