Security compliance Designing security programs Security compliance Designing security programs SOC 2

Video | FERPA for EdTech companies

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

When it comes to student data, educational institutions are intimately familiar with the major piece of legislation surrounding privacy — the Family Educational Rights to Privacy Act, or FERPA. While schools hear FERPA mentioned on a regular basis, EdTech companies may have less familiarity with the requirements of this legislation, especially when it comes to cybersecurity.

Join Strike Graph CEO Justin Beal and Director of Sales Engineering Sam Oberholtzer in the video below for a deep dive into who and what FERPA covers and how this 1974 piece of legislation is being applied to modern technologies. Or, read on for a quick look at the most important points for EdTech companies to know about FERPA.

Click to read full transcript


Justin Beal: So let's start off with each industry has had some type of forward momentum into privacy or security, a little bit of banking and finance might be like PCI DSS, but education has had one that they've had for a really long time, which like HIPAA, came in the form of a law and it's called FERPA, F-E-R-P-A. It stands for the Family Educational Rights and Privacy Act. I can't memorize all these, so I'm going to be checking my notes as we go through today.

Sam Oberholzer: Absolutely.

Justin Beal: So let's talk about FERPA, first of all, was put into place in 1974. So it's been around for a really long time, and we're going to talk about how it is old and languishes and probably doesn't come up to par with some of the types of technologies that we have today and types of solutions. So on the spectrum of working standards, this one is a tough one. I'm not sure how operable it is, but since, as a marketplace of education technology has been so steeped in it, it's probably a good place for us to start for our ed tech companies that we'll be meeting with next week and just to understand FERPA more deeply. As a CTO, my idea for FERPA, the way I interpret it is you’ve got to keep student data private at the end of the day. Netnet was, that felt like the beginning, end, and middle of the story sometimes, but it's also one of the things to understand about FERPA, you and I talk all the time about what are liability standards and what are revenue standards. FERPA is a liability standard. So you don't get a certificate for it. There's no assessment methodology. You claim compliance, but an independent assessment of that compliance is really almost impossible to get because it's very loose as we're going to describe some of the details around it. So an organization that is concerned about FERPA is concerned about a liability lawsuit, and you can actually file with the Department of Education a FERPA complaint. Just like the SEC might go after a publicly traded company for some type of issue, that's where FERPA comes into play.

Sam Oberholzer: Absolutely. I think it's also important for our listeners, viewers to also know, or anyone that's in the EdTech space or any SaaS company that might have some student data or PII, a lot of these privacy laws, it’s just as important to understand why it's liability, because it's really trying to protect the rights and the control of students, in this case, over their own data. So a lot of the times, we see that these privacy laws, especially they're coming up more and more because everyone's starting to realize just how crucial it is to protect people's data, especially children, or users under 18. So that's really what comes down to why these privacy acts are actually coming into place more and more everywhere, globally.

Justin Beal: Exactly. Yeah. I've seen these privacy issues crop up for businesses in some really terrifying ways in education technology, in particular. One story I like to tell is there was a great startup around 2008 to 2010 called InBloom. They were trying to aggregate a large data set of student performance to identify best practices in education. They had built multi-state contracts to ingest that data. But the whole thing fell apart, even before they could get the product released, when parents at these states, rightfully so, became concerned about the privacy of that data. There was no good way for this organization to talk to how they were going to keep it secure. So the market of standards around privacy had not really caught up with the opportunity that a solution could bring. So it is dangerous. It can really hurt you. However, it's not going to be that you have an RFP sitting out there and them waiting on your FERPA certificate to come through. That's not the type of issue you're going to see.

One thing that I learned about FERPA today that I don't think a lot of people know, especially in the education technology product space, is who it actually applies to. So it doesn't actually, according to the law, apply to an EdTech solution. So let's say you're a learning management system. That's not what FERPA says. FERPA says it applies to any public or private school, elementary, secondary, or post-secondary, and any state or local education agency. So that's any education agency that is receiving funds under a program with the US Department of Education. So when you are shopping your EdTech solution around and a school wants to adopt it, but they ask if you're FERPA compliant, it's not that you're directly liable. The US Department of Education is not going to come knocking on a learning management system's door and say, "We're going to fine you." They're going to fine the school and that's why the school is terrified about it.

