Compliance in the education technology industry



What does compliance mean in the education technology industry? Learn more with Justin Beals and Sam Oberholtzer as they discuss the ins and outs of FERPA (Family Educational Rights and Privacy Act) and why compliance in education matters. 

  • What is FERPA, and what PII (personally identifiable information) is included?

  • Why does FERPA matter?

  • What's the impact on a company in the education space?

  • What does Strike Graph recommend for compliance best practices?

Please enjoy this transcript of our video. 

Justin Beals: Hey there, Sam. It's great to see you for episode nine today. It's been a little while. We took a short break, I think. If you can't tell, I moved during the break. I have a slightly different background. It's a wild time. We're not post-pandemic, but inviting each other into our homes via these remote calls. Did you...

Sam Oberholzer: Thank you for having me.

Justin Beals: Of course. [00:00:30] I am a southerner. We're going to offer you some tea. We're going to make sure you're settled in. I assume that I think you had a nice break, playing in some snow, and also a lot of work has gotten done recently at Strike Graph. It's been super exciting as we wrapped up our Q1, along with all of our other business partners.

Sam Oberholzer: Absolutely, and it's April Fools, April 1st.

Justin Beals: Oh, my goodness. It is.

Sam Oberholzer: So this is a nice little fun video cast that we're going [00:01:00] to have today.

Justin Beals: Yeah. I'm extra gullible, so I find that with April Fools jokes, I'm like, "Really?" Then I have to go research it. So you can't leave me hanging too long on the hook if you have one for me today.

Sam Oberholzer: Let me tell you, one time a friend did an April Fools. I forgot what it was, but I remember being really high anxiety because she let it go for two days. She forgot to say, "April Fools," in a text. I thought she severely hurt herself. I'm like, "What is happening right [00:01:30] now?"

Justin Beals: All right.

Sam Oberholzer: So I won't leave you hanging for too long.

Justin Beals: Thanks, Sam. Yeah. Well this particular podcast, we're going to be chatting a little bit about education technology as an industry because next week, you and I are going to be at one of my favorite conferences, ASU+GSV. I get asked all the time, what that stands for. It's Arizona State University and Global Silicon Ventures. Essentially, it's a really interesting ed tech conference where a lot of [00:02:00] early stage startups in the ed tech space are meeting with investors in the Silicon Valley vein and working through some of the innovations that are happening there. I think it's going to be real exciting. It's your first time visiting, but I've gone a fair bit. So this is actually...

Finally, we're into an area that I have a ton of expertise in education technology. For those that don't know, I spent about 15 years developing innovative education technology solutions and it's a lot of fun, [00:02:30] but it's really exciting to work on a project like Strike Graph that has impact in a ton of industries. So you're new to ed tech privacy type concerns. So you're my foible for this particular event. You're going to ask me all the tough questions. I'm going to try to read some expertise.

Sam Oberholzer: Absolutely.

Justin Beals: All right, good. Yeah. Excellent.

Sam Oberholzer: Cannot wait to drill you.

Justin Beals: Good. So let's start off with each industry has had some type of [00:03:00] forward momentum into privacy or security, a little bit. Banking and finance might be like PCI DSS, but education has had one that they've had for a really long time, which, like HIPAA, came in the form of a law and it's called FERPA, F-E-R-P-A. It stands for the Family Educational Rights and Privacy Act. I can't memorize all these, so I'm going to be checking my notes as we go through today.

Sam Oberholzer: Absolutely.

Justin Beals: [00:03:30] So let's talk about FERPA, first of all, was put into place in 1974. So it's been around for a really long time, and we're going to talk about how it is old and languishes and probably doesn't come up to par with some of the types of technologies that we have today and types of solutions. So on the spectrum of working standards, this one is a tough one. I'm not sure how operable it is, but since, as a [inaudible 00:03:59] place, education [00:04:00] technology has been so steeped in it, it's probably a good place for us to start for our ed tech companies that we'll be meeting with next week and just to understand FERPA more deeply. As a CTO, my idea for FERPA, the way I interpret it is you got to keep student data private, essentially...

