Justin Beal: So let's start off with each industry has had some type of forward momentum into privacy or security, a little bit of banking and finance might be like PCI DSS, but education has had one that they've had for a really long time, which like HIPAA, came in the form of a law and it's called FERPA, F-E-R-P-A. It stands for the Family Educational Rights and Privacy Act. I can't memorize all these, so I'm going to be checking my notes as we go through today.

Sam Oberholzer: Absolutely.

Justin Beal: So let's talk about FERPA, first of all, was put into place in 1974. So it's been around for a really long time, and we're going to talk about how it is old and languishes and probably doesn't come up to par with some of the types of technologies that we have today and types of solutions. So on the spectrum of working standards, this one is a tough one. I'm not sure how operable it is, but since, as a marketplace of education technology has been so steeped in it, it's probably a good place for us to start for our ed tech companies that we'll be meeting with next week and just to understand FERPA more deeply. As a CTO, my idea for FERPA, the way I interpret it is you’ve got to keep student data private at the end of the day. Netnet was, that felt like the beginning, end, and middle of the story sometimes, but it's also one of the things to understand about FERPA, you and I talk all the time about what are liability standards and what are revenue standards. FERPA is a liability standard. So you don't get a certificate for it. There's no assessment methodology. You claim compliance, but an independent assessment of that compliance is really almost impossible to get because it's very loose as we're going to describe some of the details around it. So an organization that is concerned about FERPA is concerned about a liability lawsuit, and you can actually file with the Department of Education a FERPA complaint. Just like the SEC might go after a publicly traded company for some type of issue, that's where FERPA comes into play.

Sam Oberholzer: Absolutely. I think it's also important for our listeners, viewers to also know, or anyone that's in the EdTech space or any SaaS company that might have some student data or PII, a lot of these privacy laws, it’s just as important to understand why it's liability, because it's really trying to protect the rights and the control of students, in this case, over their own data. So a lot of the times, we see that these privacy laws, especially they're coming up more and more because everyone's starting to realize just how crucial it is to protect people's data, especially children, or users under 18. So that's really what comes down to why these privacy acts are actually coming into place more and more everywhere, globally.

Justin Beal: Exactly. Yeah. I've seen these privacy issues crop up for businesses in some really terrifying ways in education technology, in particular. One story I like to tell is there was a great startup around 2008 to 2010 called InBloom. They were trying to aggregate a large data set of student performance to identify best practices in education. They had built multi-state contracts to ingest that data. But the whole thing fell apart, even before they could get the product released, when parents at these states, rightfully so, became concerned about the privacy of that data. There was no good way for this organization to talk to how they were going to keep it secure. So the market of standards around privacy had not really caught up with the opportunity that a solution could bring. So it is dangerous. It can really hurt you. However, it's not going to be that you have an RFP sitting out there and them waiting on your FERPA certificate to come through. That's not the type of issue you're going to see.

One thing that I learned about FERPA today that I don't think a lot of people know, especially in the education technology product space, is who it actually applies to. So it doesn't actually, according to the law, apply to an EdTech solution. So let's say you're a learning management system. That's not what FERPA says. FERPA says it applies to any public or private school, elementary, secondary, or post-secondary, and any state or local education agency. So that's any education agency that is receiving funds under a program with the US Department of Education. So when you are shopping your EdTech solution around and a school wants to adopt it, but they ask if you're FERPA compliant, it's not that you're directly liable. The US Department of Education is not going to come knocking on a learning management system's door and say, "We're going to fine you." They're going to fine the school and that's why the school is terrified about it.

Sam Oberholzer: Absolutely. This is where the high risk comes into play. But we're also seeing even some of our customers have questions around this, that the states or the schools or whatever we're talking about, they're actually pushing down their requirements to our customers that are SaaS products that might be processing student data. So I would love to hear a little bit into play from your perspective, how we can minimize that risk or minimize the pressure from these school that are hiring vendors, like some of our customers are.

Justin Beal: Yeah. Honestly, I think the problem for the schools here is that they imagine by asking, "Are you FERPA compliant," that they bring you into some form of liability. I think I would advise schools that’s just not the case. I mean, anyone can, lawsuits are written if you decide you want to. Nothing holds that back. But you, as a school, that is held under this FERPA law needs to really decide what your third-party risk management program will look like. I don't recommend FERPA as a requirement because it's so loose, as we're going to see, that it's just not a good ask.

