
ARIZONA SCHOOL RISK RETENTION TRUST WEBINAR SERIES: GDPR AND DATA PRIVACY UPDATE
FEBRUARY 13, 2019

DANIELLE D. JANITCH, WILLIAM D. FURNISH & MACKENZIE C. WOODS – OSBORN MALEDON P.A.

Disclaimer: The materials in this presentation are for informational purposes only and not for the purpose of providing legal advice. Contact your attorney to obtain advice with respect to any particular issue or problem.

Page 2

About Us

• Danielle Janitch co-chairs OM’s Privacy & Data Security Group, which is recognized as a leader in Arizona on these issues. Danielle assists a wide variety of clients with developing and managing data protection and privacy programs, including helping draft privacy, security, and document retention policies.

• William Furnish is a commercial litigator and member of OM’s Privacy & Data Security Group. His practice includes advising on trade secret and data security matters, and he is a regular presenter to professional organizations on data privacy, protection and compliance.

• Mackenzie “Mac” Woods is a member of OM’s education legal practice group. His career in education began as an 8th grade science teacher and he most recently served as Deputy General Counsel for BASIS.ed. His practice focuses on scaling the impact of public schools, private schools, community colleges, and universities.

Page 3

Overview

• GDPR Basics
• Corresponding State Laws
• Enforcement Actions
• Best Practices

Page 4

Our Hypo (you will be tested later…)

The Arizona Community College (“ACC”) offers a leading international business program. Key to that success is ACC’s commitment to both having U.S. students study abroad and getting international students to study at ACC in Arizona. For U.S. students, ACC goes to great lengths to place them in quality residences and coordinate meaningful experiences abroad, all while taking ACC-provided online courses. For international students, ACC has online marketing materials and recently had the IT department launch an online application for international students as well as an online form to learn more about ACC which captures basic contact information, as well as browsing data. Although only about 30 students (or 1% of the total student body) are currently participating, the program’s success is causing a surge in popularity.

As part of the program’s expansion, ACC is negotiating with international partners to coordinate the international experiences its students will have abroad, as well as coordinating ACC’s recruitment of international students. A London-based company, International Student Opportunities, Ltd. (“ISO”), is telling ACC that it must certify it is in full compliance with GDPR before it will refer any international students to ACC or help coordinate local experiences for U.S. students. Currently ACC is compliant with data privacy laws in the U.S., including FERPA, but it has never analyzed GDPR.

Page 5

GDPR: Guiding Principles

• Lawfulness
• Fairness
• Transparency
• Purpose Limitations
• Data Minimization
• Accuracy
• Storage Limitations
• Integrity and Confidentiality
• Accountability

Page 6

GDPR: In a Nutshell

• Replaces the Data Protection Directive
• Brings data protection into the 21st century
• Harmonizing of various national implementations of the Data Protection Directive
• Duty to comply and show you are complying
• Stronger individual rights
• New obligations – now on both controllers and processors
• Increased enforcement powers and higher penalties for noncompliance

Page 7

GDPR – What is Covered?

Page 8

Sources of Personal Data

• Current and Former Employees
• Applicants and Prospective Applicants (both employee and student)
• Current and Former Students – Alumni Relations!
• Parents/Guardians
• Vendors, suppliers and contractors
• Others?

Page 9

GDPR – Who is Covered?

Data Subject: “[A]n identified or identifiable natural person.” Art. 4

But what does that mean?
• Just EU citizens?
• Others? Does it cover:
  o Tourists in the EU
  o Non-EU citizens residing in the EU
  o EU citizens residing outside the EU
  o Students abroad (both EU students in the US and US students in the EU)
  o Everyone, everywhere in the whole world

Page 10

It's Unclear

Article 3(2): “This Regulation applies to the processing of personal data of data subjects who are in the Union . . .”

Recital 2: “The principles of, and the rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms . . .”

Page 11

GDPR – The Language

Recital 14: “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”

Recital 24: “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to the Regulation when it is related to the monitoring of the behavior of such data subject in so far as their behavior takes place in the Union.”

