Category: Universities

Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma matter, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cyber criminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data.  Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will continue to remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and university must not only follow applicable government guidelines but also  consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.  

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state law – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the WISP.
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review the WISP at least annually or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

Article By Ericka A. Johnson and Julia B. Jacobson of Squire Patton Boggs (US) LLP

For more cybersecurity and data privacy legal news, click here to visit the National Law Review.

© Copyright 2023 Squire Patton Boggs (US) LLP

Division I Universities Must Be Ready for Changes to the NCAA Infractions Process

The NCAA Division I Board of Directors has adopted key changes to the way in which NCAA infractions matters will be investigated and processed in the future. The changes, which take effect on January 1, 2023, are intended to modernize and enhance the process, while focusing resources on the most serious violations. Another objective is to reduce the time needed to process and resolve violation proceedings.

President of the University of Georgia and Chair of the Division I Board of Directors Jere Morehead said in August that NCAA members are “committed to resolving cases fairly and in a timely fashion, thus holding those responsible for violations accountable and avoiding penalizing those who were not involved in rule-breaking.”

Among the key changes are the following:

Enhanced duty to cooperate: Institutions, staff, and student-athletes, upon learning of potential violations, will be required to preserve information, to provide immediate access to all electronic devices, and to encourage family members, spouses, boosters, and others to cooperate in the investigation. The number of aggravating and mitigating factors in the Bylaws has been expanded to reward prompt and full cooperation and deter efforts to hinder or impede investigations.

New head coach responsibility standard: Head coaches will be held responsible for serious violations committed by those who report to them directly or indirectly. Only in determining the appropriate penalty will the Committee on Infractions (COI) consider whether the head coach promoted compliance and monitored the program. The previous infractions approach, which included a rebuttable presumption of responsibility on the part of a head coach, has been abandoned.

Additional method for resolution: A new alternative for resolving infractions cases has been added, with the aim of providing the COI greater flexibility and reserving full hearings for only the most serious cases. The new method, known as a “Written Record Hearing,” will be employed in cases in which the facts are largely undisputed and the alleged violations not numerous or significant.

Clarification of appeal standard and limitation of appeals: Findings and penalties by the COI will be affirmed by the Infractions Appeals Committee (IAC) if there is information in the record that supports the decision. Findings and penalties will not be set aside unless no reasonable person could have made the ruling given the factual record. Appeals to the IAC as to the penalties imposed will be limited to those sanctions that fall outside legislated penalty guidelines, or “core penalties.” The majority of appeals will be decided based on the written record without the need for oral argument. Finally, and as is also the case with the revised COI process, extensions of time will be granted only in extreme and clearly defined circumstances.

Aggravating and mitigating factors: The new guidelines clarify which factors apply to institutions and which apply to involved individuals. Previously, this was unclear and often debated. New aggravating factors have been added, including hindering an investigation or inhibiting the COI’s processing of a case. New mitigating factors also have been added, including a demonstration of exemplary cooperation by, for example, securing meaningful cooperation from an outside party.

Name, image and likeness (NIL): In this rapidly evolving area, the bylaws provide that if available information indicates that behaviors surrounding an NIL offer or agreement is contrary to NCAA legislation, it shall be presumed that a violation occurred.  The charged institution or involved individual will then be required to rebut this presumption with credible and sufficient information that a violation did not occur.

In addition to the above changes, the new infractions construct eliminates the Independent Accountability Resolution Process (IARP), which had been created at the recommendation of the Commission on College Basketball chaired by Condoleezza Rice. While acknowledging the panel’s thoroughness in deciding the several cases referred to the IARP, it was concluded that this new process prolonged case timelines and required substantial additional resources to bring cases to resolution.

Finally, the Board of Directors announced that it will consider additional future changes that may help to deliver timely and fair outcomes in infractions matters. Among the subjects under further consideration are (i) requiring increased documentation of recruiting efforts, (ii) adjusting the size and composition of the COI, (iii) modification of penalty ranges (including alternatives to post-season bans), and (iv) enhancing confidentiality rules for involved parties during investigation by the NCAA enforcement staff.

