In Rare Summer Opinion, Supreme Court Follows Sixth Circuit’s Lead

In Department of Education v. Louisiana, the Supreme Court issued a rare August opinion to maintain two preliminary injunctions that block the Department of Education’s new rule.  That rule expands Title IX to prevent sexual-orientation and gender-identity discrimination.  State coalitions brought challenges; district courts in Louisiana and Kentucky enjoined the rule during the litigation; the Fifth and Sixth Circuits denied the government’s requests to stay the injunctions, nor would the Supreme Court intercede for the government.

All the Justices agreed that aspects of the rule warranted interim relief, most centrally the “provision that newly defines sex discrimination” to include sexual-orientation and gender-identity discrimination.  But because the district courts enjoined the entirety of the rule, the scope of relief proved divisive.  A narrow majority agreed to leave the broad injunctions in place, while four Justices in dissent argued to sever the suspect aspects of the rule and allow the remainder of the rule to take effect.  With emphasis on the “emergency posture,” the majority explained that the government had not carried its burden “on its severability argument.”

Justice Sotomayor’s dissent proposed limiting the injunctions to just the three challenged aspects of the rule.  The dissent focused on the “traditional” limits on courts’ power to fashion “equitable remedies.”  That Justice Gorsuch joined Justices Sotomayor, Kagan, and Jackson should come as no surprise.  Justice Gorsuch has harped on limiting equitable remedies to party-specific relief (e.g. Labrador v. Poe); cast doubt on severability doctrine (Barr v. AAPC (opinion concurring in part and dissenting in part)); and, of course, authored the landmark Bostock v. Clayton County decision that interpreted Title VII to protect against sex discrimination in much the same way the Department wishes to interpret Title IX.

This decision is an unreliable forecast of the Court’s view of what Title IX sex discrimination encompasses.  The Court unanimously agreed to table the debate over the Department’s new definition of sex discrimination while the lower courts proceed “with appropriate dispatch.”  The case concerned the status of the rest of the rule as that litigation continues.

A truer tell on the merits is the Sixth Circuit panel’s order denying the government’s stay request.  The panel found it “likely” “that the Rule’s definition of sex discrimination exceeds the Department’s authority.”  Preliminarily at least, the court thought it unlikely that Title IX—last amended in 1972—addresses sexual-orientation and gender-identity discrimination.  The Sixth Circuit has been reluctant “to export Title VII’s expansive meaning of sex discrimination to other settings”—and so it was here.

If “past is not always prologue,” still sometimes it is.  The Sixth Circuit panel divided on the injunction’s scope just like the Supreme Court.  Chief Judge Sutton and Judge Batchelder formed the majority, finding that the three “central provisions of the Rule . . . appear to touch every substantive provision.”  Saddling school administrators with new regulatory requirements on the eve of the new schoolyear tipped the equities toward enjoining the full rule.  Judge Mathis dissented because the injunction disturbed provisions of the rule “that Plaintiffs have not challenged.”

For now, the Department’s new rule yields to the old one.  That rule, too, is being litigated in the Sixth Circuit because guidance documents say the Department will interpret Title IX the same way Bostock interpreted Title VII.  See Tennessee v. Dep’t of Educ. and this coverage at the Notice & Comment blog.  To close out with some Supreme Court trivia—this marks its first mid-summer opinion since Alabama Association of Realtors v. DHHS in 2021, where the Court ended the Biden Administration’s Covid-era moratorium on evictions.  Before that may be the Court’s September 2012 decision Tennant v. Jefferson County Commission involving a challenge to West Virginia’s congressional districts.

Supreme Court Ruling on Affirmative Action and Impact on Companies’ DEI Programs

In June 2023, the US Supreme Court voted 6-3 in a decision that significantly changed the way colleges and universities used affirmative action in their admissions. The targets of the lawsuit were Harvard University and University of North Carolina for alleged racial discrimination in admissions.

The Ruling 

The Court ruled that race conscious college admission policies aimed at maintaining racially diverse student bodies violated the Equal Protection Clause of the Fourteenth Amendment. The court, though ruling out admissions solely based on race, did state, “Nothing in the opinion should be construed as prohibiting universities from considering an applicant’s discussion of how race affected his or her life.” It should be noted that court did not impose the same ruling on military academies because of their “distinct interest” in the benefits of a diverse officer corp. Though the ruling has caused an uproar in both academic and business communities, we need to remember the ruling does not significantly impact effect corporate America, yet.

