- Local Government Lowdown - https://www.localgovernmentlowdown.com -

The Adoption Of SOPPA May Provide A Tough Lesson For Schools That Fail To Comply

Recently, the Chicago Tribune reported on a data breach involving student data [1] stored by Pearson Clinical Assessment that may have involved a number of students at Illinois schools. On September 5, 2019, the parent of a student at Indian Prairie School District 204 in Naperville, Illinois filed a class-action lawsuit against Pearson Clinical Assessment – the education publisher that suffered a massive data breach in November 2018 exposing the personal information of thousands of teachers and students across the country.

As schools increasingly use online services and other technologies to help students learn, the ability to provide adequate protection of sensitive student data becomes increasingly problematic. Data protection is further complicated as more third party vendors provide services to schools that require the collection and storage of personal information belonging to students and staff.  Therefore, schools are increasingly becoming proactive by implementing security safeguards and privacy policies to protect sensitive student and staff data to reduce their chances of being involved in breaches similar to the one seen with Pearson.

The Illinois legislature has recently adopted a statutory framework to make sure schools take all steps necessary to protect student and staff information. Specifically, the Illinois legislature’s recent amendments to the Illinois Student Online Personal Protection Act (SOPPA) [2] by setting forth an extensive list of requirements that schools must implement by July 1, 2021. These requirements are designed to ensure schools take steps to protect data. The major amendments affecting schools are summarized below:

The adoption of SOPPA dramatically impacts Illinois public schools to the extent many requirements move from being voluntary to compulsory. Over the next year, schools will need to analyze where their safeguards stand and what additional protections should be put in place before this law takes effect. The largest change for schools may be to forge a close relationship with their vendors and confirm vendors are providing the necessary safeguards. On a more practical level, schools may need to get away from using “boilerplate” contract forms with vendors and take a closer look at what the vendor is doing to protect information the schools have been entrusted to protect.

For more information about this article, contact Tressler attorney Christine Walczak [3] at cwalczak@tresslerllp.com [4].