Sam Oberholzer: Yes.

Justin Beals: ... at the end of the day. [Netnet 00:04:23] was... That felt like the beginning, end, and middle of the story sometimes, but [00:04:30] it's also one of the things to understand about FERPA, you and I talk all the time about what are liability standards and what are revenue standards. FERPA is a liability standard. So you don't get a certificate for it. There's no assessment methodology. You claim compliance, but an independent assessment of that compliance is really almost impossible to get because it's very loose as we're going to describe some of the details around it. So an organization [00:05:00] that is concerned about FERPA is concerned about a liability lawsuit, and you can actually file a FERPA complaint with the Department of Education. Just like the SEC might go after a publicly traded company for some type of issue, that's where FERPA comes into play.

Sam Oberholzer: Absolutely. I think it's also important for our listeners, viewers to also know, or anyone that's in the ed tech space or any SaaS company that might have some [00:05:30] student data or PII, a lot of these privacy laws are just important to understand why it's liability, because it's really trying to protect the rights and the control of students, in this case, over their own data. So a lot of the times, we see that these privacy laws, especially they're coming up more and more because everyone's starting to realize just how crucial it is to protect people's [00:06:00] data, especially children, or users under 18. So that's really what comes down to why these privacy acts are actually coming into place more and more everywhere, globally.

Justin Beals: Exactly. Yeah. I've seen these privacy issues crop up for businesses in some really terrifying ways in education technology, in particular. One story I like to tell is there was a [00:06:30] great startup around 2008 to 2010 called inBloom. They were trying to aggregate a large data set of student performance to identify best practices in education. They had built multi-state contracts to ingest that data. But the whole thing fell apart, even before they could get the product released, when parents at these states, rightfully so, became concerned about the privacy of that data. There [00:07:00] was no good way for this organization to talk to how they were going to keep it secure. So the market of standards around privacy had not really caught up with the opportunity that a solution could bring. So it is dangerous. It can really hurt you. However, it's not going to be that you have an RFP sitting out there and them waiting on your FERPA certificate to come through. That's not the type of issue you're going to see.

One [00:07:30] thing that I learned about FERPA today that I don't think a lot of people know, especially in the education technology product space, is who it actually applies to. So it doesn't actually, according to the law, apply to an ed tech solution. So let's say you're a learning management system. That's not what FERPA says. FERPA says it applies to any public or private school, elementary, secondary, or post-secondary, and any state or local education [00:08:00] agency. So that's any education agency that is receiving funds under a program with the US Department of Education. So when you are shopping your ed tech solution around and a school wants to adopt it, but they ask if you're FERPA compliant, it's not that you're directly liable. The US Department of Education is not going to come knocking on a learning management system's door and say, "We're going to fine you." They're going to fine the [00:08:30] school and that's why the school is terrified about it.

Sam Oberholzer: Absolutely. This is where the high risk comes into play. But we're also seeing even some of our customers have questions around this, that the states or the schools or whatever we're talking about, they're actually pushing down their requirements to our customers that are SaaS [00:09:00] products that might be processing student data. So I would love to hear a little bit into play from your perspective, how we can minimize that risk or minimize the pressure from these schools that are hiring vendors, like some of our customers are.

Justin Beals: Yeah. Honestly, I think the problem for the schools here is that they imagine by asking, "Are you FERPA compliant," that they bring you into some form of liability. I think I would advise schools [00:09:30] that that's just not the case. I mean, anyone can... Lawsuits are written if you decide you want to. Nothing holds that back. But you, as a school, that is held under this FERPA law needs to really decide what your third party risk management program will look like. I don't recommend FERPA as a requirement because it's so loose, as we're going to see, that it's [00:10:00] just not a good ask.

If you're a buyer at a school, asking, "Are you FERPA compliant," is not a great way to manage the risk that a new third party vendor is introducing into your school for liability against FERPA. Yeah. So I think we're going to start talking about a couple of standards that we recommend ed tech vendors go after and buyers start asking for, for sure. Let's talk a little bit about [00:10:30] the information that's protected so that you can know which of these standards are really going to be applicable. It really comes down to student education records. So this is any personally identifiable information. True or false, Sam, email? That's PII, right?