Race Based Employment 

The affirmative action ruling only applies to colleges and universities admissions processes. Employers are subject to Title VII of the Civil Rights Act of 1964, which is a federal law that prohibits employment discrimination based on certain factors which include race, color, religion sex (including pregnancy, sexual orientation, and gender identity) and national origin. Further, Title VII applies to all aspects of employment, including, but not limited to recruiting, hiring, promoting training and discharge. Several states, like Massachusetts, have their own version of Title VII to protect both employers and employees. Despite these protections, employers are still cautious with implementing and maintaining diversity equity and inclusion (DEI) programs. This is probably true because most companies do not see the difference between the two. Though they are similar, Title VII protects the employer and employee, while DEI programs aim to enhance the workplace experience and to some extent maximize profits. Plus, most DEI programs go beyond race based concerns and tend to embrace various other aspects of people’s lives that may be subject to bias.

Attack on DEI 

Since the ruling by the Supreme Court, several state attorney generals sent letters to Fortune 500 companies stating that race-based preferences “whether under the label of diversity, equity and inclusion or otherwise” may violate federal and state antidiscrimination laws. In addition, corporations like Amazon and Comcast have had their DEI practices challenged. Several states like Florida have proposed and passed anti-DEI legislation banning certain DEI practices in state agencies. All this fervor has created the concern that the “right case” can outright destroy DEI practices and programs. Most recently, which seems like an act out of an abundance of caution, the well-known longstanding Society for Human Resources Management (SHRM) changed their focus from Inclusion, Equity and Diversity (IE&D) to Inclusion and Diversity (I&D). The concern relating to the future of DEI is palatable.

Safety Net for DEI Programs 

The DEI movement is far from defeated, we must remember DEI and Affirmative Action are not the same. DEI programs, though want to ensure that various races feel accepted in the workplace, should focus on anti-bias, inclusion of all employees from various backgrounds, allyship and the appreciation of everyone’s professional and personal life experiences. You can call your program whatever you want, but it is really the approach used by employers that will survive future legal scrutiny.

Incorporating AI to Address Mental Health Challenges in K-12 Students

The National Institute of Mental Health reported that 16.32% of youth (aged 12-17) in the District of Columbia (DC) experience at least one major depressive episode (MDE).
Although the prevalence of youth with MDE in DC is lower compared to some states, such as Oregon (where it reached 21.13%), it is important to address mental health challenges in youth early, as untreated mental health challenges can persist into adulthood. Further, the number of youths with MDE climbs nationally each year, including last year when it rose by almost 2% to approximately 300,000 youth.

It is important to note that there are programs specifically designed to help and treat youth that have experienced trauma and are living with mental health challenges. In DC, several mental health services and professional counseling services are available to residents. Most importantly, there is a broad reaching school-based mental health program that aims to provide a behavioral health expert in every school building. Additionally, on the DC government’s website, there is a list of mental health services programs available, which can be found here.

In conjunction with the mental health programs, early identification of students at risk for suicide, self-harm, and behavioral issues can help states, including DC, ensure access to mental health care and support for these young individuals. In response to the widespread youth mental health crisis, K-12 schools are employing the use of artificial intelligence (AI)-based tools to identify students at risk for suicide and self-harm. Through AI-based suicide risk monitoring, natural language processing, sentiment analysis, predictive models, early intervention, and surveillance and evaluation, AI is playing a crucial role in addressing the mental challenges faced by youth.

AI systems, developed by companies like Bark, Gaggle, and GoGuardian, aim to monitor students’ digital footprint through various data inputs, such as online interactions and behavioral patterns, for signs of distress or risk. These programs identify students who may be at risk for self-harm or suicide and alert the school and parents accordingly.

Proposals for using AI models to enhance mental health surveillance in school settings by implementing chat boxes to interact with students are being introduced. The chat box conversation logs serve as the source of raw data for the machine learning. According to Using AI for Mental Health Analysis and Prediction in School Surveys, existing survey results evaluated by health experts can be used to create a test dataset to validate the machine learning models. Supervised learning can then be deployed to classify specific behaviors and mental health patterns. However, there are concerns about how these programs work and what safeguards the companies have in place to protect youths’ data from being sold to other platforms. Additionally, there are concerns about whether these companies are complying with relevant laws (e.g., the Family Educational Rights and Privacy Act [FERPA]).

The University of Michigan identified AI technologies, such as natural language processing (NLP) and sentiment analysis, that can analyze user interactions, such as posts and comments, to identify signs of distress, anxiety, or depression. For example, Breathhh is an AI-powered Chrome extension designed to automatically deliver mental health exercises based on an individual’s web activity and online behaviors. By monitoring and analyzing the user’s interactions, the application can determine appropriate moments to present stress-relieving practices and strategies. Applications, like Breathhh, are just one example of personalized interventions designed by monitoring user interaction.

When using AI to address mental health concerns among K-12 students, policy implications must be carefully considered.