Jackson Lewis P.C. © 2022
For more Public Services Legal News, click here to visit the National Law Review.

Name, Image and Likeness: What Higher Education Institutions Need to Know for Legal Compliance

More than a year has passed since the NCAA v. Alston ruling and roll-out of the NCAA Name, Image and Likeness Interim Policy. What processes should institutions have in place, and what situations should they be on the lookout for at this point in the NIL game? While institutions cannot provide compensation to student-athletes or potential student-athletes in exchange for use of a student’s NIL, below are items counsel at higher institutions should have on their radar.

Review and Approval of NIL Agreements

The NCAA Interim Policy does not require student-athletes to disclose NIL agreements and/or opportunities to their institutions. In the State of Michigan, however, pursuant to House Bill 5217, beginning December 31, 2022, student-athletes must disclose proposed NIL opportunities or agreements to the institution at least seven days prior to committing to the opportunity or contract. For the institution, this means there needs to be a process in place by which student-athletes submit opportunities or agreements to the institution and the institution does a timely and thorough review of the submission. The institutional representative reviewing the submissions must be knowledgeable of the institution’s active contractual obligations and only sign off on the student-athlete’s potential NIL opportunity or contract once confident there is no conflict with an existing institutional contract. This is most likely to come up in agreements with exclusivity terms, such as sports apparel and campus-wide pouring rights agreements. If there is a conflict, the institution needs to articulate the specific conflict to the student-athlete so they can negotiate a revision, which is then subject to additional review and potential approval by the institution.

Institutions are the Regulating Bodies

Institutions in states that require submission of NIL opportunities by student-athletes need to pay close attention when reviewing submissions because the NCAA has placed most of the NIL regulatory burden on institutions. Specifically, institutions are obligated to report potential violations of NCAA policy. Among other potential violations, institutions must report possible abuses on the prohibition of pay-for-play and improper inducements of potential student-athletes and current student-athletes. Essentially, in addition to spotting potential conflicts between NIL agreements and current institution agreements, institutions need to review NIL agreements to determine if a student-athlete is being compensated for athletic achievement and/or for their enrollment or continued enrollment at a particular institution. Any indication that the student-athlete’s NIL agreement will be void if they no longer participate on an athletic team requires the institution to complete due diligence and determine the appropriateness of the arrangement in light of the NIL policy. Institutions are ultimately responsible for certifying the eligibility of student-athletes, and the presence of the previously mentioned terms place the agreement in direct violation of the language in the NIL Interim Policy and corresponding NCAA guidance.

Institutional Staff Members

It is in the best interest of institutions to train their staff members on appropriate interactions with boosters because the NCAA holds institutions responsible for the “impermissible recruiting activities engaged in by a representative of athletics interest (i.e., a booster).” Staff members need to understand the actions they are permitted to take and conversations they are permitted to have, as failure to do so could land them deep in the gray area of NIL.

  • An institutional staff member cannot directly or indirectly communicate with a potential student-athlete on behalf of a booster or NIL entity.
  • An institutional staff member cannot enter into agreements with an NIL entity to secure NIL deals between the entity and potential student-athletes.
  • An institutional staff member cannot “organize, facilitate or arrange” a meeting or any conversations between an NIL entity and a potential student-athlete, which includes transfer students coming from other institutions.

Financial Aid

Institutions should ensure they are not influencing how a student-athlete uses their compensation. Specifically, institutions should not direct student-athletes to use their NIL compensation for financial aid. Student-athletes’ financial aid is not impacted by compensation they would receive from NIL agreements. Financial aid limitations exclude compensation which also extends to NIL compensation. However, if a student receives NIL compensation, this may impact need-based financial aid.

