
Back-to-School Compliance Checklist: Key Privacy & Data Security Considerations for Oregon K-12 Administrators


Summer vacation is winding down and teachers and students will soon be returning to classrooms across Oregon. While teachers are freshening up their classrooms for the new school year, administrators should remember to freshen up their legal compliance duties for the new school year. Some of those duties are likely already part of administrators’ routine. Annual Family Educational Rights and Privacy Act (FERPA) notice? Check ✓ What about a review of contracts that likely annually auto-renew, like with ed tech companies or other service providers? Check ✓

In this article, we discuss three issues that may not be top of mind for legal compliance at K-12 schools but definitely deserve your attention.

Artificial Intelligence

You may have noticed that there are a lot of companies claiming to have integrated a generative artificial intelligence (“Gen AI”) tool in their product, which will infinitely help you accomplish something at rapid rates and for low cost. While it’s true that Gen AI can help with certain tasks, there are also risks associated with using Gen AI. And many companies that claim to have AI benefits are doing nothing radically different than what has been done for many years.

For schools that want to use tools that incorporate Gen AI, there are a few contractual issues that must be addressed. Most important is that schools need to make sure they comply with their responsibilities under FERPA and other laws that protect student information. This means that schools need to ensure that the product is not impermissibly training the AI tool using protected data.

Check:

  • Has a vendor recently requested an updated contract?
  • Is the vendor advertising new AI features? If so, check to make sure FERPA and other privacy protections are in place.

Ransomware

This word causes more fear for security personnel than watching the Blair Witch Project in a haunted house. (For older readers, it might be watching The Texas Chain Saw Massacre. For younger readers, I’m sure there’s a TikTok on point.) Ransomware continues to be one of the top cybersecurity threats in the United States. Ransomware is oftentimes unknowingly downloaded by an employee opening an attachment in a phishing email, clicking on an ad, or following a link embedded with the ransomware. Ransomware locks down systems, causing disruptions in operations, and is increasingly coupled with data breaches (the intruder threatens to release personal data on the dark web if the ransom is not paid).

You can’t prevent a ransomware attack, but you can reduce the risk of being a target. You can also have policies and procedures in place to recover from a ransomware attack with minimal disruption and without paying the threat actor. It takes work, but these policies may save significant time, money, and headache.

Check:

  • Do you have offline back-up copies of key information?
  • Do you have an incident response plan? If so, have you practiced implementing it?

Ed Tech Contracts

Some schools may not be aware that the Oregon Student Information Protection Act (OSIPA) (ORS 336.184) has been around for almost a decade. OSIPA puts requirements on operators of websites, online services, and apps that are marketed to K-12 schools to use for school purposes (i.e., ed tech companies). While these requirements are not on the schools, schools should still be aware of those requirements and limitations and include limiting language in their contracts (or, at the very least, not contractually permit activities that are prohibited by OSIPA).

Check:

  • Are teachers and staff prohibited from downloading or requiring students to download apps that are not pre-approved by the district?
  • Are all ed tech contracts run through a single review process to ensure consistency and compliance?

Conclusion

It’s time to dust off the contracts and make sure operations are compliant with current legal requirements. Technology rapidly changes and laws rarely keep up with the times. But regulators and enforcement agencies consistently re-interpret old laws to address new technologies. If you need help reviewing your school’s policies, practices, and contracts, reach out to our knowledgeable privacy & data security team or education team.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
