There is something soothing about the ubiquitous, quintessential image of the cloud—cumulus humilis, humble, lowly, and small—that has come to serve as the rallying icon of cloud technology. It’s a happy, puffy cloud that won’t cause lightning strikes or rain on your parade.

As we have seen in other industries, though, cloud technology has risks that need to be properly managed. Institutions want to know if the edtech industry and specifically cloud-based service providers are really all that “puffy.” Institutional CIOs ask Eduventures if they need to board up their data systems’ windows to protect against the changing winds of privacy and the forecasted hail of regulatory compliance. Colorful metaphors aside, it’s important to separate myth from fact when it comes to privacy and the security of cloud-based education technology solutions.

The Student Data Privacy Storm is Rolling In

Consider the example of a faculty member developing a new online course. He decides to try out a free license for a new, cloud-based learning management system (LMS). He logs in to his institution’s student information system and downloads a list of students’ names and email addresses and uploads it to the cloud LMS. From there, he sends the students invitations to log in to the LMS and start to participate in the online course.

What risk or liability does this present for his institution? If there was a data breach or if a student complained about the use of his or her data, would the situation devolve into finger pointing between the administration and the vendor? On one hand, the vendor would present a seemingly ironclad user agreement. On the other, the administration may claim ignorance of how the faculty member had used personally identifiable student information.

According to FERPA, responsible school officials who extract data from the student information system and upload it to a service provider that is not under official contract with the institution can be held liable.

At Eduventures Summit 2015, Kathleen Styles, Chief Privacy Officer of the U.S. Department of Education, joined me for a Q&A session. She confirmed that freemium business models that require individual faculty and staff to load data into the cloud still fall under FERPA. Furthermore, the majority of edtech vendors’ terms of use policies ask users to verify that they had permission to load students’ personal data. In most cases, the faculty would be held responsible in the event of a student complaint or data breach.

When faculty members adopt free cloud offerings, they are merely trying to do what’s in their students’ best interest, even if they are expressing dissatisfaction with institutional inertia in adopting learning technology. Additionally, holding individual faculty members accountable is rather unlikely, if only because of the politics of academic freedom on many campuses. Rather than reacting to data breaches or student complaints, CIOs should assume that student data is being shared with service providers beyond their purview and adopt a risk mitigation strategy.

The conversation continued on Twitter, and a few of the tweets touched on some of Kathleen’s most important points.

How often does privacy-breach lightning strike?

As with any risk mitigation strategy, it’s important to know the probability of a data breach and its potential impact on your institution. How often has the lightning of data privacy and security struck the education sector? When it does strike, how does its cost compare to breaches in other industries? The Ponemon Institute’s 2015 Cost of Data Breach Study from May 2015 indicates:

“The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300.” [Emphasis added]

This high cost of a breach of a student educational record is due to the multiple types of data institutions store on each student. This might include personally identifiable information (i.e., name, date of birth, social security number, and address), education and work history, financial account numbers, and even medical records. By any objective measure, the relative impact of a breach of any student record on an institution is very high.

The probability of a breach is a different matter altogether. When we dig into the data from this global study, only four cited data breaches affected education. All four were breaches at institutions, not on the part of a vendor. There were several high-profile cyber attacks on institutional infrastructure in 2014 and 2015, as covered in EdTech Magazine and in a report by EDUCAUSE’s Higher Education Security Council. Even with these data breaches, each incident exposed relatively few records, further decreasing the absolute total potential damage.

Reflecting on the volume of student and parent complaints to the Department of Education, Kathleen Styles opined, “Cloud vendors are just as good and most likely better at data security than institutions.” In nearly all cases in which education technology providers were called out for privacy and security issues before a breach occurred, the companies in question remedied their cloud-based software incredibly quickly. Pearson and Coursera had very public instances of concerned users pointing out security flaws and fixed them in a timely fashion. It is commonly believed—and severely overstated—that hosting data with a cloud-based education technology company is inherently risky. The fact is that your institution’s on-premise systems and applications are much more likely to be targeted in a hack or result in a data breach than a vendor that has adopted industry standards for cloud data security.

Grounding Your Institution Before The Storm

Regardless of the likelihood of a data breach by the vendors your institution is working with, it’s important to take a proactive approach to faculty and students’ use of freemium and cloud-based tools. Here are some concrete recommendations for CIOs and IT administrators that go beyond establishing a data privacy checklist for officially sanctioned software and services:

  • Audit unsanctioned products in use across all departments. Once the data has been compiled, resist the urge to immediately block tools outright at the firewall. Rather, collect additional information about options for enterprise access to these cloud solutions to better control the flow of data and access from campus systems.
  • Open a dialogue with faculty about which tools they have seen and like and which standardized enterprise tools they do not. Embed links to offer feedback and take surveys on edtech products (or even links to the products themselves) in staff and student portals. Share their feedback with technology vendors. Use the insights to educate your IT staff and make informed decisions about retiring and acquiring technology.
  • Clearly state which systems the institution supports and which are “use at your own risk” to make your faculty informed users. Look for ways for faculty to obtain permission from students in a classroom setting (opt-ins). In this way, faculty can make the case directly with students about the benefits of new cloud-based tools, and students will understand how their personal data is used for educational purposes.
  • Encourage vendors identified in your audit of currently used cloud offerings to sign the Student Privacy Pledge. Many vendors that serve both P-12 and higher education markets have already signed the pledge, but several with an exclusive focus on higher education have not. Only pressure from current and prospective clients will prompt vendors to take proactive steps to improve data privacy and security safeguards.

Institutions can also proactively manage the risk that comes with these solutions by working with Eduventures to assess which platforms and service providers are the best fit. We can help you anticipate the needs of faculty and staff in selecting the right cloud-based services and leverage best practices in vendor selection and adoption. If your staff has specific concerns about cloud-based learning applications, please let us know. We will continue to cover issues related to migrating to cloud service providers, including data privacy and security, in 2016.