Sam Oberholzer: Yeah. Two or more.

Justin Beals: Two or more.

Sam Oberholzer: [crosstalk 00:10:50] identified to them. Yep. That is the rule of thumb, I tell everybody. Some people don't think location is considered it, but...

Justin Beals: [00:11:00] Well...

Sam Oberholzer: ... we see that it's expanding more and more with these privacy laws.

Justin Beals: I live in a very small town now. I think if someone said Justin plus small town, there'd only be a couple of us so you're probably going to find me out. So I think you're exactly right. It's two pieces of data and sometimes only one, especially if you're dealing with a Social Security number, which is oftentimes how students are tracked with ID values. I mean, the other thing to note is that I don't think we say this enough, is that [00:11:30] any generated value. Let's say you have a database and you create a key ID for each student, that now is personally identifiable information, right? It is identifying a student. Now, granted, you may hold that only in your database, but it's still PII. You still need to protect it. Is that correct, Sam?

Sam Oberholzer: It depends. It really depends on their security controls and what they're doing. If they're masking, I mean, we can get a little bit more into detail with that, but it really is dependent on [00:12:00] what their, I'm just going to call them protocols are around protecting this data. So this is a good segue into why we recommend other standards for organizations that process student data on behalf of these schools.

Justin Beals: Yeah. Okay. One of the things FERPA did well for 1974, kudos to these guys, they actually defined what types of disclosure of personally [00:12:30] identifiable information are allowed. So we're actually going to do the list here so that we know who a school can share this PII information with. So school officials, the school to which a student is transferring, so if you're transferring schools, you can ship the records, specific officials for audit or evaluation purposes. So I think that you could identify evaluation purposes [00:13:00] is somewhere where you start bringing in SaaS platforms and you're putting that data on there and that's where you're starting to share it, any parties in connection with financial aid, to a student. That's critical, especially in higher ed for sharing that data. If you have a research organization that's conducting a study on behalf of the school, then that's okay.

But note that a good research institution will be doing their own privacy review of the research that they're doing and the impact on people. [00:13:30] That's called an IRB, a review board, and it's important to get your IRB sign off on any research that you're doing at, especially, a research institution. Any accrediting organization. So this is especially true for higher ed. If you are a university and you're going through accreditation, you may have to sell [inaudible 00:13:51] share student information in the accreditation process. Any officials in need of health or safety emergencies, [00:14:00] state and local authorities within a juvenile justice system pursuant to specific state law is allowed, and then to comply with a judicial order or lawfully issued subpoena. Note that nowhere in here, and of course this was written in 1974, is any SaaS provider that you want to work with. So this is where I think it not being a permitted disclosure, but the school actually disclosing the data, they need a real [00:14:30] good perspective on why that is still being held in private spaces.

Sam Oberholzer: Exactly.

Justin Beals: Because you're deeply liable if a breach happens at a third party vendor for FERPA, you at the school, again, not the vendor. Now, you could sue for a breach of contract to that vendor, but you better make sure that your contract says something like, "Hey, we expect you to hold this data private." I would also [00:15:00] recommend if you're a buyer, "We expect you to stay compliant with this particular standard." So that's where I think the standards come into play, right, Sam?

Sam Oberholzer: Yeah. As I was thinking through this too, and just from what I know from this, I actually do think that's very crazy that even when you're performing your own research or when you're talking or looking at the law of FERPA, you'll see that when they talk about third parties, [00:15:30] they really are saying, "This is what they should do, but nothing's required." Literally, the only thing that is required is a contract and then they'll state, "Okay. Best practice is that both parties," so the school that has direct access to the student data and then that third party that they might partner with or contract for, they state, "Best practice to share the transparency of their data security or what they use and disclose how [00:16:00] they use the data."

But none of this is actually a requirement. That is fascinating to me because if we think about in health tech, how they came up with HITECH for HIPAA in the US, how they require that actual [inaudible 00:16:22] proves their security and privacy controls. It's actually fascinating that in this case, in education, [00:16:30] mainly dealing with younger, underage, under 18, it's just fascinating that they're not requiring, but yet it's labeled as best practice guidance for those vendors.

