Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cybercriminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data.  Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government guidelines but also consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.  

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state laws – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the written information security program (WISP).
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

Do You Have a College Student? Important Healthcare, Financial, and Educational Documents That They (and You) Need

August is upon us and you may soon be sending children off to college. If your child is age 18 or older, you and your child will need to take some simple steps so that, in the event of an emergency, you will be able to make health care and financial decisions for your child and have access to your child’s medical information and financial accounts. The same is true if you are to have access to your child’s educational records.

Medical Information. Once your child reaches age 18, your child is deemed to be an adult by law and you no longer have a legal right to make health care decisions on behalf of your child or to access your child’s health care information. As a result, if you have an adult child, your child must execute certain legal documents naming you as his or her health care agent and permitting you to access his or her medical information:

  1. Your child must execute a “Health Care Proxy” naming you as his or her agent for health care decisions. In this document, your child authorizes you to make health care decisions on your child’s behalf if he or she becomes unable to make or communicate such decisions him or herself. The child may also share his or her own wishes regarding medical treatment.
  2. Your child must also sign a “HIPAA Authorization Form.” The Health Insurance Portability & Accountability Act of 1996 (generally known as “HIPAA”) protects the privacy of an individual’s medical information, and health care providers may require written consent from a patient to share information with family members, including parents of an adult child. Your child’s college or university may also have policies in place preventing it from sharing medical information without the student’s consent. This form will serve as written permission authorizing those providing health care services to your child to share medical information with you as your child’s health care agent.
  3. In addition, you should be in contact with the health services department of your child’s college or university. The institution may provide its own form for authorizing the release of medical information that can be kept on record with the institution’s health services department.

Financial Accounts. If you are to have the ability to act on behalf of your adult child with respect to financial matters, your child also needs to execute a “Durable Power of Attorney” naming you as your child’s agent with respect to the child’s assets and finances. If your child is attending college away from home, is studying abroad, or undergoes a medical emergency, it may be useful for you to access your child’s accounts on his or her behalf. This allows you to pay bills for a child out of their accounts, make deposits and open or close accounts. In addition, a durable power of attorney allows you to handle other financial tasks for the child, like filing tax returns or renewing a lease.

Educational Records. Finally, the Family Educational Rights and Privacy Act (FERPA) protects the educational records of a child who has turned 18 or is enrolled at a postsecondary institution from access by his or her parents. If the child’s parents claim the child as a dependent on their tax returns, the parents may still access the child’s education records without the child’s consent. However, institutions may be reluctant to allow access to education records for any child over the age of 18 without a “FERPA Waiver” signed by the child, regardless of their status as a dependent. If you would like to have access to your child’s educational records, you should contact the institution to request a FERPA Waiver form.

2022 Goulston & Storrs PC.

Ohio Court of Appeals Affirms $30 Million Libel Verdict Against Oberlin College

The Ohio Court of Appeals affirmed a judgment in excess of $30,000,000 against Oberlin College, holding that Oberlin was responsible for libelous statements made during the course of a student protest. Gibson Bros., Inc. v. Oberlin College, 2022 WL 970347 (Ohio Ct. App. March 31, 2022). The court’s rationale, if followed elsewhere, could lead to significantly broader institutional and corporate liability for statements by students and employees.

The case arose out of an incident in which an employee of the Gibson Brothers Bakery and Food Mart accused a black student of shoplifting, and then pursued and held the student until police arrived. Over the next few days, large groups of student protestors gathered outside the bakery and among other things handed out a flyer describing the incident as an “assault,” and stating that the bakery had a “long account of racial profiling and discrimination.” The day following the incident, the student senate passed a resolution calling for a boycott. It likewise described the incident as an assault on the student and stated that the bakery had a “history of racial profiling and discriminatory treatment of students….” The resolution was emailed to the entire campus and posted on the senate bulletin board, where it remained for over a year. The court found the statements to be factually untrue, because the student pled guilty to the shoplifting charge and admitted racial profiling did not occur, and the College presented no evidence of any past racial profiling or instances of discrimination at the bakery.

The court acknowledged that there was no evidence that Oberlin participated in drafting the flyer or the student senate resolution. Instead, the court found Oberlin liable on the theory that one who republishes a libel, or who aids and abets the publication of a libelous statement, can be liable along with the original publisher. As to the flyer, the court cited the following as evidence sufficient to support a jury finding that Oberlin had either republished or aided and abetted its publication:

  • Oberlin’s Dean of Students attended the protests as part of her job responsibilities;
  • the Dean of Students handed a copy of the flyer to a journalist who had not yet seen it and told students they could use a college copier to make more copies of the flyer;
  • the associate director of a multicultural resource center was seen carrying a large number of flyers, which he appeared to be distributing to others to redistribute to the public; and
  • the College provided a warming room with coffee and pizza at a site near the protests.