Page 12

Our Hypo

Is GDPR Potentially Implicated?
1. What Personal Data?
2. From whom collected?

BUT: What about our college?

It isn’t in the EU, so how can this matter?

Page 13

GDPR & Non-EU Businesses

• If “established” in the EU: determined by review of business operations for EU-related activities and contacts based on:
  (1) physical location
  (2) agents/reps in the EU
  (3) real and effective activities conducted in the EU through stable arrangements (even if minimal)

• Even if not “established,” GDPR covers:
  (1) processing activities that involve goods/services offered to EU data subjects (free or paid),
  (2) if monitoring data subjects’ behavior in the EU.

Page 14

The Risk of Non-Compliance

Increased enforcement options:
  o Warnings
  o Audits
  o Stop Notices
  o High fines (up to 20M Euros or 4% global turnover, whichever is higher)

Breaches:
  o Mandatory to report security breaches in 72hr unless unlikely to result in risk to rights and freedoms
  o If high risk to rights and freedoms, must report to individual unless data is unintelligible

Page 15

Our Hypo - Back Again . . .

Factors Suggesting Not Established?
• Small amount of business derived from EU
• No physical presence in EU
• No stable relationship with EU entity (yet…)

Factors Suggesting Established?
• Intentional marketing and collection of EU subject data
• Seeking partnership with EU entities for student placement
• EU contacts through international business program

SO, should the college in our hypo comply with GDPR?

Page 16

GDPR Key Requirements

• Lawful Basis for all Personal Data
  o Consent
  o Others

• Privacy Notices
  o Concise, transparent, easily accessible and plain language
  o Contain minimal required information
  o Purpose and legal basis
  o Legitimate interest
  o Source and recipients of data
  o State individual’s GDPR rights
  o Disclose and get consent for outside EU transfers
  o Disclose retention periods

Page 17

GDPR Key Requirements

• Policy Documents
  o Written
  o Explain how you comply with GDPR
  o Explain retention practices
  o Regularly updated
  o Available

• Data Subject Rights
  o Right to be forgotten (erasure)
  o Right to correct
  o Right to restrict processing
  o Right to object
  o Access rights
  o No fee
  o Response without delay

Page 18

GDPR: Differences With US law

Back to our Hypo: What must our college comply with already, and how do those requirements overlap with GDPR?

• State Laws
• Federal Laws
• Contractual Obligations?

What do our college’s EU partners require in the contracts governing the exchange process?

Page 19

State Laws

Patchwork of state laws – consider your footprint.

Page 20

CCPA – Key Requirements

• Obtain consent for sharing/sale of data for individuals under 16;
• Right to opt out of sale of personal information;
• Right to request information regarding data access;
• Right to request deletion of personal information within 45 days subject to exceptions; and
• Right to access privacy policies that include description of consumer rights.
• Effective 1/1/20 – Cal. Civ. Code 1798.100-199.

Page 21

CCPA – Who Is Covered?

• Data regarding “consumers” – “natural persons who are California residents”

• Collected by a “business” – a “for-profit legal entity” that “does business” in California and:
  (1) has over $25 million annual gross revenue;
  (2) buys, sells or receives personal information of more than 50,000 consumers, devices or households per year; or
  (3) derives 50 per cent or more annual revenue from selling consumer personal information.

Cal Civ. Code 1798.140

Page 22

CCPA – What is covered?

“Personal Information” that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including:

• identifiers (e.g., names, alias, signature);
• protected classifications (e.g., race, sex, religion);
• commercial information;
• internet activity;
• education information that is “not publicly available personally identifiable information” under FERPA;
• not public information unless not compatible with its public purpose.

Page 23

CCPA – Actions / Penalties

• Right of action to sue for data breach where there is a failure to maintain “reasonable security procedures and practices appropriate to the nature of the information” to protect that information. Cal Civ. Code 1798.150.

• Statutory damages of $100-$750 per violation to consumers, or actual damages. Id.