FERPA

Many public institutions have made the argument that FERPA precludes them from disclosing NIL agreements without a release executed by the student-athlete. If a copy of an NIL agreement or summary of an NIL opportunity is provided to the institution by the student-athlete, this becomes a record of the university per the definition of FERPA and is likely part of the student-athlete’s educational record. There may be a particular circumstance in which a FERPA exception would apply to a request, but there is no broad FERPA exception that would apply in this situation. Institutions might find it strategic to include their stance on FERPA in an NIL policy to ensure all requests for NIL agreements are handled consistently.

International Students

International students can receive NIL compensation but with some caveats. In its documentation, the NCAA directs international student-athletes to their institution’s Designated School Official for “guidance related to maintaining their immigration status and tax implications.” As a result, institutions should make sure the individual(s) is/are well equipped to provide answers regarding NIL from international students.

Five Steps to Become a Well-Organized and Compliant Institution

  1. Have an NIL policy and procedures that are followed consistently and made available to student-athletes for reference and consultation;
  2. Have a process in place to review NIL agreements between the institution’s student-athletes and outside entities or individuals (if located in a state that requires student-athletes to make such disclosures);
  3. Have trained its staff (especially athletics staff) on what actions can and cannot be taken in relation to student-athletes’ NIL opportunities;
  4. Have trained its student-athletes on available resources; and
  5. Have a team of institutional staff members ready to pivot if additional laws are enacted by their state, if additional guidance is provided by the NCAA or if federal legislation is enacted.

Article By Richard T. Hewlett and Jessica E. Visser of Varnum LLP

For more entertainment, art, and sports legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

All Federal Research Agencies to Update Public Access Policies

On 25 August 2022, the Office of Science and Technology Policy (OSTP) released a guidance memorandum instructing federal agencies with research and development expenditures to update their public access policies. Notably, OSTP is retracting prior guidance that gave discretion to agencies to allow a 12-month embargo on the free and public release of peer-reviewed publications, so that federal funded research results will be timely and equitably available at no cost. The memo also directs affected agencies to develop policies that:

  1. Ensure public access to scientific data, even if not associated with peer-reviewed publications;
  2. Ensure scientific and research integrity in the agency’s public access by requiring publication of the metadata, including the unique digital persistent identifier; and
  3. Coordinate with OSTP to ensure equitable delivery of federally funded research results and data.

KEY COMPONENTS OF GUIDANCE:

Updating Public Access Policies

Federal agencies will need to develop new, or update existing, public access plans, and submit them to OSTP and the Office of Management and Budget (OMB). Deadlines for submission are within 180 days for federal agencies with more than US$100 million in annual research and development expenditures, and within 360 days for those with less than US$100 million in expenditures.

Agencies will need to ensure that any peer-reviewed scholarly publication is free and available by default in agency-designated repositories without any embargo or delay following publication. Similarly, OSTP expects the access polices to address publication of any other federally funded scientific data, even if not associated with peer-reviewed scholarly publications. As a concession, federal agencies are being asked to allow researchers to include the “reasonable publication costs and costs associated with submission, curation, management of data, and special handling instructions as allowable expenses in all research budgets.1

Ensuring Scientific Integrity

To strengthen trust in governmentally funded research, the new or updated policies must transparently communicate information designed to promote OSTP’s research integrity goals. Accordingly, agencies are instructed to collect and make appropriate metadata available in their public access repositories, including (i) all author and co-author names, affiliations, and source of funding, referencing their digital persistent identifiers, as appropriate; (ii) date of publication; and (iii) a unique digital persistent identifier for research output. Agencies should submit to OSTP and OMB (by 31 December 2024) a second update to their policies specifying the approaches taken to implement this transparency, and publish such policy updates by 31 December 2026, with an effective date no later than one year after publication of the updated plan.

IMPLICATIONS FOR THE NATIONAL INSTITUTES OF HEALTH (NIH), OTHER FEDERAL AGENCIES, AND THEIR GRANTEES

The NIH is expected to update its Public Access Policy, potentially along with its Data Management and Sharing Policy to conform with the new OSTP guidance. Universities, academic medical centers, research institutes, and federally funded investigators should monitor agency publications of draft and revised policies in order to update their processes to ensure continued compliance.