First, developers must obtain informed consent from students, parents, guardians, and all stakeholders before deploying such AI models. The use of AI models is always a topic of concern for policymakers because of the privacy concerns that come with it. To safely deploy AI models, there needs to be privacy protection policies in place to safeguard sensitive information from being improperly used. There is no comprehensive legislation that addresses those concerns either nationally or locally.
Second, developers also need to consider and factor in any bias engrained in their algorithm through data testing and regular monitoring of data output before it reaches the user. AI has the ability to detect early signs of mental health challenges. However, without such proper safeguards in place, we risk failing to protect students from being disproportionately impacted. When collected data reflects biases, it can lead to unfair treatment of certain groups. For youth, this can result in feelings of marginalization and adversely affect their mental health.
Effective policy considerations should encourage the use of AI models that will provide interpretable results, and policymakers need to understand how these decisions are made. Policies should outline how schools will respond to alerts generated by the system. A standard of care needs to be universally recognized, whether it be through policy or the companies’ internal safeguards. This standard of care should outline guidelines that address situations in which AI data output conflicts with human judgment.

Responsible AI implementation can enhance student well-being, but it requires careful evaluation to ensure students’ data is protected from potential harm. Moving forward, school leaders, policymakers, and technology developers need to consider the benefits and risks of AI-based mental health monitoring programs. Balancing the intended benefits while mitigating potential harms is crucial for student well-being.

© 2024 ArentFox Schiff LLP
by: David P. GrossoStarshine S. Chun of ArentFox Schiff LLP

For more news on Artificial Intelligence and Mental Health, visit the NLR Communications, Media & Internet section.

School Law & Legislative Update: New Laws In Effect 2024

Act 24 of 2023:

Effective 11/06/2023. Adds Section 1302.1 to the Public School Code entitled “Military Child Advance Enrollment” to require schools to develop a policy on enrollment of students to allow a child whose parent or guardian is an active duty member of the armed forces and has received orders to transfer into or within the Commonwealth of Pennsylvania to enroll in the school district prior to establishing residency for purposes of Section 1302 upon providing a copy of the official military orders and proof of the parent/guardian’s intention to move into the school district. This proof may include a signed contract to purchase a home, a signed lease, or statement from the parent/guardian stating their intention to move into the school district.

Act 26 of 2023:

Effective 01/05/2024. Repeals section 1112 of the Public School Code that prohibits teachers from wearing any dress, mark emblem or insignia indicative of their faith or denomination. This Act was passed on November 6, 2023 and is effective in 60 days.

Act 33 of 2023:

Effective 12/13/2023. Omnibus amendments to the Public School Code of 1949 including the following provisions:

Read the entirety of Act 33 here.

HIGHLIGHTS INCLUDE:

• Added a new Article XII-B entitled “Educator Pipeline Support Grant Program.” This is a new program within the Pennsylvania Higher Education Assistance Agency (PHEAA) to awards grants to individuals who are seeking placement as student teachers. Ten million dollars is available for implementation of the program, and the minimum grant available to a student teacher is $10,000. An additional minimum grant of $5,000 is available to a student teacher who is student teaching in a school entity in an area that “attracts few student teachers” or that “has a high rate of open teaching positions.” In addition to the student teacher receiving a grant payment, the student teacher’s cooperating teacher shall also receive a minimum grant of $2,500, unless the cooperating teacher receives compensation from an institution of higher education for servicing as a cooperating teacher.

• Section 1302-C (relating to school safety) is amended to now require that when a school police officer is appointed by a court, the court order must be submitted to the School Safety and Security Committee established under Section 1302-B. In addition, a school that has previously applied to court to appoint a person to act as a school police officer prior to the effective date of this subsection is required, within 120 days of the effective date of this subsection, submit a copy of the court order relating to the appointment of each school police officer to the committee. This subsection takes effect immediately.

• Adding a new Article XXVI-L entitled “School environmental Repairs Program,” to provide for a restricted account in the Commonwealth general fund to provide grants for the abatement or remediation of environmental hazards in school buildings; PDE is to develop an application process for schools to apply for the grants; eligible projects include abatement or remediation of lead in water sources, asbestos and mold inside the school building; the school must have a local match of at least 50% of the total cost of all the projects listed in its application; the local match may come from any non-state source funding, including federal and local donations, and the local match must be documented as part of the application.

Act 35 of 2023:

Effective 12/13/2023. Omnibus amendments to the Public School Code of 1949 including the following:

Read the entirety of Act 35 here.

HIGHLIGHTS INCLUDE:

• Section 130 is added to include a new section entitled “Public Job Posting Database” which is a public database to be established and maintained by PDE for both public and nonpublic schools to voluntarily advertise job vacancies.

• Section 131 is added to include a requirement that school entities, which includes charter schools, to submit information about instructional vacancies to PDE by August 31, 2024. The information required to be submitted includes the total budgeted number of instructional employees and vacancies included in the final adopted budget; and the quarterly average number of instructional vacancies had by the school during the school year. This information is to be posted on PDE’s website.

Act 52 of 2023:

Effective 12/14/2023 (see note about retroactivity). Adds a new Section 1525.1 to the Public School Code of 1949 entitled “Calculation of Average Daily Membership for a Dual Credit Course.” This section provides that a high school student who is enrolled in a dual credit course may be included in the school entity’s average daily membership.
This section shall apply retroactively to July 1, 2023.

