For educational agencies, institutions, and third-party service providers, protecting student information from unauthorized use or access is paramount. SIIA believes that every party handling student data should implement and maintain strong administrative, physical, and technical safeguards reasonably designed to protect the types of information they hold.

For years, third-party service providers have been maintaining strong security measures for two big reasons. First, it is in the best interest of an education service provider to act in the best interest of students and schools, including by using information only for the educational purposes tasked with and maintaining strong security measures. The digital instructional materials and educational software industry is highly reputational. Success and failure is built not just on product efficacy and improving student outcomes but trust between providers and the students, schools, and parents they serve.

Second, school service providers are legally obligated to maintain strong security measures under federal and state laws. The Children’s Online Privacy Protection Act (COPPA) requires providers of online services targeted to children to “establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information (PI) collected from children.” The Federal Trade Commission (FTC) has provided resources to school service providers to understand compliance requirements and has taken enforcement actions against non-compliant providers. Additionally, over the last few years more than 35 states have passed more than 40 student privacy laws outlining security practices for agencies, institutions, and school service providers.

This network of state and federal laws require providers to maintain strong security measures without providing prescriptive measures that risk becoming outdated as technology advances. School service providers are acutely aware of their legal responsibilities and community expectations and are constantly examining and updating their security measures to ensure the safety of student information. The U.S. Department of education has even published and continually updates a series of security best practices papers. Because of these efforts by providers and the flexibility of security requirements, we have not seen data breaches occur due to a third-party’s work with an educational agency or institution.

It is critical that this level of flexibility to ensure that security measures keep pace with technology is maintained in any legislation or regulation. As an example, encryption technology is an industry standard today for sensitive and personally identifiable information. Just a few years ago though encryption was not widely available or always necessary given the constraints of technology at the time. The design of laws and regulations to protect student information should ensure that, in the coming years, protections continue to advance with new technologies and the changing needs of schools, students, and parents, including through security measures that have to be conceived.