In doing so, affected stakeholders may want to consider and comment to relevant federal agencies on the following issues in their respective public access policy development:

  • Federal agency security practices to prevent foreign misappropriation of research data;
  • Implications for research misconduct investigations and research integrity;
  • Any intellectual property considerations without a 12-month embargo, especially to the extent this captures scientific data not yet published in a peer-review journal; and
  • Costs allowable research budgets to support these data management and submission expectations.

1 Office of Science and Technology Policy, Memorandum for the Heads of Executive Departments and Agencies: Ensuring Free, Immediate, and Equitable Access to Federally Funded Research at p. 5 (25 August 2022) available at https://www.whitehouse.gov/wp-content/uploads/2022/08/08-2022-OSTP-Public-Access-Memo.pdf

Article By Cindy L. Ortega Ramos and Rebecca M. Schaefer of K&L Gates

For more administrative and regulatory legal news, click here to visit the National Law Review.

Copyright 2022 K & L Gates

School Law Update: CDC Adjusts Direction on Exposure Quarantine Requirements for Employees

CDC Adjusts Direction on Exposure Quarantine Requirements for Employees

On August 11, 2022, the CDC updated its COVID-19 guidance as the risk of severe illness, hospitalization, and death from COVID exposure has significantly declined. More specific guidance for school districts was issued by the CDC, which can be found here.

In addition, the Department of Public Instruction has published guidance entitled “COVID-19 Infection Control and Mitigation Measures for Wisconsin Schools 2022/2023,” which can be found here.

While we published a Legal Update on the recent CDC guidance changes last week, that Update primarily focused on the private sector. This Update is primarily focused on the impact the new CDC guidance will have on school districts and identifies some of the key changes.

The more significant mask guidance has been reduced. Guidance now indicates that if COVID-19 is at a high Community Level, universal indoor masking in schools is recommended. The CDC also recommends masking in health care settings such as the school nurse’s office. The updated CDC guidance makes significant changes to quarantine and isolation protocols. Asymptomatic (exposed) children and staff, regardless of where the exposure occurred or vaccination status, no longer need to quarantine. Students or staff who self-identify as close contacts may continue to attend school/work if they remain asymptomatic.

Students or staff who come to school with symptoms or develop symptoms while at school should be asked to wear a well-fitting mask or respirator while in the building and be sent home. If testing is unavailable at school, students and staff should also be encouraged to get tested. Symptomatic people who cannot wear a mask should be separated from others as much as possible; children should be supervised by a designated caregiver who is wearing a well-fitting mask or respirator until they leave school grounds but masking with a high quality mask is suggested for 10 days from exposure.

If the school provides COVID-19 testing, a symptomatic student or staff member may remain in school if they are tested immediately onsite, and that test is negative. Best practice would include wearing a mask, if possible, until symptoms are fully resolved. If the student is “too ill” to be in school (fever, severe cough, vomiting, diarrhea, etc.), they should be sent home regardless of COVID-19 test results. If the symptomatic student or staff cannot be tested immediately, they should be sent home and encouraged to use an at-home-test-kit or be referred to a testing site.

Students and staff who test positive for COVID-19 should isolate for at least 5 days. If they are asymptomatic, they may end isolation after Day 5 (return Day 6). If they had symptoms, they may return to school/work after Day 5 if:

  • they are fever-free for 24 hours (without the use of fever-reducing medication)

  • their symptoms are improving

If the individual still has a fever or other symptoms have not improved, they should continue to isolate until the symptoms improve. Once isolation has ended, people should wear a well-fitting mask or respirator around others through Day 10. Testing is not required to determine the end of isolation or mask use following COVID-19 infection.

Article By James R. Macy, Ryan P. Heiden, and Anthony S. Wachewicz III of von Briesen & Roper, s.c.

For more coronavirus legal news, click here to visit the National Law Review.