Act 55 of 2023:

Effective 02/12/2024. Amends Section 1403 of the Public School Code of 1949 to provide for dental screenings by a school dentist or public health dental hygiene practitioner (previously only permitted dental examinations by a dentist).

Act 56 of 2023:

Effective 12/14/2023. Adds a new Section 103 to the Public School Code of 1949 entitled “Minimum Number of Days or Hours.” Provides that beginning in the 2023-2024 school year, a school entity is required to provide a minimum of 180 days or instruction OR 900 hours of instruction at the elementary level or nine hundred ninety (990) hours of instruction at the secondary level. This section does not preempt or supersede a collective bargaining agreement that was entered into prior to the effective date of this section. This Act is effective immediately. (Previously the requirement was 180 days AND the hours requirement). Note, However, That This Section Appears To Not Be Applicable To Charter Schools.

Employer Student Loan Debt Benefits Following SECURE 2.0

In December 2022, Congress enacted groundbreaking legislation as part of the SECURE 2.0 Act (SECURE 2.0) codifying an opportunity for employers to provide matching contributions within a tax-qualified retirement plan based on their employees’ qualified student loan payments outside the plan. The SECURE 2.0 student loan payment match is the latest vehicle for employers to aid employees to help relieve the financial burden of student loan debt.

This On the Subject discusses the SECURE 2.0 student loan benefit and other employer options for providing tax-advantaged benefits to employees based on student loan payments. It also examines the open questions and current implementation challenges for sponsors of 401(k) and 403(b) plans hoping to implement the student loan benefit.

IN DEPTH


THE STUDENT LOAN DEBT PROBLEM AND EMPLOYER RESPONSE

Over the last two decades, the amount of outstanding student loan debt in the United States has grown exponentially. Studies suggest there are currently around 43 million Americans with student loan debt of more than $1.6 trillion. Paying off student loan debt has become a hot-button political issue, including with presidential candidates and members of Congress. Earlier this summer, the US Supreme Court’s decision in Biden v. Nebraska rejected the Biden administration’s plans for student loan debt relief. The Supreme Court held that the Higher Education Relief Opportunities for Students Act of 2003 did not authorize the secretary of education to cancel approximately $430 billion in federal student loan principal. This decision comes as the statutory pause on student loan repayments ended on September 1, 2023, a moratorium enacted in response to the COVID-19 pandemic and lasting over three years.

Managing student loan debt has become an increasingly significant issue for many workers. As a result, student loan debt presents a significant opportunity for employers. Student loan repayment programs can be a key factor in attracting and retaining talent. In a 2019 survey conducted by Gradifi, a student loan benefits provider, 70% of employees said they were likely to stay at their current jobs because a student loan paydown plan was available. Ninety-seven percent of employees reported being happier in their place of employment because of a student loan repayment program. Ninety-two percent of employees reported feeling an improvement in their stress because of their employer’s student loan repayment program. As a result, many employers are investigating new options to stay competitive and help their employees tackle student loan debt.

OPTIONS FOR EMPLOYERS TO PROVIDE TAX-ADVANTAGED STUDENT LOAN DEBT BENEFITS

Unfortunately, there are limited ways for employers to structure a program to provide student loan debt assistance that is not subject to immediate income tax. The current vehicles for providing student loan debt benefits on a tax-advantaged basis are:

Educational Assistance Programs

As part of the Coronavirus Aid, Relief, and Economic Security Act of 2020 (CARES Act), Congress amended Section 127 of the Internal Revenue Code (Code) to permit employers to pay up to $5,250 per year to employees for student loan repayments as part of an educational assistance program. Many employers utilize such plans to provide tuition reimbursement for college or advanced degrees. Under the CARES Act, employers may also utilize these plans to provide student loan debt assistance.

To do so, employers must comply with the requirements of Section 127 of the Code, including:

  • The employer must have a written plan document that lays out the terms of the program;
  • The program must benefit employees or certain former employees who qualify under rules set up so that the program does not favor highly compensated employees;
  • The program must not provide more than 5% of its benefits during any year for shareholders or owners (or their spouses or dependents) who own more than 5% of the stock or of the capital or profits interest of the business;
  • The program must not allow employees to choose to receive cash or other benefits that would be included in gross income instead of educational assistance; and
  • Eligible employees must be given reasonable notice of the program.

An educational assistance program provides a direct ability to pay off student loan debt through a basic but effective tax structure. Employers can make payments either to employees or directly to lenders. Many employers who offer student loan repayment benefits work with a third-party vendor because the employer does not want to be in the position of asking employees for sensitive financial information regarding student loan debt. Vendors often work with lenders either to pay off student loan debt directly or, if the employer provides direct payment to employees, to track or verify student loan debt payments so that the employer can be certain the payments are being used to pay off student loan debt.