As to the student senate resolution, the court cited:

  • the senate was an approved organization;
  • the College created the senate’s authority to adopt and circulate the resolution;
  • the senate faculty moderator was the Dean of Students; and
  • despite having knowledge of the content of the resolution, neither the President nor the Dean of Students took any steps to require or encourage the student senate to revoke the resolution or to remove it from the bulletin board.

The court then held that despite the publicity the bakery received once the dispute arose, at the time of the protests and resolution the bakery and its owners were private persons, not public figures. Thus, the bakery only had to show that Oberlin had been negligent, rather than that it acted with reckless indifference as to the truth or falsity of the statements published.

Particularly in these polarized times, university administrators should be aware of and take steps to manage legal risks when external disputes become the subject of campus discussion and activism. Student organizations, faculty and administrators should be reminded that, to the extent they participate in protests or other public commentary outside their official roles, they should make clear they are acting for themselves and not the institution. Institutional responses to causes espoused by students or faculty need to be carefully vetted to assure that any factual assertions about third parties are accurate.

© 2022 Miller, Canfield, Paddock and Stone PLC

NLRB, Labor Laws and the Impact on NCAA Athletes

Can—and should—college athletes be classified as employees? The answer to that question may be in flux. In a recent episode of the In-House Roundhouse Podcast, Womble Bond Dickinson attorney and host Mark Henriques welcomed Womble Bond Dickinson attorney Mike Ingersoll and University of North Carolina School of Law Professor Barbara Osborne to discuss the latest developments. Both guests were scholarship student-athletes themselves during their college days, adding to their perspective on the many issues pertaining to college athletes as employees. This article is derived from that conversation and is the latest installment in Womble Bond Dickinson’s Opportunity Economy series.

Just when you think you have all the answers about college athletes as employees, the National Labor Relations Board changes the questions.

NLRB General Counsel Jennifer Abruzzo’s September 2021 memorandum states that her office will consider some college athletes to be employees moving forward. But a number of significant questions—including whether Abruzzo’s memo has the full support of the NLRB—remain unanswered.

The NLRB Memo: What it Says

Ingersoll explained that Abruzzo’s memo dovetails off of the NLRB’s 2015 Northwestern University decision—which really was a non-decision. In that case, the NLRB failed to render a decision as to whether or not Northwestern University’s scholarship football players were university employees under the National Labor Relations Act. That non-decision created a gray area of the law that Abruzzo’s memo seeks to fill.

“Essentially, she has decided her office will prosecute disputes brought by students under the NLR Act as if they are employees,” Ingersoll said. “She said any mischaracterization of players as ‘student-athletes’ – which is a nomenclature that has been used for decades – will itself be considered a violation of the NLRA as far as her office is concerned.”

The NLRB hasn’t adopted this as its official position, though, and the memo appears to be limited only to private colleges and universities, because the NLRA only applies to private schools.

“The memo itself raises more questions than it answers,” Osborne said. “I think it invites student-athletes to file claims that they deserve to be paid as employees, and that opens a whole new can of worms.”

So should the term “student-athlete” be scrubbed from the college sports lexicon?

Ingersoll believes colleges and universities should avoid using it, at least in the short term, if they believe they are at risk of having to defend employment claims in front of the NLRB.

“I always thought of myself as a student-athlete and was proud of that,” Osborne said. “I don’t necessarily know that using that term misidentifies, but you need to classify those people as employees.”

Unanswered Questions in the NLRB Memo

However, as Osborne notes, this raises the first of many serious unanswered questions. The NLRB memo would require at least some college athletes to be classified as employees. However, this is at odds with NCAA rules, which prohibit athletes from being institutional employees.

“So we have a conundrum,” she said.

Another question: Which athletes are covered by the memo? Ingersoll said that is unclear.

“The memo distinguishes ‘Certain Players’ as a capitalized term – but it doesn’t actually define the term,” he said. The NLRB only has jurisdiction over private colleges and universities, not state-supported schools.  The Northwestern University case applied only and explicitly to scholarship football players at Northwestern. It provided no opinion on other players in any other sport or at any other university, Ingersoll noted.