©2022 von Briesen & Roper, s.c

U.S. Government Pursues More Aggressive Action to Curb Espionage at Universities

The U.S. Governmental Accountability Office (GAO) thinks the FBI and other agencies are not doing enough to address the espionage threat on U.S. university campuses. It issued a report, “Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities” on June 14, 2022, urging the FBI, the Department of Homeland Security, and the Department of Commerce to step up their outreach efforts to address the threat. Commerce, DHS, and FBI have all concurred with GAO’s recommendations. As a result, U.S. colleges and universities to face yet another organizational risk: an increase in campuses visits by export control and law enforcement agents.

The threat: U.S. export control laws consider the disclosure to non-U.S. persons of technology, software, or technical data to be exports, even if the disclosure occurs in the United States.

The overwhelming majority of non-U.S. persons studying and working at U.S. universities are not security risks and are valued members of their academic organizations. But U.S. intelligence agencies have long warned that foreign state actors actively acquire sensitive national security data and proprietary technology from U.S. universities.

A lot of the technology flow abroad from U.S. universities is perfectly legal, for two reasons: First, most university research, even in cutting-edge technology, is exempt from export controls under an exemption known as “fundamental research.” Second, even in cases where the fundamental research exemption does not apply, it takes time for the U.S. government agencies to add new items to the export control lists they enforce; namely the U.S. Munitions List, administered by the U.S. Department of State, Directorate of Defense Trade Controls; and the Commerce Control List, administered by the U.S. Department of Commerce, Bureau of Industry and Security.

But at the same time, either through inadvertence or outright espionage, unlawful transfers of technology to foreign nationals take place. A 2006 report by the U.S. Office of the National Counterintelligence Executive found that a significant quantity of export controlled U.S. technology is released to foreign nationals in the United States unlawfully each year.

Clash of values: One important issue for higher education in addressing trade controls compliance is cultural in nature. U.S. universities value open, collaborative environments which drive and accelerate innovation. For those institutions, the idea of cutting off information flows conflicts with those cultural norms. By contrast, U.S. export controls aim to protect U.S. national security by hindering the flow of sensitive information to potential adversaries.

GAO’s recommendations: The GAO report recommends that U.S. trade control agencies take more aggressive steps to curb foreign access to sensitive technologies at U.S. universities. The recommendations include steps to enhance risk assessment and ranking of universities by risk, and steps to increase agency cooperation in planning and conducting outreach visits to universities. As a direct result of this report, U.S. universities are going to receive more visits from U.S. government agents.

Practical takeaways:

  • Universities: Consider reevaluating your risk. The threat has evolved, and the U.S. government response is also evolving. A risk evaluation using modern tools such as a premortem can help you know where to dedicate resources to update your export control policies, procedures, and training. Any unlawful escape of technology or technical data are much more likely to be detected and punished under the new regime, in part based on the GAO report. Organizations have to evolve with the threat.
  • Students, faculty, and administrators: Consider how to jealously guard your academic freedom, but be wary of the national security risks of sensitive technology falling into the wrong hands.
  • Research sponsors: More and more U.S. university research is sponsored by U.S. companies and government agencies. Research sponsorship agreements play a major role in striving for both national security and academic goals of the U.S. university system. Sponsors need to be sensitive to how these agreements are drafted. Sponsors must be aware of the espionage threat to their technology. But imposing too many restrictions in the contract may undermine the applicability of the fundamental research exemption and hinder the success of the project.

Conclusion: In the face of organizational threats, institutions do best when they heed their values. In the realm of protecting sensitive technology, we must constantly evolve with the threat. But we must also continue to carefully balance national security considerations with our bedrock values of academic freedom and openness.

Article By J. Scott Maberry of Sheppard, Mullin, Richter & Hampton LLP

For more government and administrative legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Do You Have a College Student? Important Healthcare, Financial, and Educational Documents That They (and You) Need

August is upon us and you may soon be sending children off to college. If your child is age 18 or older, you and your child will need to take some simple steps so that, in the event of an emergency, you will be able to make health care and financial decisions for your child and have access to your child’s medical information and financial accounts. The same is true if you are to have access to your child’s educational records.