The $5,250 limit is the combined limit for all educational assistance, including both expenses related to tuition reimbursement and student loan debt payments. Under current law, the ability for employers to pay up to $5,250 per year to employees for student loan debt payments as part of an educational assistance program expires on December 31, 2025. However, it is often the case that employee benefit options enacted through the Code which are originally scheduled to sunset are extended indefinitely or made permanent. There is no guarantee, but it would not be surprising if the student loan debt payment benefit is extended or made permanent, particularly in the current environment where student loan debt receives significant media attention.

Contributions to Tax-Qualified Retirement Plans

In 2018, the Internal Revenue Service (IRS) released a groundbreaking private letter ruling (PLR) that helped to clear the way for employers to begin providing student loan repayment benefits as part of their 401(k) plans. The PLR confirmed that, under certain circumstances, 401(k) plan sponsors may link the amount of employer contributions made on an employee’s behalf to the amount of student loan debt payments made by the employee outside the plan. However, the PLR only applied to the specific plan sponsor requesting the ruling and did not address the effect on many other plan qualification requirements, such as the Code Section 401(a)(4) nondiscrimination requirement.

SECURE 2.0 codified the ability for certain defined contribution plan sponsors to provide employer-matching contributions based on employee payment of student loan debt. Effective for plan years after December 31, 2023, 401(k) and 403(b) plan sponsors can provide employer-matching contributions based on an employee’s “qualified student loan payments” made outside of the plan. A qualified student loan payment includes any payment made by an employee in repayment of a qualified higher education loan. The loan must be for the cost of attendance at an eligible educational institution.

SECURE 2.0 provided a helpful statutory framework for plan sponsors to provide matching contributions on student loan payments. Some of the most significant features are:

  • “Qualified student loan payments” can include payments made by an employee for student loans made on behalf of the employee, the employee’s spouse or dependent;
  • Plan sponsors are permitted to rely on an employee’s self-certification of qualified student loan payments, which certification must be made on an annual basis;
  • Matching contributions on student loan payments must be treated the same as matching contributions made on elective deferrals concerning the match percentage, eligibility and the same vesting rules (though match frequency can differ);
  • Plan sponsors may make the student loan match more frequently than annually (e.g., on a payroll period basis), but employees must have at least three months after the close of the plan year to claim the match;
  • Qualified student loan payments are treated as available to all participants for purposes of the Code Section 401(a)(4) nondiscrimination testing requirements;
  • Student loan payments can be treated as elective deferrals for safe harbor plan rules; and
  • For purposes of the Actual Deferral Percentage (ADP) test, plan sponsors may separately test participants who receive matching contributions on account of qualified student loan payments.

OUTSTANDING QUESTIONS REGARDING SECURE 2.0 STUDENT LOAN EMPLOYER MATCHING CONTRIBUTIONS

While SECURE 2.0 provided the framework for the implementation of the student loan match, many open questions remain, and the US Department of the Treasury (Treasury) and IRS need to provide more guidance to fully implement this feature. Some specific areas where guidance would be helpful include:

  • More guidance on what constitutes a qualified student loan payment. It seems clear that payment made by an employee toward a loan taken by an employee, employee’s spouse or dependent qualifies, but when is this determined? What if the employee’s spouse or dependent was a spouse or dependent when the loan was taken, but not when the loan payments are made (or vice versa)?
  • What is required for a plan sponsor to establish reasonable procedures regarding annual self-certification? Separately, are there any limits on how much substantiation a plan sponsor can require if it wants to?
  • If the match is allocated after the end of the year, can it be limited to active employees? Would this apply to safe harbor plans (which generally are not permitted to require service as of the last day of the plan year for employees to receive contributions) as well?
  • How does the ability of employees to claim the match within three months after the end of the plan year affect the general requirement for non-safe harbor plans to correct ADP and Actual Contribution Percentage testing failures within two-and-a-half months after the end of a plan year to avoid an excise tax?
  • How do the vesting requirements work? The student loan match must vest “in the same manner” as a regular match. How does this work if the plan has a fully vested safe harbor match plus a discretionary match subject to a vesting schedule?

SECURE 2.0 directs the Treasury to issue regulations to address these and other questions and establish reasonable procedures and deadlines for employees to take advantage of the student loan match benefit.

PLAN SPONSOR CHALLENGES IMPLEMENTING SECURE 2.0 STUDENT LOAN DEBT BENEFITS

In addition to the open legal questions, numerous other challenges exist for plan sponsors seeking to implement the SECURE 2.0 student loan matching contribution. Most significantly, plan sponsors need to assess their ability to implement a student loan benefit within the context of their existing 401(k) or 403(b) plan platform. The plan’s recordkeeper and third-party administrator must have systems set up to administer the student loan debt benefit. Due in part to the ongoing questions and lack of guidance, many recordkeepers have delayed the development of the systems set up to administer student loan debt benefits on a large scale beginning in 2024. Some have set up pilot programs to test the option for a handful of plans. Many recordkeepers and administrators are just starting to “pilot” their process and systems for 2024 before making the offering available more widely, which may be in 2025 or 2026.