If you're a buyer at a school asking, "Are you FERPA compliant," is not a great way to manage the risk that a new third party vendor is introducing into your school for liability against FERPA. Yeah. So I think we're going to start talking about a couple of standards that we recommend ed tech companies vendors go after and buyers start asking for, for sure. Let's talk a little bit about the information that's protected so that you can know which of these standards are really going to be applicable. It really comes down to student education records. So this is any personally identifiable information. True or false, Sam, email? That's PII, right?

Sam Oberholzer: Yeah. Two or more.

Justin Beal: Two or more.

Sam Oberholzer: It has to be identified to them. Yep. That is the rule of thumb, I tell everybody. Some people don't think location is considered it, but ...

Justin Beal: Well...

Sam Oberholzer: ... we see that it's expanding more and more with these privacy laws.

Justin Beal: I live in a very small town now. I think if someone said Justin plus small town, there'd only be a couple of us, so you're probably going to find me out. So I think you're exactly right. It's two pieces of data and sometimes only one, especially if you're dealing with a social security number, which is oftentimes how students are tracked with ID values. I mean, the other thing to note is that I don't think we say this enough, is that any generated value. Let's say you have a database and you create a key ID for each student, that now is personally identifiable information, right? It is identifying a student. Now, granted, you may hold that only in your database, but it's still PII. You still need to protect it. Is that correct, Sam?

Sam Oberholzer: It depends. It really depends on their security controls and what they're doing. If they're masking, I mean, we can get a little bit more into detail with that, but it really is dependent on what their, I'm just going to call them protocols, are around protecting this data. So this is a good segue into why we recommend other standards for organizations that process student data on behalf of these schools.

Justin Beal: Yeah. Okay. One of the things FERPA did well for 1974, kudos to these guys, they actually defined what types of disclosure of personally identifiable information is allowed. So we're actually going to do the list here so that we know who a school can share this PII information with. So school officials, the school to which a student is transferring, so if you're transferring schools, you can ship the records, specific officials for audit or evaluation purposes. So I think that you could identify evaluation purposes as somewhere where you start bringing in SaaS platforms and you're putting that data on there and that's where you're starting to share it, any parties in connection with financial aid, to a student. That's critical, especially in higher ed for sharing that data. If you have a research organization that's conducting a study on behalf of the school, then that's okay.

So this is especially true for higher ed. If you are a university and you're going through accreditation, you may have to share student information in the accreditation process. Any officials in need of health or safety emergencies, state and local authorities within a juvenile justice system pursuant to specific state law is allowed, and then to comply with a judicial order or lawfully issued subpoena. Note that nowhere in here, and of course this was written in 1974, is any SaaS provider that you want to work with. So this is where I think it not being a permitted disclosure, but the school actually disclosing the data, they need a real good perspective on why that is still being held in private spaces.

Sam Oberholzer: Exactly.

Justin Beal: Because you're deeply liable if a breach happens at a third-party vendor for FERPA, you at the school, again, not the vendor. Now, you could sue for a breach of contract to that vendor, but you better make sure that your contract says something like, "Hey, we expect you to hold this data private." I would also recommend if you're a buyer, "We expect you to stay compliant with this particular standard." So that's where I think the standards come into play, right, Sam?

Sam Oberholzer: Yeah. As I was thinking through this too, and just from what I know from this, I actually do think that's very crazy that even when you're performing your own research or when you're talking or looking at the law of FERPA, you'll see that when they talk about third parties, they really are saying, "This is what they should do, but nothing's required." Literally, the only thing that is required is a contract and then they'll state, "Okay. Best practice is that both parties," so the school that has direct access to the student data and then that third party that they might partner with or contract for, they state, "Best practice to share the transparency of their data security or what they use and disclose how they use the data."

But none of this is actually a requirement. That is fascinating to me because if we think about in health tech, how they came up with high tech for HIPAA in the US, how they require that actual vendor prove their security and privacy controls. It's actually fascinating that in this case, in education, mainly dealing with younger, under age, under 18, it's just fascinating that they're not requiring, but yet it's labeled as best practice guidance for those vendors.

Justin Beal: Yeah, absolutely. I've seen all kinds of bizarre questions asked of me as a CTO in like, "Are you FERPA compliant?" One of the ones that I find really interesting is, "Well, you're FERPA compliant if your data is encrypted," but the problem is encryption is transitory always, right? Because you don't keep it in the gobbldy gook encryption and try and read it with your eyes. You have to decrypt it at some point. At that point, the information is exposed. So it's just that I think that there has been... Well let's face it, usually, the buyers are not experts deeply in technology and security, let alone security as a broader practice, and they're doing their best to respond to what they think are the best practices of their marketplace. However, the best practices are not well-defined because they were defined quite some time ago.

Sam Oberholzer: Exactly.