Back in 2009 I blogged about the need for a consumer reports for schools: “If the Department of Education wants to help schools save time and money, create an independent foundation, or fund an initiative at a university, modeled on Consumers Reports Labs, and set it to testing school equipment, furnishings, and other items.”
No one took me up on that idea. Nevertheless, let me throw out another notion that I think would be of value to schools, enough so that someone might even be able to make a business out of it: privacy auditing and reporting.
Schools are increasingly (if belatedly) recognizing the importance of maintaining the privacy of student and employee data. At the same time, schools are also moving more of this data to a variety of cloud services, each of which maintains its own privacy practices and procedures. On top of this, various state and federal regulations (CIPA, COPPA, HIPAA, Dodd-Frank) are continually being reviewed and sometimes reinterpreted in the light of new threats and emerging best practices.
Most schools have neither the time nor the expertise to wade through government regulations, compare them with dozens of licenses and software as a service (SaaS) agreements (some of which may change multiple times during a school year), and determine if they are satisfied with the results. Nonetheless, schools are legally compelled to comply with certain regulations. Data breaches are expensive: data recovery and notifying affected parties, installation of new security software and devices, re-training of students and employees, loss of stature and even donors. There may be civil penalties or even criminal charges.
Schools hope for the best and deny that the worst could ever happen.
Corporations, on the other hand, hope for the best but plan for the worst. They call this conundrum “risk management” and may have entire departments working to find the optimum risk-reward ratio. They will look at a number of risk factors including internal policies, partner and vendor practices, and even externalities such as geopolitics and weather.
Imagine a non-profit, b-corporation, or traditional corporation dedicated to helping schools comprehend all of the privacy practices of their partners and how these practices compare with what is required by law. Here’s how something like this might work:
- A school creates an inventory of all of the software products and cloud-based services they use.
- The school submits this inventory to Company A – call it Computer Privacy Practice Tracker (CPPT).
- CPPT collects and audits all privacy practices based on the submitted list of products and services.
- Audit rules are based on existing federal and state laws and regulations, as well as any other criteria established by the school.
- CPPT reports the findings to the school:
  - a summary report suitable for parents, teachers, administrators and students detailing what data is shared and with whom, relevant privacy and safeguards, and compliance with applicable federal and state laws
  - a detailed report for administrators containing “as of date” documentation for all relevant documents, recommended remedial actions and goals
- CPPT monitors all of the companies and alerts the school whenever there’s a change in any pertinent privacy policies, explaining the meaning of the change and its impact on compliance.
The devil is in the details. How much would this cost? What liability does the auditor assume? What happens if a software vendor misrepresents their practices? What are the consequences if a school fails to take recommended remedial action? Who audits the auditors? How much of this can be automated, how would it work, and who would control the source code?
Meanwhile, Some Resources
In researching this idea I ran across several resources that may provide the reader with helpful information while Silicon Valley startups wrestle with how to actually create CPPT.
“How Little Data Breaches Cause Big Problems For Schools,” T.H.E. Journal
Halpert, B. (2011). Auditing cloud computing: A security and privacy guide. Hoboken, N.J.: John Wiley & Sons.
U.S. Department of Education Privacy Technical Assistance Center