While I was at the Privacy and Security Forum in D.C. this week, I heard from a Dept of Education official that the FTC and the Dept of Education were announcing a workshop. I think there’s a really good discussion to be had there about some very important issues and concerns.
The notice is below, but I wanted to mention a comment someone made to me over lunch at the forum. He – a security professional in the healthcare space – told me that his wife had recently begun a position as an elementary school teacher. He said he watched as she logged in to her work email and was stunned to notice that it was a simple login:pass. No 2FA or anything.
“How can that be in this day and age?” he asked me.
I had no good answer for him because there is no good answer. When every session at a privacy and security forum reiterates that attackers go for credentials, how can schools still use inadequate security for credentials?
I did not ask him what school district. Nor did I ask him if his wife would have been allowed to use a password like ABC123. But sadly, I think this is pretty much true in too many places in the country.
Anyway, here’s the notice of the workshop, below, but let’s keep in mind that there are some real basics in security that we still need to address. And if you think I’m pulling a Chicken Little, trot on over to DataBreaches.net, where I’ve been covering attacks on the education sector.
---------- Begin FTC/Dept of Education notice ----------
As schools continue to find new ways to help enhance learning through technology, they must also ensure these efforts comply with federal laws designed to help protect the privacy of children and students.
The Federal Trade Commission and the Department of Education will co-host an Ed Tech Workshop on December 1, 2017 to examine how the Federal Trade Commission’s Rule implementing the Children’s Online Privacy Protection Act (COPPA) applies to schools and intersects with the Family Educational Rights and Privacy Act (FERPA), administered by the Department of Education.
More than half of K-12 students have access to a school-issued personal computing device, and many school districts have implemented an online curriculum. The workshop, to be held in Washington, D.C., will help provide additional guidance to schools, Ed Tech providers, parents, and other stakeholders.
The COPPA Rule, first issued in 2000, requires operators of websites and online services to obtain parental consent before collecting, using, or disclosing personal information from children under 13. FTC staff has provided guidance about the application of the Rule to schools including a determination that schools could act as intermediaries between Ed Tech providers and parents in the notice and consent process, or act as the parents’ agent for purposes of providing consent to providers.
Passed in 1974, FERPA is a federal law that protects the privacy of student education records. FERPA generally prohibits educational agencies and institutions from disclosing student education records without prior, written consent from a parent. The Department of Education issued guidance in 2014 explaining generally that this prohibition on disclosure does not preclude the use of educational technology in the classroom, provided the school follows the requirements of the “School Official Exception” to FERPA’s written consent requirement.
While both agencies have continued to provide additional guidance, questions remain about the intersection of COPPA and FERPA. To help promote discussion on these questions, the FTC and the Department of Education are inviting comments on a variety of questions including:
- Are the joint requirements of FERPA and COPPA sufficiently understood when Ed Tech providers collect personal information from students?
- Under what circumstances is it appropriate for a school to provide consent under COPPA and what is the process for properly obtaining the consent?
- How should requirements concerning notice, deletion, and retention of records be handled and by whom and when?
- COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors. What are the appropriate limits on the use of this data?
- How do schools maintain “direct control” over Ed Tech providers when they rely on the School Official Exception to FERPA’s general consent requirement?
You can find a full list of questions and information about how to submit comments in the detailed public notice about the workshop.
The workshop, which is free and open to the public, will be held at the Constitution Center, 400 7th St., SW, Washington, DC. It will be webcast live on the FTC’s website. An agenda, directions to the Constitution Center building, and a list of speakers will be available in the near future on the event webpage.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.