Employers pondering a SECURE 2.0 student loan benefit should consider the following:

  • Is the benefit right for your employee population? For some employers the answer is obvious: They either have a significant number of employees with college or advanced degrees for whom this issue is a high priority, or they do not. For others, it can be useful to assess the employee demographics to estimate the proportion of employees who may be interested in a student loan match. Some 401(k) recordkeepers are developing data and programs to help their clients make this determination. Some employers have utilized polls or surveys to try to determine employee interest.
  • What is the potential cost? Employers can model cost projections based on expected participation rates. Some recordkeepers are developing data and programs to help their clients make this determination.
  • Are there other, more effective ways to provide student loan debt benefits? For example, the CARES Act educational assistance program benefit discussed above is a relatively straightforward way to provide direct student loan debt benefits.

Although challenges remain, plan sponsors should keep in mind that plan design features are constantly evolving, and implementation issues always take time. Many retirement plan practitioners believe that it is only a matter of time before the student loan employer matching contribution becomes a commonplace feature within most employers’ 401(k) or 403(b) retirement plans.

Article by Jeffrey M. Holdvogt , Brian J. Tiemann , Teal N. Trujillo of McDermott Will & Emery

For more news on education, visit the NLR Public Education and Services page.

University of Texas at Austin Permanently Blocks TikTok on Network

On Tuesday, January 17, 2023, the University of Texas at Austin announced that it has blocked TikTok access across the university’s networks. According to the announcement to its users, “You are no longer able to access TikTok on any device if you are connected to the university via its wired or WIFI networks.” The measure was in response to Governor Greg Abbott’s December 7, 2022, directive to all state agencies to eliminate TikTok from state networks. Following the directive, the University removed TikTok from university-issued devices, including cell phones, laptops and work stations.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

For  more Cybersecurity Legal News, click here to visit the National Law Review.

Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma matter, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cyber criminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data.  Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will continue to remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and university must not only follow applicable government guidelines but also  consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.  

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state law – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the WISP.
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review the WISP at least annually or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

Division I Universities Must Be Ready for Changes to the NCAA Infractions Process

The NCAA Division I Board of Directors has adopted key changes to the way in which NCAA infractions matters will be investigated and processed in the future. The changes, which take effect on January 1, 2023, are intended to modernize and enhance the process, while focusing resources on the most serious violations. Another objective is to reduce the time needed to process and resolve violation proceedings.

President of the University of Georgia and Chair of the Division I Board of Directors Jere Morehead said in August that NCAA members are “committed to resolving cases fairly and in a timely fashion, thus holding those responsible for violations accountable and avoiding penalizing those who were not involved in rule-breaking.”

Among the key changes are the following:

Enhanced duty to cooperate: Institutions, staff, and student-athletes, upon learning of potential violations, will be required to preserve information, to provide immediate access to all electronic devices, and to encourage family members, spouses, boosters, and others to cooperate in the investigation. The number of aggravating and mitigating factors in the Bylaws has been expanded to reward prompt and full cooperation and deter efforts to hinder or impede investigations.

New head coach responsibility standard: Head coaches will be held responsible for serious violations committed by those who report to them directly or indirectly. Only in determining the appropriate penalty will the Committee on Infractions (COI) consider whether the head coach promoted compliance and monitored the program. The previous infractions approach, which included a rebuttable presumption of responsibility on the part of a head coach, has been abandoned.

Additional method for resolution: A new alternative for resolving infractions cases has been added, with the aim of providing the COI greater flexibility and reserving full hearings for only the most serious cases. The new method, known as a “Written Record Hearing,” will be employed in cases in which the facts are largely undisputed and the alleged violations not numerous or significant.

Clarification of appeal standard and limitation of appeals: Findings and penalties by the COI will be affirmed by the Infractions Appeals Committee (IAC) if there is information in the record that supports the decision. Findings and penalties will not be set aside unless no reasonable person could have made the ruling given the factual record. Appeals to the IAC as to the penalties imposed will be limited to those sanctions that fall outside legislated penalty guidelines, or “core penalties.” The majority of appeals will be decided based on the written record without the need for oral argument. Finally, and as is also the case with the revised COI process, extensions of time will be granted only in extreme and clearly defined circumstances.

Aggravating and mitigating factors: The new guidelines clarify which factors apply to institutions and which apply to involved individuals. Previously, this was unclear and often debated. New aggravating factors have been added, including hindering an investigation or inhibiting the COI’s processing of a case. New mitigating factors also have been added, including a demonstration of exemplary cooperation by, for example, securing meaningful cooperation from an outside party.

