Joshua Rosenblat – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues

White House pushes for student data regulations
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/white-house-pushes-for-student-data-regulations/
Thu, 19 Mar 2015 21:32:07 +0000

WASHINGTON — When the educational company ConnectEDU filed for bankruptcy about a year ago, it tried to do what any business would — sell off its most valuable asset: student data.

Millions of students submitted personal information such as email addresses, birth dates and test scores to the college and career planning company.

The Federal Trade Commission eventually stopped any transactions involving the data after noting that they violated ConnectEDU’s privacy policy.

Some student educational records are protected through the Family Educational and Privacy Rights Act, or FERPA. Originally signed into law in 1974, FERPA essentially protects the records schools collect on students and gives parents certain oversight and disclosure rights.

The growing influence of technology in classrooms and in administrative data collection, though, is making FERPA out-of-date.

Teachers, students and parents now routinely submit information to educational services companies, such as ConnectEDU. FERPA does not regulate how these companies use that data. And there is no other federal law that does. The companies’ own privacy policies are the only limit to what the companies can do with the information users provide.

The concern is that ConnectEDU may not be the only education technology company that is trying to sell its data to third parties.

ConnectEDU’s databases, for example, were filled with students’ personally identifiable information including names, birthdates, email addresses and telephone numbers. The sale of that information to other companies is not regulated.

To bring FERPA up to date, President Barack Obama, in conjunction with partners in the private sector, called in January for legislation to establish a national standard to protect students’ data.

“It’s pretty straightforward,” Obama said in a speech at the Federal Trade Commission. “We’re saying the data collected on students in the classroom can be used for educational purposes — to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling about certain students.”

Dubbed the Student Digital Privacy Act, the White House’s plan is loosely based on a 2014 California law that prohibits third-party education companies from selling student information. While other states have laws regulating and increasing the transparency, regulation and collection of student data, the California law seems to be the most far-reaching.

Because FERPA doesn’t cover third-party use, some private sector leaders have taken a vow to establish clear industry standards for protecting student data through the Student Privacy Pledge.

The pledge was created by the Future of Privacy Forum and the Software and Information Industry Association in the fall of 2014, and Obama mentioned it as an encouraging sign for the protection of student information.

“I want to encourage every company that provides these technologies to our schools to join this effort,” Obama said. “It’s the right thing to do. And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort.”

So far, 123 companies have signed the pledge, including tech and education giants such as Apple, Microsoft, Google and Houghton Mifflin Harcourt.

“There was a lack of awareness, information and understanding about what school service providers did and didn’t do with data and what the laws required and allowed,” Mark Schneiderman, senior director of education policy at SIIA, said. “Rather than waiting for public policy and public debate to play itself out, we figured, let’s just step in and make clear that the industry is supporting schools, is using data only for school purposes, not selling the data, not doing other things that there was a perception out there that maybe [companies were doing].”

The National Parent-Teacher Association and other groups support the pledge, according to Schneiderman.

“It is imperative that students’ personal information is protected at all times,” the National PTA wrote in a statement.

The companies that signed the pledge are not subject to any policing body, but by signing the pledge they show consumers their commitment to student privacy, Schneiderman said.

But many notable educational technology companies, like Pearson Education, have not signed the pledge. Pearson was recently the subject of a POLITICO investigative report that revealed that the company’s use of student data was unmonitored.

According to the report, Pearson claims it does not sell the students’ data it collects.

The College Board, ACT and Common Application are often viewed as integral to the college admissions process, but are also not included in the pledge.

Instead, these education companies point consumers to their privacy policies, which can often be difficult to understand because of the legal jargon and ambiguous terms.

Some groups such as the Parent Coalition for Student Privacy think the pledge and the privacy policies aren’t enough.

“We also need strong enforcement and security mechanisms to prevent against breaches,” Leonie Haimson, one of the group’s co-chairs, said in a statement responding to Obama’s speech. “This has been a year of continuous scandalous breaches; we owe it to our children to require security provisions at least as strict as in the case of personal health information.”