Justin Beals: Yeah, absolutely. I've seen all kinds of bizarre questions asked of me as a CTO, like, "Are you FERPA compliant?" One of the ones that I find really interesting is, "Well, you're FERPA compliant if your data is encrypted," but the problem is encryption is transitory always, [00:17:00] right? Because you don't keep it in the gobbledygook encryption and try and read it with your eyes. You have to decrypt it at some point. At that point, the information is exposed. So it's just that I think that there has been... Well let's face it, usually, the buyers are not experts deeply in technology and security, let alone security as a broader practice, and they're doing their best [00:17:30] to respond to what they think are the best practices of their marketplace. However, the best practices are not well-defined because they were defined quite some time ago.

Sam Oberholzer: Exactly.

Justin Beals: Yeah. So we've done good. We have a fair number of education technology customers, and some that started with us when we founded the company more than two years ago. I think what's interesting that I have learned is that some of the security standards that we do commonly see across [00:18:00] business are actually starting to be the security standards being asked for by buyers in education spaces. So I know of at least two or three statewide contracts where the state government chief information security officer has provided an edict for all buyers of technology in the state government for [SOC2 00:18:25] or [ISO27001 00:18:27] certification before purchasing. That's becoming more [00:18:30] commonplace.

Sam Oberholzer: I agree. Even when I'm just thinking about our ed tech customers that they've been showing us and sharing with us, their security questionnaires, and they are seriously a straight up rip from your baseline security program, SOC2 program that includes a list of all questions around what's their security controls. [00:19:00] So that's the most applicable to those companies that are critical vendors to these schools that would have to abide by FERPA.

Justin Beals: We made a leap here that you and I are very comfortable with, but I think it's very confusing when I started. As you helped me learn about it early on, we went from talking about privacy to talking about security. Sam, what is the relationship between the two things?

Sam Oberholzer: Absolutely. [00:19:30] So starting off, privacy relies on security because security is really, how are you protecting the data? How are you protecting with actual controls in place by both indirect? So think about your HR, your employees, they're indirectly impacting systems, as well as your actual system controls. So that's what security is. It's actually protecting [00:20:00] the data. Privacy is protecting the rights of the users to access their data. So that's why privacy relies on security because you can't possibly have your actual data, so PII, secure, unless you have controls surrounding that. If everything was open, then nothing's private because anybody can access it. Yeah.

Justin Beals: Yeah. So another way I might put it is [00:20:30] privacy extends security. If you don't have a security posture, you can't keep things private, but there is a little more added to privacy in that there are individual rights. So there's got to be some controls or processes inside an organization to allow those individual rights to be voiced. I mean, I think about GDPR here as a privacy standard where I can say, "Hey, I want my record deleted."

Sam Oberholzer: Absolutely.

Justin Beals: Good.

Sam Oberholzer: You have that right.

Justin Beals: [00:21:00] Yeah. So I have started to think of SOC2 as a standard and ISO27001 as general security standards, broadly applicable to businesses, a wide swath of them. I think that's why we've seen [CISOs 00:21:19] say, "Here's a general auditable or certifiable security practice that we are just starting to expect." You think that's why we've seen ed tech buyers [00:21:30] start to ask for those?

Sam Oberholzer: Yeah, absolutely, and because they're really, if we're just putting the ed tech companies in one bucket, and if they're really just looking to sell to schools, it's actually quite interesting the relationship, because if there are no laws or if there's no push to prove security, then it's almost like I can see [00:22:00] that starting to happen because we're seeing that happen to every industry. So being a little bit more proactive and being able to prove it, you can just think of SOC2 or ISO just as your, well ISO International, so it's way more strict, but SOC2 as your foundational, because it's going to be translated to everything, every privacy law, every single other security standard you want to go for. I think that's what's just so [00:22:30] important and why we're seeing more ed tech just be interested in what they actually have in place.