Name, image and likeness (NIL): In this rapidly evolving area, the bylaws provide that if available information indicates that behaviors surrounding an NIL offer or agreement is contrary to NCAA legislation, it shall be presumed that a violation occurred.  The charged institution or involved individual will then be required to rebut this presumption with credible and sufficient information that a violation did not occur.

In addition to the above changes, the new infractions construct eliminates the Independent Accountability Resolution Process (IARP), which had been created at the recommendation of the Commission on College Basketball chaired by Condoleezza Rice. While acknowledging the panel’s thoroughness in deciding the several cases referred to the IARP, it was concluded that this new process prolonged case timelines and required substantial additional resources to bring cases to resolution.

Finally, the Board of Directors announced that it will consider additional future changes that may help to deliver timely and fair outcomes in infractions matters. Among the subjects under further consideration are (i) requiring increased documentation of recruiting efforts, (ii) adjusting the size and composition of the COI, (iii) modification of penalty ranges (including alternatives to post-season bans), and (iv) enhancing confidentiality rules for involved parties during investigation by the NCAA enforcement staff.

Jackson Lewis P.C. © 2022
For more Public Services Legal News, click here to visit the National Law Review.

Name, Image and Likeness: What Higher Education Institutions Need to Know for Legal Compliance

More than a year has passed since the NCAA v. Alston ruling and roll-out of the NCAA Name, Image and Likeness Interim Policy. What processes should institutions have in place, and what situations should they be on the lookout for at this point in the NIL game? While institutions cannot provide compensation to student-athletes or potential student-athletes in exchange for use of a student’s NIL, below are items counsel at higher institutions should have on their radar.

Review and Approval of NIL Agreements

The NCAA Interim Policy does not require student-athletes to disclose NIL agreements and/or opportunities to their institutions. In the State of Michigan, however, pursuant to House Bill 5217, beginning December 31, 2022, student-athletes must disclose proposed NIL opportunities or agreements to the institution at least seven days prior to committing to the opportunity or contract. For the institution, this means there needs to be a process in place by which student-athletes submit opportunities or agreements to the institution and the institution does a timely and thorough review of the submission. The institutional representative reviewing the submissions must be knowledgeable of the institution’s active contractual obligations and only sign off on the student-athlete’s potential NIL opportunity or contract once confident there is no conflict with an existing institutional contract. This is most likely to come up in agreements with exclusivity terms, such as sports apparel and campus-wide pouring rights agreements. If there is a conflict, the institution needs to articulate the specific conflict to the student-athlete so they can negotiate a revision, which is then subject to additional review and potential approval by the institution.

Institutions are the Regulating Bodies

Institutions in states that require submission of NIL opportunities by student-athletes need to pay close attention when reviewing submissions because the NCAA has placed most of the NIL regulatory burden on institutions. Specifically, institutions are obligated to report potential violations of NCAA policy. Among other potential violations, institutions must report possible abuses on the prohibition of pay-for-play and improper inducements of potential student-athletes and current student-athletes. Essentially, in addition to spotting potential conflicts between NIL agreements and current institution agreements, institutions need to review NIL agreements to determine if a student-athlete is being compensated for athletic achievement and/or for their enrollment or continued enrollment at a particular institution. Any indication that the student-athlete’s NIL agreement will be void if they no longer participate on an athletic team requires the institution to complete due diligence and determine the appropriateness of the arrangement in light of the NIL policy. Institutions are ultimately responsible for certifying the eligibility of student-athletes, and the presence of the previously mentioned terms place the agreement in direct violation of the language in the NIL Interim Policy and corresponding NCAA guidance.

Institutional Staff Members

It is in the best interest of institutions to train their staff members on appropriate interactions with boosters because the NCAA holds institutions responsible for the “impermissible recruiting activities engaged in by a representative of athletics interest (i.e., a booster).” Staff members need to understand the actions they are permitted to take and conversations they are permitted to have, as failure to do so could land them deep in the gray area of NIL.

  • An institutional staff member cannot directly or indirectly communicate with a potential student-athlete on behalf of a booster or NIL entity.
  • An institutional staff member cannot enter into agreements with an NIL entity to secure NIL deals between the entity and potential student-athletes.
  • An institutional staff member cannot “organize, facilitate or arrange” a meeting or any conversations between an NIL entity and a potential student-athlete, which includes transfer students coming from other institutions.

Financial Aid

Institutions should ensure they are not influencing how a student-athlete uses their compensation. Specifically, institutions should not direct student-athletes to use their NIL compensation for financial aid. Student-athletes’ financial aid is not impacted by compensation they would receive from NIL agreements. Financial aid limitations exclude compensation which also extends to NIL compensation. However, if a student receives NIL compensation, this may impact need-based financial aid.

