Is the Application Your School Plans to Use to Track Coronavirus Symptoms Really Secure?

Written by: Cameron G. Shilling & John Weaver

8/4/2020

As we pass the midpoint of the summer, schools are debating how to reopen in the fall. Do you welcome all of your students back to campus? Do you establish a hybrid model where some students are on campus some of the time while others study from home? Should all learning be remote? Every school that welcomes students and staff back to campus will need to collect, use, disclose, and retain information about coronavirus symptoms, other medical and health data, and other sensitive personal information about individuals on campus. Many schools plan to use cloud-based software applications to do so. How do you know that the application the school plans to use is secure?

Schools that rely on such an application need to perform thorough due diligence to ensure that the application has appropriate information security controls, that the school enters into an appropriate agreement with the application provider to ensure compliance with privacy and security law and to protect the school from liability, and that the school provides notice and obtains consent to collect, use, disclose, and retain such information. Before a school enters into any services contract or provides any health or sensitive personal information to the application provider, the school should have appropriate answers to the following questions.

What information security controls has the application provider implemented to protect the health and sensitive personal information of the school community?

Schools need to ascertain the information security controls inherent in the application they plan to use. For example, does the vendor have a written information security program that the school can review? Does the vendor measure its security controls against an industry standard, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework? Has the vendor obtained an independent attestation or certification against an information security standard, such as a System and Organization Controls (SOC) 2 report or an ISO/IEC 27001 certification? If the vendor offers a SOC 2 report, the school should confirm that the report actually covers the application and the infrastructure that will hold the school's data, and should prefer a Type II report, which tests that the controls operated effectively over a period of months rather than merely that they were designed at a point in time. It is critical (particularly in light of the recent breach at Blackbaud) that schools obtain and review reliable information to ascertain whether the vendor has taken appropriate measures to protect the health and sensitive personal information of the school's students, staff, and other campus visitors.

Does the contract with the application provider require appropriate privacy and security controls, establish that the vendor remains liable for breach, and ensure that the vendor has appropriate cyber insurance?

While many application providers have form services contracts, those forms rarely contain terms that are appropriate for these circumstances. For example, the forms commonly lack a commitment that the vendor will comply with an information privacy and security standard, and they waive or dramatically limit the vendor's liability for a breach. Such one-sided contracts are inappropriate and insufficient for the school to comply with its own legal responsibilities. Schools should insist that form contracts be changed, or that the application provider enter into a separate agreement, requiring the vendor to comply with an established standard for information privacy and security, notify the school promptly of a breach, remain liable for the costs of a breach, and maintain effective cyber liability insurance to cover a breach.

Does the school need to implement a different data processing agreement?

Laws are emerging in the United States, and already exist around the world, requiring schools to provide certain privacy rights and protections, including the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Thus, if a school is collecting health or sensitive personal information about students who are residents of California, the European Union, the United Kingdom, or Canada, those laws may require the school to enter into a different type of agreement with the application provider, called a Data Processing Agreement (DPA). The purpose of a DPA is to protect the information privacy rights of individuals and to impose corresponding obligations on the vendor.

Has the school provided appropriate notice and obtained necessary consent to collect, use, disclose, and retain health and sensitive personal information?

Domestic and foreign privacy laws require that schools, before they collect and use health and sensitive personal information, notify individuals about the information to be collected by the school and obtain consent for the school to use that information.

This fall, schools will inevitably handle a greater volume and wider variety of health and sensitive personal information than they have in the past. Finding an application provider that is qualified under information privacy and security laws to manage such information is vital.

Cam Shilling chairs and John Weaver is a member of McLane Middleton’s Information Privacy and Security Practice Group, which assists businesses, independent schools, and private clients to improve their information privacy and security compliance, and address any security incident or breach that may arise.