Medical Information. Once your child reaches age 18, your child is deemed to be an adult by law and you no longer have a legal right to make health care decisions on behalf of your child or to access your child’s health care information. As a result, if you have an adult child, your child must execute certain legal documents naming you as his or her health care agent and permitting you to access his or her medical information:

  1. Your child must execute a “Health Care Proxy” naming you as his or her agent for health care decisions. In this document, your child authorizes you to make health care decisions on your child’s behalf if he or she becomes unable to make or communicate such decisions him or herself. The child may also share his or her own wishes regarding medical treatment.
  2. Your child must also sign a “HIPAA Authorization Form.” The Health Insurance Portability & Accountability Act of 1996 (generally known as “HIPAA”) protects the privacy of an individual’s medical information, and health care providers may require written consent from a patient to share information with family members, including parents of an adult child. Your child’s college or university may also have policies in place preventing it from sharing medical information without the student’s consent. This form will serve as written permission authorizing those providing health care services to your child to share medical information with you as your child’s health care agent.
  3. In addition, you should be in contact with the health services department of your child’s college or university. The institution may provide its own form for authorizing the release of medical information that can be kept on record with the institution’s health services department.

Financial Accounts. If you are to have the ability to act on behalf of your adult child with respect to financial matters, your child also needs to execute a “Durable Power of Attorney” naming you as your child’s agent with respect to the child’s assets and finances. If your child is attending college away from home, is studying abroad, or undergoes a medical emergency, it may be useful for you to access your child’s accounts on his or her behalf. This allows you to pay bills for a child out of their accounts, make deposits and open or close accounts. In addition, a durable power of attorney allows you to handle other financial tasks for the child, like filing tax returns or renewing a lease.

Educational Records. Finally, the Family Educational Rights and Privacy Act (FERPA) protects the educational records of a child who has turned 18 or is enrolled at a postsecondary institution from access by his or her parents. If the child’s parents claim the child as a dependent on their tax returns, the parents may still access the child’s education records without the child’s consent. However, institutions may be reluctant to allow access to education records for any child over the age of 18 without a “FERPA Waiver” signed by the child, regardless of their status as a dependent. If you would like to have access to your child’s educational records, you should contact the institution to request a FERPA Waiver form.

Article By John H. Ramsey and Kerry L. Spindler of Goulston & Storrs

For more public education and services legal news, click here to visit the National Law Review.

2022 Goulston & Storrs PC.

District Court Rules Most Plaintiffs in Case Do Not Have Standing to Block Florida Stop W.O.K.E. Act

There are two key cases pending before the U.S. District Court for the Northern District of Florida on Florida’s “Stop W.O.K.E. Act”: the Falls, et al. v. DeSantis, et al., matter (No. 4:22-cv-00166) and the Honeyfund.com, et al. v. DeSantis, et al., matter (No. 4:22-cv-00227). The Northern District of Florida has issued its first order on the Act, which went into effect on July 1, 2022.

In an Order Denying Preliminary Injunction, in Part, in the Falls matter, the court concluded that the K-12 teachers, the soon-to-be kindergartner, and the diversity and inclusion consultant who sued Governor Ron DeSantis and other officials to block the Stop W.O.K.E. Act did not have standing to pursue preliminary injunctive relief. The court reserved ruling pending additional briefing on the question of whether the college professor, who also sued, has standing.

Stop W.O.K.E. Act

The Stop W.O.K.E. Act expands an employer’s civil liability for discriminatory employment practices under the Florida Civil Rights Act if the employer endorses certain concepts in a “nonobjective manner” during training or other required activity that is a condition of employment.

Court Order

In the Falls case, a diverse group of plaintiffs claiming they were regulated by the Stop W.O.K.E. Act filed a lawsuit challenging the Act on the grounds that it violates their First and Fourteenth Amendment Rights to free expression, academic freedom, and to access information.

The court, however, did not reach the question of constitutionality. It also did not determine whether the case can move forward, an issue that will be decided when the court rules on the defendants’ pending motion to dismiss.