Sam Oberholzer: Absolutely. This is where the high risk comes into play. But we're also seeing even some of our customers have questions around this, that the states or the schools or whatever we're talking about, they're actually pushing down their requirements to our customers that are SaaS products that might be processing student data. So I would love to hear a little bit into play from your perspective, how we can minimize that risk or minimize the pressure from these school that are hiring vendors, like some of our customers are.

Justin Beal: Yeah. Honestly, I think the problem for the schools here is that they imagine by asking, "Are you FERPA compliant," that they bring you into some form of liability. I think I would advise schools that’s just not the case. I mean, anyone can, lawsuits are written if you decide you want to. Nothing holds that back. But you, as a school, that is held under this FERPA law needs to really decide what your third-party risk management program will look like. I don't recommend FERPA as a requirement because it's so loose, as we're going to see, that it's just not a good ask.

If you're a buyer at a school asking, "Are you FERPA compliant," is not a great way to manage the risk that a new third party vendor is introducing into your school for liability against FERPA. Yeah. So I think we're going to start talking about a couple of standards that we recommend ed tech companies vendors go after and buyers start asking for, for sure. Let's talk a little bit about the information that's protected so that you can know which of these standards are really going to be applicable. It really comes down to student education records. So this is any personally identifiable information. True or false, Sam, email? That's PII, right?

Sam Oberholzer: Yeah. Two or more.

Justin Beal: Two or more.

Sam Oberholzer: It has to be identified to them. Yep. That is the rule of thumb, I tell everybody. Some people don't think location is considered it, but ...

Justin Beal: Well...

Sam Oberholzer: ... we see that it's expanding more and more with these privacy laws.

Justin Beal: I live in a very small town now. I think if someone said Justin plus small town, there'd only be a couple of us, so you're probably going to find me out. So I think you're exactly right. It's two pieces of data and sometimes only one, especially if you're dealing with a social security number, which is oftentimes how students are tracked with ID values. I mean, the other thing to note is that I don't think we say this enough, is that any generated value. Let's say you have a database and you create a key ID for each student, that now is personally identifiable information, right? It is identifying a student. Now, granted, you may hold that only in your database, but it's still PII. You still need to protect it. Is that correct, Sam?

Sam Oberholzer: It depends. It really depends on their security controls and what they're doing. If they're masking, I mean, we can get a little bit more into detail with that, but it really is dependent on what their, I'm just going to call them protocols, are around protecting this data. So this is a good segue into why we recommend other standards for organizations that process student data on behalf of these schools.

Justin Beal: Yeah. Okay. One of the things FERPA did well for 1974, kudos to these guys, they actually defined what types of disclosure of personally identifiable information is allowed. So we're actually going to do the list here so that we know who a school can share this PII information with. So school officials, the school to which a student is transferring, so if you're transferring schools, you can ship the records, specific officials for audit or evaluation purposes. So I think that you could identify evaluation purposes as somewhere where you start bringing in SaaS platforms and you're putting that data on there and that's where you're starting to share it, any parties in connection with financial aid, to a student. That's critical, especially in higher ed for sharing that data. If you have a research organization that's conducting a study on behalf of the school, then that's okay.

So this is especially true for higher ed. If you are a university and you're going through accreditation, you may have to share student information in the accreditation process. Any officials in need of health or safety emergencies, state and local authorities within a juvenile justice system pursuant to specific state law is allowed, and then to comply with a judicial order or lawfully issued subpoena. Note that nowhere in here, and of course this was written in 1974, is any SaaS provider that you want to work with. So this is where I think it not being a permitted disclosure, but the school actually disclosing the data, they need a real good perspective on why that is still being held in private spaces.

Sam Oberholzer: Exactly.

Justin Beal: Because you're deeply liable if a breach happens at a third-party vendor for FERPA, you at the school, again, not the vendor. Now, you could sue for a breach of contract to that vendor, but you better make sure that your contract says something like, "Hey, we expect you to hold this data private." I would also recommend if you're a buyer, "We expect you to stay compliant with this particular standard." So that's where I think the standards come into play, right, Sam?

