Back-to-School Compliance Checklist: Key Privacy & Data Security Considerations for Oregon K-12 Administrators

Miller Nash LLP

Summer vacation is winding down and teachers and students will soon be returning to classrooms across Oregon. While teachers are freshening up their classrooms for the new school year, administrators should remember to freshen up their legal compliance duties for the new school year. Some of those duties are likely already part of administrators’ routine. Annual Family Educational Rights and Privacy Act (FERPA) notice? Check ✓ What about a review of contracts that likely annually auto-renew, like with ed tech companies or other service providers? Check ✓

In this article, we discuss three issues that may not be top of mind for legal compliance at K-12 schools but definitely deserve your attention.

Artificial Intelligence

You may have noticed that there are a lot of companies claiming to have integrated a generative artificial intelligence (“Gen AI”) tool in their product, which will infinitely help you accomplish something at rapid rates and for low cost. While it’s true that Gen AI can help with certain tasks, there are also risks associated with using Gen AI. And many companies that claim to have AI benefits are doing nothing radically different than what has been done for many years.

For schools that want to use tools that incorporate Gen AI, there are a few contractual issues that must be addressed. Most important is that schools need to make sure they comply with their responsibilities under FERPA and other laws that protect student information. This means that schools need to ensure that the product is not impermissibly training the AI tool using protected data.

Check:

  • Has a vendor recently requested an updated contract?
  • Is the vendor advertising new AI features? If so, check to make sure FERPA and other privacy protections are in place.

Ransomware

This word causes more fear for security personnel than watching the Blair Witch Project in a haunted house. (For older readers, it might be watching The Texas Chain Saw Massacre. For younger readers, I’m sure there’s a TikTok on point.) Ransomware continues to be one of the top cybersecurity threats in the United States. Ransomware is oftentimes unknowingly downloaded by an employee opening an attachment in a phishing email, clicking on an ad, or following a link embedded with the ransomware. Ransomware locks down systems, causing disruptions in operations, and is increasingly coupled with data breaches (the intruder threatens to release personal data on the dark web if the ransom is not paid).

You can’t prevent a ransomware attack, but you can reduce the risk of being a target. You can also have policies and procedures in place to recover from a ransomware attack with minimal disruption and without paying the threat actor. It takes work, but these policies may save significant time, money, and headache.

Check:

  • Do you have offline back-up copies of key information?
  • Do you have an incident response plan? If so, have you practiced implementing it?

Ed Tech Contracts

Some schools may not be aware that the Oregon Student Information Protection Act (OSIPA) (ORS 336.184) has been around for almost a decade. OSIPA puts requirements on operators of websites, online services, and apps that are marketed to K-12 schools to use for school purposes (i.e., ed tech companies). While these requirements are not on the schools, schools should still be aware of those requirements and limitations and include limiting language in their contracts (or, at the very least, not contractually permit activities that are prohibited by OSIPA).

Check:

  • Are teachers and staff prohibited from downloading or requiring students to download apps that are not pre-approved by the district?
  • Are all ed tech contracts run through a single review process to ensure consistency and compliance?

Conclusion

It’s time to dust off the contracts and make sure operations are compliant with current legal requirements. Technology rapidly changes and laws rarely keep up with the times. But regulators and enforcement agencies consistently re-interpret old laws to address new technologies.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Miller Nash LLP
