When it rains, it pours: protecting student data stored in the cloud.

• Author: Varella, Loree

1. INTRODUCTION II. STUDENT INFORMATION III. CALIFORNIA AND SOPIPA IV. ALTERNATIVES TO SOPIPA V. NEW JERSEY AND STUDENT PRIVACY REFORM I. INTRODUCTION

   The idea of "paperless schools" is no longer a purely theoretical concept of education reform. In many districts across the country, it is a near reality. By 2017, the Obama-Biden administration plans to have a "laptop, tablet or smartphone" for every k-12 student in the United States, while offering enough bandwidth to get all 49.8 million kids online simultaneously. (1) As schools transition from paper-based institutions to electronic ones, the methods for collecting and storing information have similarly adapted. That transformation, however, introduces concerns regarding the safety of online information storage, and privacy issues stemming from schools allowing third-parties to have access to such information.

   On August 30, 2014, California enacted the Student Online Personal Information Protection Act (SOPIPA) to "create privacy standards for K-12 school districts that rely on third-parties to collect and analyze students' data, and require that student data managed by outside companies remain the property of those school districts and remain within school district control." (2) This new legislation fills in the gaps of the Family Educational Rights and Privacy Act (FERPA), which had provided student information protection for four decades, but had not addressed issues specifically raised by cloud computing. (3) SOPIPA is the latest entry in a string of progressive California legislation, which includes "a 2013 law granting children and young adults the right to delete posted content from online services, mobile apps or other digital services for which they are registered users." (4)

   However, not all states address the issue of student data privacy with California's parent-and-student favored approach. A strong argument against stringent data protection laws is that overzealous regulation will make parents overcautious and deter data storage companies from branching out to new fields. Another argument is that the laws threaten to overreach. Because of the rapid advances in technology, legislators find themselves in an awkward position of catching-up and are forced to strike a balance between data storage providers and parents.

   Part II of this note will provide an overview of the type of information that schools collect from students, and how that information is typically stored and utilized. It will then highlight the nature of threats to student privacy in light of electronically-held student data and discuss how FERPA and other federal laws were created to initially address those concerns.

   Part III and Part IV will analyze how the differing environments within the states have shaped the various interpretations of FERPA and the varying degrees of deference given to it. California's progressive approach, with the passing of SOPIPA, will be analyzed alongside some of the other more conservative alternatives adopted by other states.

   Part V will then focus on New Jersey. New Jersey has remained relatively silent regarding student privacy thus far. Circumstances unique to the state and news of recent privacy breaches will be examined when determining how state courts and legislators are likely to act. Part V will conclude and provide a recommendation regarding the type of approach New Jersey should adopt.

2. STUDENT INFORMATION

   Many factors, such as district size and urbanization, influence schools' reasoning for the implementation and utilization of online storage. States vary on who can obtain student information, such as parents or school officials. They also vary on what information is available for perusal, from test scores to "early warning" drop-out indicators. (5) Online information can be utilized to "customize" classroom experiences. Teachers can track grades to determine areas requiring further elaboration, creating personalized lesson plans tailored to each student. (6) Other schools are making more dramatic shifts to a fully electronic classroom, such as implementing online exams. (7) Aside from academic and demographic data, schools may collect interpersonal information regarding students with disabilities or students with behavioral problems to facilitate the students' development. (8)

   Before the advent of online storage, schools were limited in how they could organize and apply the data they collected. Schools initially used paper-based filing systems stored on school premises. Administrative data, however, grew over time and the process of physically storing and finding information became frustratingly inefficient and limited by space. (9) With improvements in technology, many schools transitioned to a magnetic tape-based system to store information. (10) These systems, however, are often on-site and therefore vulnerable to power disruptions. (11)

   To protect data in the event of a power disruption, an increasing number of schools have shifted to cloud computing. A national study by the Fordham Law School Center on Law and Information Policy (CLIP) looked at twenty districts of varying sizes and demographics. It found that "95 [percent] of reporting districts relied on at least one type of cloud service to process student information." (12) Another national study reported that forty-two percent of K-12 schools utilized cloud storage in 2012, up from just twenty-seven percent the year before. (13) The increase is likely attributable to the ease of use and convenience of cloud computing.

   Cloud computing is comprised of two interconnected systems: the computer system of the client and the computer system of the cloud service provider. (14) Once client information is sent through the internet, a cloud storage system makes copies of that data, otherwise known as redundancies, and relocates them to backup machines. (15) Clients can then retrieve their data through the internet on any device, thereby increasing efficiency and reducing the physical space needed on-site. (16) However, as more information is entrusted to online databases, the likelihood of that information becoming "leaked, exposed by hackers, or more likely, sold to advertisers by the private companies hired by the schools themselves" increases. (17)

   Three of the biggest threats faced by cloud computing are insecure databases, data loss and leakage, and hardware failure. (18) Hackers can also access information on cloud storage systems using low-tech methods such as "Brute Force." (19) Some cloud storage companies are developing methods to combat such threats: after a series of public attacks, cloud storage company Dropbox created new security practices, including encrypting the data on secure connections and creating a two-factor authentication process. (20) While these measures pave the way for a more secure industry, increases in security by the cloud providers themselves may reduce storage efficiency and processing speed. (21) They are therefore unattractive from a business standpoint. Until a balance between heightened security and technology that allows for its seamless implementation is reached, parents and students must look towards the law to limit the data schools can store on such a system.

   Hacking is not the only means in which student data can be placed in a compromised circumstance. Advertisers have taken advantage of the relatively easy access to student information. After obtaining the information from the storage providers, advertisers then provide what they have gathered to software retailers, who sell "tailored" educational programs back to the schools. (22) The software market for K-12 schools jumped 2.7 percent from 2010 to 2011-2012, becoming a 7.97 billion dollar industry. (23) Technological advances have made it easier for businesses to access vast swaths of student information, and track that information over the course of students' K-12 education. Many schools allow student data to be sold to third-party marketers for advertising purposes. (24) The CLIP national study revealed that "fewer than 7 [percent] of the [school's] contracts [with storage providers] restrict[ed] the sale or marketing of student information by vendors," (25) and less than ten percent "expressly prohibited" the sale. (26) Sometimes the distinction between commercial and education functions is not clear. Other times, the distinction is so obvious that critics decry the practice as predatory. (27)

   To address some of these concerns and to provide greater transparency, the Department of Education created the Privacy Technical Assistance Center (PTAC). The PTAC serves as a resource that parents can turn to for finding out what information is being collected in their school district and how it is being utilized. (28) In turn, it instructs schools to respond to parental inquiries in a "thoughtful and careful manner." (29) It also features a "community of practice" hub for school officials to share data-processing procedures that are efficient and compliant with federal laws. (30) While the center does not provide additional private protection, and its language can be particularly vague, it presents parents with an easy-to-understand overview of the rights that they and their children have under federal laws such as FERPA. (31)

   FERPA was created in 1974 to protect records created and maintained by schools. (32) FERPA grants parents various rights, including the right to "inspect and review the student's education records" and to "request that a school correct records which they believe to be inaccurate or misleading." (33) These rights transfer to the student once he or she reaches eighteen years old. (34) FERPA also prohibits the disclosure of certain types of information without written permission from parents or eligible students. (35) However, "[s]chools may disclose, without consent, 'directory' information such as a student's name, address, telephone number, date and place of...