FERPA

Many public institutions have made the argument that FERPA precludes them from disclosing NIL agreements without a release executed by the student-athlete. If a copy of an NIL agreement or summary of an NIL opportunity is provided to the institution by the student-athlete, this becomes a record of the university per the definition of FERPA and is likely part of the student-athlete’s educational record. There may be a particular circumstance in which a FERPA exception would apply to a request, but there is no broad FERPA exception that would apply in this situation. Institutions might find it strategic to include their stance on FERPA in an NIL policy to ensure all requests for NIL agreements are handled consistently.

International Students

International students can receive NIL compensation but with some caveats. In its documentation, the NCAA directs international student-athletes to their institution’s Designated School Official for “guidance related to maintaining their immigration status and tax implications.” As a result, institutions should make sure the individual(s) is/are well equipped to provide answers regarding NIL from international students.

Five Steps to Become a Well-Organized and Compliant Institution

  1. Have an NIL policy and procedures that are followed consistently and made available to student-athletes for reference and consultation;
  2. Have a process in place to review NIL agreements between the institution’s student-athletes and outside entities or individuals (if located in a state that requires student-athletes to make such disclosures);
  3. Have trained its staff (especially athletics staff) on what actions can and cannot be taken in relation to student-athletes’ NIL opportunities;
  4. Have trained its student-athletes on available resources; and
  5. Have a team of institutional staff members ready to pivot if additional laws are enacted by their state, if additional guidance is provided by the NCAA or if federal legislation is enacted.
© 2022 Varnum LLP

All Federal Research Agencies to Update Public Access Policies

On 25 August 2022, the Office of Science and Technology Policy (OSTP) released a guidance memorandum instructing federal agencies with research and development expenditures to update their public access policies. Notably, OSTP is retracting prior guidance that gave discretion to agencies to allow a 12-month embargo on the free and public release of peer-reviewed publications, so that federal funded research results will be timely and equitably available at no cost. The memo also directs affected agencies to develop policies that:

  1. Ensure public access to scientific data, even if not associated with peer-reviewed publications;
  2. Ensure scientific and research integrity in the agency’s public access by requiring publication of the metadata, including the unique digital persistent identifier; and
  3. Coordinate with OSTP to ensure equitable delivery of federally funded research results and data.

KEY COMPONENTS OF GUIDANCE:

Updating Public Access Policies

Federal agencies will need to develop new, or update existing, public access plans, and submit them to OSTP and the Office of Management and Budget (OMB). Deadlines for submission are within 180 days for federal agencies with more than US$100 million in annual research and development expenditures, and within 360 days for those with less than US$100 million in expenditures.

Agencies will need to ensure that any peer-reviewed scholarly publication is free and available by default in agency-designated repositories without any embargo or delay following publication. Similarly, OSTP expects the access polices to address publication of any other federally funded scientific data, even if not associated with peer-reviewed scholarly publications. As a concession, federal agencies are being asked to allow researchers to include the “reasonable publication costs and costs associated with submission, curation, management of data, and special handling instructions as allowable expenses in all research budgets.1

Ensuring Scientific Integrity

To strengthen trust in governmentally funded research, the new or updated policies must transparently communicate information designed to promote OSTP’s research integrity goals. Accordingly, agencies are instructed to collect and make appropriate metadata available in their public access repositories, including (i) all author and co-author names, affiliations, and source of funding, referencing their digital persistent identifiers, as appropriate; (ii) date of publication; and (iii) a unique digital persistent identifier for research output. Agencies should submit to OSTP and OMB (by 31 December 2024) a second update to their policies specifying the approaches taken to implement this transparency, and publish such policy updates by 31 December 2026, with an effective date no later than one year after publication of the updated plan.

IMPLICATIONS FOR THE NATIONAL INSTITUTES OF HEALTH (NIH), OTHER FEDERAL AGENCIES, AND THEIR GRANTEES

The NIH is expected to update its Public Access Policy, potentially along with its Data Management and Sharing Policy to conform with the new OSTP guidance. Universities, academic medical centers, research institutes, and federally funded investigators should monitor agency publications of draft and revised policies in order to update their processes to ensure continued compliance.

In doing so, affected stakeholders may want to consider and comment to relevant federal agencies on the following issues in their respective public access policy development:

  • Federal agency security practices to prevent foreign misappropriation of research data;
  • Implications for research misconduct investigations and research integrity;
  • Any intellectual property considerations without a 12-month embargo, especially to the extent this captures scientific data not yet published in a peer-review journal; and
  • Costs allowable research budgets to support these data management and submission expectations.

1 Office of Science and Technology Policy, Memorandum for the Heads of Executive Departments and Agencies: Ensuring Free, Immediate, and Equitable Access to Federally Funded Research at p. 5 (25 August 2022) available at https://www.whitehouse.gov/wp-content/uploads/2022/08/08-2022-OSTP-Public-Access-Memo.pdf

Copyright 2022 K & L Gates