Instead, the court denied the plaintiffs’ request for a preliminary injunction on the threshold question of standing. It found the plaintiffs (other than the college professor) did not show they have suffered an injury-in-fact that is traceable to DeSantis or another defendant that can likely be redressed by a favorable ruling.

The court found the consultant is not an employer as defined by the Florida Civil Rights Act. Therefore, she could not assert standing on that basis. Instead, she argued she has third-party standing to assert the rights of the employers who would otherwise hire her, and she is harmed by the Act because employers will no longer hire her. The court rejected both theories, finding the consultant-employer relationship is not sufficiently “close” to create standing; employers are not hindered in raising their First Amendment rights on their own; and, based on the evidence presented, the court could not reasonably infer that the consultant has lost or will lose business because of the Act.

Importantly, the court specifically held that it was not ruling on the legality of the Act, whether it was moral, or whether it constituted good policy.

Private Employer

The court highlighted that the sister case pending in the Northern District of Florida (Honeyfund.com) involves a private employer under the Florida Civil Rights Act. In that case, the plaintiffs allege the Stop W.O.K.E. Act violates their right to free speech by restricting training topics and their due process rights by being unconstitutionally vague. Honeyfund.com, Inc. and its co-plaintiffs request that the court enjoin enforcement of the law. The case has been transferred to District Court Judge Mark Walker. The Honeyfund.com case will likely have the largest effect on Florida employers and questions surrounding the enforceability of the Act as to diversity and inclusion training.

***

Since the Stop W.O.K.E. Act took effect, employers are understandably unclear how to proceed with training. Employers should continue to train their employees, but review their training programs on diversity, inclusion, bias, equal employment opportunity, and harassment prevention through the lens of the new law. Employers should also ensure they train the trainers who are conducting these important programs. Finally, employers should understand potential risks associated with disciplining or discharging employees who refuse to participate in mandatory training programs, even if employers do not consider the programs to violate the new law.

Article By Stephanie L. Adler-Paindiris, Samia M. Kirmani, Amanda Simpson, and Lindsay Dennis Swiger of Jackson Lewis P.C.

For more litigation legal news, click here to visit the National Law Review.

Jackson Lewis P.C. © 2022

U.S. Supreme Court Sides with Public High School Coach in Free Speech/Freedom of Religion Case

The U.S. Supreme Court issued a ruling which will have wide-ranging effects on the ability of governmental entities to react to religious and other speech of public employees. In Kennedy v. Bremerton Schoolsthe Court ruled that a public high school could not discipline or disfavor a football coach for his practice of kneeling on the 50-yard line and praying at the conclusion of each game, eventually growing to include most of the football team and opposing players as well. The school district had attempted to accommodate the coach’s desire for prayer, but concerns mounted when one parent complained that her son felt compelled to participate despite being an atheist. The coach was eventually placed on administrative leave and not extended an offer to return to coaching the next school year. Both the district court and the U.S. Court of Appeals for the Ninth Circuit rejected the coach’s First Amendment challenges.

With a 6-3 majority, the Supreme Court reversed. In doing so, the Court first found a violation of the Free Exercise Clause.  The Court discounted the school district’s stated concerns that the coach’s practice could violate the Establishment Clause or interfere with students’ right of free exercise. The Court held that absent evidence of “direct” coercion the Establishment Clause was not implicated and then concluded that the coach’s position of authority over the players was insufficient to constitute direct coercion.  The Court distinguished earlier cases involving prayers at football games and civic meetings, by emphasizing that the speech for which the coach was disciplined was not publicly broadcast or recited to a captive audience. Additionally, students were not required or formally expected to participate.

With respect to the Free Speech issue, the Court concluded that the coach’s prayers were not unprotected “government speech,” and in doing so applied a restrictive view of what could be considered “government speech.”  The Court held that because the coach’s job duties did not include leading prayers, the fact that the speech occurred on the field immediately after the game was insufficient to transform it from private speech to government speech.  “To hold differently,” the Court stated, “would be to treat religious expression as second-class speech and eviscerate this Court’s repeated promise that teachers do not ‘shed their constitutional rights to freedom of speech or expression at the schoolhouse gate.’”