• State fines up to $7,500 for violations not addressed within 30 days. Cal Civ. Code 1798.155.

Page 24

CCPA v. GDPR

• Compliance with CCPA does not equal compliance with GDPR.

• Under CCPA:
  o The “right to be forgotten” applies to data from the consumer only and has broader exceptions;
  o No absolute right not to be subject to data processing;
  o No requirement to “opt in,” except for minors;
  o Applies only to businesses that do business in CA;
  o Applies only to what GDPR would classify as a “processor,” not a “controller”;
  o Requires disclosures only over 12 months

Page 25

Arizona Data Breach Law

• Who is covered: natural persons, businesses and governmental agency (collectors) and residents of the state (providers).

• What is covered: “personal information,” including name + data elements (SSN, license number, financial account information, medical records, TIN, biometric data) or information giving access to online account and biometrics.

Page 26

Arizona Data Breach Law

What does it require:
• Incident involving “unencrypted and unredacted” information;
• Promptly investigate;
• No notification if independent auditor determines no substantial economic loss;
• Notify individuals affected within 45 days;
• Notify regulators and credit agencies if more than 1,000 individuals; and
• “Knowing and willful” violations may result in fines of up to $500,000 ($10,000 per individual) or actual loss.

Page 27

Education-Specific Rules

• FERPA: Protects PII from student’s education records from unauthorized disclosure.

• Education records are “records that are (1) directly related to a student; and (2) maintained by an educational agency or institution by a party acting for the agency or institution.”

• Schools cannot disclose educational records without parent consent unless the service provider falls within one of FERPA’s exceptions (such as the school official exception).

• School official exception requires the service provider to be under the school’s “direct control” and limits service provider use.

Page 28

Let’s Ask The Internet:

Predictions

Page 29

Enforcement of Privacy Laws

• Unknown how broadly and aggressively EU agencies and Attorneys General will enforce data privacy and protection laws.

• GDPR and Arizona laws are new; CCPA will not come on line until 2020.

• No publicly-reported GDPR enforcement actions involving educational institutions to date.

Page 30

Early GDPR Signs

• 59,430 breaches reported; 41,502 data breach notifications, 255 investigations and 91 fines between enactment and January 2019

• Only a handful of fines are public:
  o €50 million fine to Google by CNIL (France) for failure to provide information about data processing and failure to obtain specific, unambiguous consent;
  o €400,000 fine to a Portuguese hospital for permitting non-physician access to medical records;
  o €20,000 fine to an entity for failing to encrypt hacked information

Page 31

Future Enforcements

• GDPR and non-GDPR enforcements reveal a few patterns that will likely continue.

• Being outside of the EU will not protect you
  o GDPR / CCPA do not require physical presence
  o UK ICO Enforcement - Aggregate IQ

Page 32

Future Enforcements

• Failure to properly notify at the time of data collection may be punished.
  o Google
  o Portland State University

• Custodians must take requirements to pseudonymize / encrypt personal data seriously
  o LfDI Enforcement

Page 33

Future Enforcements

• Data breaches will result in fines or damages, even with cooperation.
  o LfDI Enforcement
  o UK ICO Enforcement - University of Greenwich
  o Mason v. Yale University

• Third parties must be vetted and examined.
  o Katy Independent School District
  o Portland State University

Page 34

Best Practices

Goals for this Section:
• Remind you of key data security resources in the education sector, particularly FERPA.
• Enable you to walk away with a plan for identifying key data sets, properly managing the security of those data sets, and planning how to respond to an incident.
• Explore the overlap between FERPA and GDPR.

Page 35

Best Practices

Key Resources:
• US Dept. of Ed’s “Privacy Technical Assistance Center” has various technical papers and guidance about managing student educational records in compliance with FERPA.
  o Data Security Checklist (link)
  o Data Security Management and Training: Best Practice Considerations (link)
  o Data Breach Response Checklist (link)
  o Model Terms of Service (link)
  o Responsibilities of Third Party Service Providers (link)

Page 36

FERPA Versus GDPR

FERPA generally already requires you to:
1. Maintain “educational records” as confidential and secure.
2. Maintain a record of each unauthorized disclosure of educational records.
3. Allow students to inspect and review their educational records.
4. Allow students to amend their educational record.
5. Provide annual notice to students of their rights under FERPA.