Out of the 12 commitments listed in the pledge, only one deals with preventing leaks or breaches.

The signees must “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks,” the pledge states.

Haimson said the policies are a decent start, but do not go nearly far enough in protecting educational data.

Regardless, a bill for a comprehensive national standard has yet to be introduced despite the White House’s push.

In early February, though, the White House said that it had been working closely with Republican Rep. Luke Messer of Indiana and Colorado Democrat Rep. Jared Polis to introduce a bipartisan bill to Congress.

The bill’s release is expected by the end of the month, according to Messer’s office.

Cybersecurity, privacy get new scrutiny in Congress
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/02/02/cybersecurity-privacy-get-new-scrutiny-in-congress/
Mon, 02 Feb 2015 21:34:12 +0000

WASHINGTON – Key House subcommittees this week threw their weight behind the need for action to protect consumers and the government against growing cyber threats and strategies to increase privacy.

In two subcommittee hearings in the House of Representatives on Tuesday, witnesses from both private and public corporations and federal agencies detailed the importance of cybersecurity legislation to protect Americans from harmful data breaches.

“Cybercrimes are ever increasing,” Rep. Daniel Lipinski, D-Ill., said in his opening statement at the Subcommittee on Research and Technology’s hearing Tuesday afternoon. “The threats are not only growing in number, but in the level of sophistication… Cybercrime threatens our privacy, our pocketbooks, our safety, our economy and our national security.”

With the wide-reaching impacts of cyber threats, both the White House and Congress are actively looking to enact federal legislation that could better protect the nation from cyber threats.

In 2014, there were 145 data hacks on both private businesses and the government, according to Privacy Rights Clearinghouse. Although the number of hacks has decreased over the last couple of years, the breaches of high-profile firms serving millions of consumers thrust cybersecurity issues into the spotlight. For example, both the US State Department and the White House’s Healthcare.gov suffered from data breaches last year, as well as Sony Pictures, Home Depot and Apple.

Witnesses testifying in the Commerce, Manufacturing and Trade Subcommittee hearing supported a federal law to regulate data breach legislation. Currently, 12 state laws cover data security and there are 47 different state laws that regulate cyber attack notification, according to a committee background memo.

“Compared to the current patchwork of state data breach notification laws, a single federal data breach notification standard will better protect consumers and allow companies to respond quickly and effectively following a breach. The key to any federal DBN law will be finding a single standard that maintains the strong consumer protections currently required by the states, but that does not overburden or impose inappropriate penalties on companies who should be focusing on notification and investigation in the wake of a breach,” Elizabeth Hyman, executive vice president for public advocacy at TechAmerica, a research and public policy group that often helps states and the federal government draft legislation, testified.

Similarly, President Barack Obama recently announced plans to pursue federal legislation that would force companies to report data breaches to customers within 30 days of the breach being discovered.

A strong federal law, according to Acxiom Corporation’s Jennifer Barrett-Glasgow, would not only benefit business by simplifying data breach laws, but consumers’ information would be better protected.

“From the consumer’s perspective, a single federal standard not only increases their confidence in the safeguards protecting information businesses hold, but also makes notice procedures in the event of a breach clear,” Barrett-Glasgow, a global privacy officer, said in her testimony.

Congress was unable to pass data breach legislation in the last session when a bill stalled in the Senate over concerns of consumer security. Those matters of privacy have become the center of a debate on the value of digital privacy.

For effective legislation to pass through Congress, according to Dean C. Garfield, president and CEO of the Information Technology Industry Council, a bill must address both security and consumer privacy concerns.

“Lawmakers should focus on legislation improving cybersecurity threat information sharing in a way that protects privacy and offers adequate legal liability protection for businesses,” Garfield said in his testimony at Tuesday’s Subcommittee on Research and Technology Committee on Science, Space, and Technology hearing on cyber threats.

With pressure from both Obama and recent cyber attacks on major corporations that have threatened the nation’s financial security and privacy, cybersecurity has earned an intense focus for Congress.