The decision, together with Shurtleff v. Boston decided earlier this Term, suggests a sharp break with past Court jurisprudence on the balance between the dictates of the Establishment and Free Exercise Clauses.  Government entities should review their policies on religious activity on government property or by employees in connection with their positions in light of these two decisions.

Article By Ahmad Chehab, Scott R. Eldridge, and Robert T. Zielinski of Miller Canfield

For more civil rights legal news, click here to visit the National Law Review.

© 2022 Miller, Canfield, Paddock and Stone PLC

Ohio Court of Appeals Affirms $30 Million Libel Verdict Against Oberlin College

The Ohio Court of Appeals affirmed a judgment in excess of $30,000,000 against Oberlin College, holding that Oberlin was responsible for libelous statements made during the course of a student protest. Gibson Bros., Inc. v. Oberlin College, 2022 WL 970347 (Ohio Ct. App. March 31, 2022). The court’s rationale, if followed elsewhere, could lead to significantly broader institutional and corporate liability for statements by students and employees.

The case arose out of an incident in which an employee of the Gibson Brothers Bakery and Food Mart accused a black student of shoplifting, and then pursued and held the student until police arrived. Over the next few days, large groups of student protestors gathered outside the bakery and among other things handed out a flyer describing the incident as an “assault,” and stating that the bakery had a “long account of racial profiling and discrimination.” The day following the incident, the student senate passed a resolution calling for a boycott. It likewise described the incident as an assault on the student and stated that the bakery had a “history of racial profiling and discriminatory treatment of students….” The resolution was emailed to the entire campus and posted on the senate bulletin board, where it remained for over a year. The court found the statements to be factually untrue, because the student pled guilty to the shoplifting charge and admitted racial profiling did not occur, and the College presented no evidence of any past racial profiling or instances of discrimination at the bakery.

The court acknowledged that there was no evidence that Oberlin participated in drafting the flyer or the student senate resolution. Instead, the court found Oberlin liable on the theory that one who republishes a libel, or who aids and abets the publication of a libelous statement, can be liable along with the original publisher. As to the flyer, the court cited the following as evidence sufficient to support a jury finding that Oberlin had either republished or aided and abetted its publication:

  • Oberlin’s Dean of Students attended the protests as part of her job responsibilities;
  • the Dean of Students handed a copy of the flyer to a journalist who had not yet seen it and told students they could use a college copier to make more copies of the flyer;
  • the associate director of a multicultural resource center was seen carrying a large number of flyers, which he appeared to be distributing to others to redistribute to the public; and
  • the College provided a warming room with coffee and pizza at a site near the protests.

As to the student senate resolution, the court cited:

  • the senate was an approved organization;
  • the College created the senate’s authority to adopt and circulate the resolution;
  • the senate faculty moderator was the Dean of Students; and
  • despite having knowledge of the content of the resolution, neither the President nor the Dean of Students took any steps to require or encourage the student senate to revoke the resolution or to remove it from the bulletin board.

The court then held that despite the publicity the bakery received once the dispute arose, at the time of the protests and resolution the bakery and its owners were private persons, not public figures. Thus, the bakery only had to show that Oberlin had been negligent, rather than that it acted with reckless indifference as to the truth or falsity of the statements published.

Particularly in these polarized times, university administrators should be aware of and take steps to manage legal risks when external disputes become the subject of campus discussion and activism. Student organizations, faculty and administrators should be reminded that, to the extent they participate in protests or other public commentary outside their official roles, they should make clear they are acting for themselves and not the institution. Institutional responses to causes espoused by students or faculty need to be carefully vetted to assure that any factual assertions about third parties are accurate.

Article By Barry P. Kaltenbach and Robert T. Zielinski of Miller Canfield

For more litigation legal news, click here to visit the National Law Review.

© 2022 Miller, Canfield, Paddock and Stone PLC