Page 37

Back to the HYPO

When it comes to the international students, if you comply with FERPA does GDPR require you to do anything else?

Does GDPR require more than FERPA when arranging foreign experiences and lodging for U.S. based students?

Page 38

5 Steps to Better Security and Privacy

1. Minimize data collection
  o Only keep what you need for as long as necessary – driven in large part by State Library retention schedules and grant requirements

2. Be aware of your legal obligations
  o FERPA
  o Data Breach Notification Laws
  o GDPR

3. Review privacy disclosures
  o Website privacy policy?
  o Employee privacy disclosures?

Page 39

5 Steps to Better Security and Privacy

4. Information Security Plan
  o Do you have one?
  o Do you regularly test and update it?

5. Diligence and hold Third Party Service Providers Accountable

Page 40

Negotiating Terms:

• Use the Model Terms

• Put in writing that you own your data and (if you can) anything created incorporating your data, and that you require all data to be returned or destroyed when the agreement terminates.

• Don’t bind yourself to GDPR compliance in private contracts, unless you must.

• Limit the use of your data – is use of your data (in any form) appropriate for the service provider’s own commercial benefit?
  o Probably not (whether raw form, aggregated, or de-identified).
  o Maybe if the service directly depends on ancillary use of such data (such as aggregating data to provide data trending and analysis to you and similar customers).
  o If the agreement is silent on use, discuss and add terms.
  o Watch for FERPA compliance issues – remember Agora and PTAC

Page 41

Indemnification and Limitation of Liability

• Ask for indemnification for violation of law and confidentiality breaches (not just infringement and security). Even ask for additional insured status on the vendor’s cybersecurity policy.

• Make sure the confidentiality language captures all of your data stored in the service.

• Providers usually limit their exposure to fees paid over some time period and exclude all indirect damages. Push back!

• Require the vendors to maintain all data on encrypted servers at the highest commercial standard. Ask for indemnification if a breach occurs on their system.

Page 42

Bottom Line?

• Know – what data you are managing and how it is being used by internal and external users.

• Manage – secure and manage your data, and check with vendors regularly to confirm that your provider is living up to the terms you negotiated.

• Plan – for a breach, and negotiate terms with vendors that protect your students and the institution in the event of a breach. Keep in mind that your exposure is broad.

Page 43

So Think Before You Sign Up!

• What will you entrust to a third party service provider?
  o Confidential business and financial data
  o Intellectual property
  o PII
  o Educational records

• Who will you entrust?
  o Diligence: There is no replacement!
  o Don’t forget to ask about subcontractors/sub-processors.

• Where will the data be stored?
  o Different countries have different abilities to access your data (not just different privacy laws!).
  o Is the storage encrypted?

• Verify
  o Regularly check/audit performance (both of yourself and the provider).

Page 44

External Resources

• US Department of Education Privacy Technical Assistance – https://studentprivacy.ed.gov/audience/school-officials-k-12

• European Commission 2018 Reform of EU Data Protection Rules – europa.eu/dataprotection

• California Attorney General Privacy Enforcement and Protection – https://www.oag.ca.gov/privacy

• Arizona Attorney General Data Privacy and Security – https://www.azag.gov/consumer/data-breach

• FERPA Sherpa Summary of State Student Privacy Laws – https://ferpasherpa.org/state-laws/

• NetDiligence Cyber Insurance Study – https://netdiligence.com/portfolio/cyber-claims-study/

• Verizon 2018 Data Breach Investigations Report – https://enterprise.verizon.com/resources/reports/dbir/

• Symantec 2018 Internet Security Threat Report – https://www.symantec.com/security-center/threat-report