Sam Oberholzer: Yeah. As I was thinking through this too, and just from what I know from this, I actually do think that's very crazy that even when you're performing your own research or when you're talking or looking at the law of FERPA, you'll see that when they talk about third parties, they really are saying, "This is what they should do, but nothing's required." Literally, the only thing that is required is a contract and then they'll state, "Okay. Best practice is that both parties," so the school that has direct access to the student data and then that third party that they might partner with or contract for, they state, "Best practice to share the transparency of their data security or what they use and disclose how they use the data."

But none of this is actually a requirement. That is fascinating to me because if we think about in health tech, how they came up with high tech for HIPAA in the US, how they require that actual vendor prove their security and privacy controls. It's actually fascinating that in this case, in education, mainly dealing with younger, under age, under 18, it's just fascinating that they're not requiring, but yet it's labeled as best practice guidance for those vendors.

Justin Beal: Yeah, absolutely. I've seen all kinds of bizarre questions asked of me as a CTO in like, "Are you FERPA compliant?" One of the ones that I find really interesting is, "Well, you're FERPA compliant if your data is encrypted," but the problem is encryption is transitory always, right? Because you don't keep it in the gobbldy gook encryption and try and read it with your eyes. You have to decrypt it at some point. At that point, the information is exposed. So it's just that I think that there has been... Well let's face it, usually, the buyers are not experts deeply in technology and security, let alone security as a broader practice, and they're doing their best to respond to what they think are the best practices of their marketplace. However, the best practices are not well-defined because they were defined quite some time ago.

Sam Oberholzer: Exactly.


What information is protected under FERPA? 

FERPA federally protects the privacy of all student educational records and personally identifiable information (known as PII). Parents are guaranteed certain access to their child’s records, and schools must have written parental consent to share student data with any outside vendor. There are exceptions, though, in some specific circumstances, such as school transfers, financial aid, and accreditation of higher education institutions. Ultimately, FERPA aims to protect the data of children — people under 18 years of age. 

Who must comply with FERPA?

The only organizations that can be held accountable for FERPA’s requirements are schools and any educational institution that receives federal funding. EdTech solutions cannot be held directly liable for a FERPA violation — but the schools they contract with can. This puts schools in the position of needing to be certain that their EdTech contractors comply fully with FERPA regulations.


Two key FERPA challenges for EdTech companies

There are two aspects of FERPA that make it challenging in today’s world. First, it was passed decades ago — long before the advent of the types of technologies that we currently use in the classroom. There is no language in FERPA specifically addressing cybersecurity, which makes it a challenge for EdTech companies to figure out exactly how to prove FERPA compliance. Second, it’s a liability standard. In other words, an organization cannot earn a certificate to show that they are FERPA compliant or have passed a FERPA audit. But, if a complaint is filed with the Department of Education for a FERPA violation, compliance must then be proven.

This puts schools in a tricky situation when it comes to EdTech vendors. They know that if a company they share student PII with fails to meet the standards of FERPA, it is the school who will be liable. More and more, buyers for schools are demanding that EdTech vendors demonstrate FERPA compliance — but how can a vendor do this, given the vague nature of the law? 

Using modern standards to show FERPA compliance

While schools need to have a plan for managing third-party vendor risks, they also need to understand that requesting “FERPA compliance” from those vendors isn’t the right ask. Because FERPA is so broad and doesn’t have any set criteria, it isn’t the best measure of an organization's cybersecurity. 

There are compliance frameworks, however, that can prove that a company’s cybersecurity is top-notch and capable of robustly protecting student PII. SOC 2 and ISO 27001, while not typically associated with the field of education, both effectively audit an organization’s level of cybersecurity. Both involve a thorough risk assessment and the implementation of effective controls and are significantly more specific in the criteria that companies need to meet in order to achieve compliance. 

The future of student privacy

While understanding how to meet FERPA’s requirements is important for any company involved in education, it’s time that other privacy frameworks like SOC 2 and ISO 27001 enter the conversation when it comes to cybersecurity in EdTech. Both frameworks communicate strong security stances to schools and families and give educational institutions peace of mind that their third-party vendors take student privacy seriously.

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.