We know it is critical for ed tech companies to get security right.
The Student Privacy Pledge developed by FPF and SIIA requires signatories to maintain “a comprehensive security program that is reasonably designed to protect the security . . . of personal student information . . . appropriate to the sensitivity of the information.” “Reasonableness” in this context is not a subjective standard, open to interpretation by each company, but rather a standard used and interpreted across a range of contexts by the Federal Trade Commission. It is also the basis of California’s new Student Online Privacy Protection Act.
A company’s security and other commitments made under the Student Privacy Pledge are legally enforceable. Under Section 5 of the Consumer Protection Act, the Federal Trade Commission (FTC) can take action against companies that commit deceptive trade practices. It is a form of deception to make a public statement such as signing the Student Privacy Pledge but then implementing practices that do not conform to those public statements. The FTC and various State Attorneys General have brought enforcement actions against companies that made privacy promises to their consumers and then violated those promises.
Companies with security practices that fall short can therefore face legal liability. The pledge does not designate specific security technologies, because those measures need to be tailored to the service, context and sensitivity of the protected information. What constitutes reasonable may depend on the specific company and nature of the data that it handles, and must evolve over time as new threats and solutions emerge.
For services that hold sensitive student data, login password encryption or equally protective measures are basic measures that companies must implement. Of course, effective security requires ongoing training of company employees, and toward that end, we have also kicked off a series of workshops starting next week to help companies further hone their security and privacy practices.
When a company signs the Pledge, they publicly commit to its responsible and appropriate standards for student privacy and data security, and the pledge allows the public – the media, parents, educators and federal regulators – to hold these companies accountable. It’s exactly this sort of public scrutiny that makes the pledge an effective means for ensuring data accountability. This accountability requires that all stakeholders understand its security standard, enforceability and other elements of the Student Privacy Pledge.
-FPF and SIIA