Justin Beals: Yeah. I think that if I were advising an ed tech company today, I would ask them one question, "Are you US-centric?" Because there's a lot of ed tech organizations that are like, "Hey, we're built to sell to US curriculums." They may even say like, "We're just focusing on half a dozen states," in their initial rollout. Then SOC2 is a great standard. [00:23:00] I think if you were going more broadly, Europe, Asia-Pac, I would probably focus on ISO27001. Then both of those, in a really nice way, SOC2 and ISO27001 have some carve outs for a privacy certification as well, right?

Sam Oberholzer: Absolutely.

Justin Beals: Yeah. I know in SOC2, it's like there's a minimum required security portion of the standard, but then there's availability, processing [00:23:30] integrity...

Sam Oberholzer: Confidentiality.

Justin Beals: Confidentiality, thank you, and then privacy, right?

Sam Oberholzer: Yep.

Justin Beals: Yes. Good. So if I were an ed tech company, maybe I'm not getting privacy right away, but I'm definitely thinking I'm going to get SOC2 and then hot on the heels, probably privacy, right?

Sam Oberholzer: Yeah, absolutely. Because privacy is a little bit more strange because you're not just thinking about potentially your customers as an organization, [00:24:00] you're potentially thinking about their reach. So it is extending more of that thought process beyond just dealing with your direct customers. So that's why anytime you think that or anytime or any organization has the potential of collecting PII for the requirement of their services, or even if they just don't know, then they should think about the pathway to proving [00:24:30] privacy.

Justin Beals: Yeah, absolutely. Then on the ISO side, ISO27001, and brand new on the Strike Graph product, ISO27701, just to make it difficult, is a privacy specific standard that has an assessment methodology, so you can be certified against it. That covers GDPR quite well, I think, as well, right?

Sam Oberholzer: 100% of an overlap of GDPR. [00:25:00] For those of you that don't know GDPR, it is a global privacy law, but mainly within Europe, but you're going to start seeing that's the highest, strictest privacy standard in the world. So if you are GDPR compliant, then you're going to be good everywhere else. Everything else, it's already covered, which is nice.

Justin Beals: Awesome. Yeah. Well, this has been a [00:25:30] lot of fun for me. I finally get to use a muscle that I had for a while on the education side. I'm super excited to see you in San Diego for ASU+GSV. I know we'll both be on site. We have a booth there. So those that [inaudible 00:25:46] to sit through these conversations that we have are welcome to come see us in person, right?

Sam Oberholzer: Absolutely. I'm super excited because of the fact that, again, since ed tech or just education in general, [00:26:00] I don't... I see the movement going towards proving their due diligence, trying to align with a standard like SOC2, so I'm really excited to educate the educators.

Justin Beals: Yeah. We've seen other markets deal with this, like a tidal wave, right?

Sam Oberholzer: Absolutely.

Justin Beals: One day, it's okay, you're getting contracts. You don't have to prove it. The next day, everyone is asking for it and being ahead of the curve means that you box [00:26:30] out the competition in a sales motion. There is nothing better in your RFP response for school adoption than saying, "We're SOC2 certified." That ensures some control over privacy, especially when your competitors haven't done it yet. So I think for those organizations that want to grow quickly, I think there's an opportunity here to lean in ahead of the movement of the marketplace instead of feeling like you have to respond to it. Yeah.

Sam Oberholzer: I agree. I [00:27:00] know we preach this often just because security and privacy is always at the top of our minds, but it truly is foundational and I truly believe that the industry's going to move pretty quickly. Honestly, probably within the next five years. So why not get started now and prove that, again, just to reiterate the trust that you're trying to build with your customers and their customers, which is the students and parents, but [00:27:30] yeah, I see it going in that direction and might as well be proactive.

Justin Beals: All right, Sam, another great conversation. I'm excited to see you in San Diego. Have a great weekend.

Sam Oberholzer: Have a great weekend. I'm so excited to see you in person. It's going to be... It's finally going to be a compliance party now.

Justin Beals: That's right. That's right. All right. Bye-bye, Sam.

Sam Oberholzer: See ya.