So to which students and sports does the memo apply? Only scholarship players or all varsity athletes? Both men’s and women’s athletics? Only so-called “revenue sports” or any officially sanctioned sport? To date, college officials and athletes don’t have any answers to these questions.

“Wait and see how it gets enforced,” Ingersoll said. “My assumption would be that it is intended to apply as broadly as the GC’s office can make it apply.”

Osborne said, “The ‘Certain Players’ term is very unclear. The only sport she mentions is football, but it’s hard to say if it’s just about football. But if the memo only applies to scholarship football players, you are leaving everybody else vulnerable.”

She explained that the NLRA is all about the ability to unionize and engage in activities related to exploring unionization, with the employer being prohibited from interfering.

“What she’s saying is that if these athletes want to unionize, we’re going to support that and (the colleges) can’t interfere. Again, though, that opens up so many more questions than there are answers,” Osborne said. For example, which athletes may organize? Can only private school athletes organize? And what exactly are “revenue sports?” This may vary from school to school. For example, the University of Georgia’s Gymnastics program is a profitable operation, while many schools actually lose money on football.

Another key question is whether, if athletes can organize, they may then collectively bargain with the NCAA about its rules and requirements. Ingersoll said all of this is unprecedented territory for college sports.

“From a legal standpoint, there’s been no union activities among college sports that I’m aware of,” he said. “As an athlete, it’s made clear to you early on that when you participate on a team, you are part of a dictatorship, not a democracy. There is no forcing the coaching staff or administration to do something they don’t want to do.”

Osborne said, “I absolutely agree that it’s not something athletes think about doing – they’ve got too much personally at stake…. The flip side is that we do see student-athletes, through the free speech aspect, uniting for causes. I see that as a more hospitable way to open up a dialogue as to what could be done to make things better, but I don’t see that in union terms.”

As an example, Ingersoll noted the 2020 college football season, in which a number of teams influenced their conferences to hold the season amid COVID-19 concerns.

What’s Next for Athletes as Employees?

The NLRB memo isn’t the only significant development related to the employment status of college athletes.

A case in the Eastern District of Pennsylvania, brought by college athletes, alleges employment status under the FLSA and demands wages. The claim survived a motion to dismiss and is now up on appeal. This is quite different from the Seventh Circuit precedent in Berger, which the Appeals Court dismissed because it decided college athletes weren’t employees and, thus, aren’t subject to the FLSA.

“We’ll see what ends up happening at the appellate level in light of these decisions,” Ingersoll said. “At the time of the Berger decision (in 2016), the landscape was significantly different than it is now.”

Also, the NLRB hasn’t adopted the Abruzzo memo as its official position, and the memo is limited in scope. But Ingersoll said the memo may “bleed into” state and federal litigation—litigation he expects to increase in volume.

One factor driving increased litigation surrounding college athletes-as-employees is Supreme Court Justice Brett Kavanaugh’s concurrence in this year’s NCAA v. Alston decision. The case opened the door for college athletes to use their name, image and likeness for commercial purposes.

“At the point where you get favorable state and federal decisions in court, you get some teeth behind this notion of athletes as employees,” he said.

Osborne pointed out that there may be many unintended consequences if student-athletes are reclassified as university employees. For example, scholarships would be considered taxable income, and athletes may even be owed wages. Employment status also may impact Pell Grants or need-based financial aid eligibility. For student-athletes who are dependents on families, how would family taxes be impacted? “There are all sorts of tax implications,” Osborne said.

Such a change in status also could require colleges and universities to provide Worker’s Compensation coverage for student-athletes who are hurt on the job.

And then there is the NLRB memo itself. Is it effective without board adoption? And what would happen if the board does (or does not) adopt it?

“The memo essentially means that Abruzzo and her office will investigate and prosecute claims with the assumption that the athlete is a university employee,” Ingersoll said. However, he said the full board ultimately will have to make a decision on the memo and stake out a position.

“If the board were to reject Abruzzo’s position, that essentially kills it—Abruzzo is bound by the board. The board is going to have to stake out an official position. If the board adopts it, that will be the NLRB’s position and as long as the athlete meets the criteria, then the case will have to proceed under the assumption the athlete is an employee under the NLRA.”

But the NLRB’s position certainly could change later under a different administration. “The real teeth are in state and federal litigation decisions. That’s when you will see a bit of a sea change,” he said.

“The thing that stops that wave of litigation would be if we have federal legislation—which we’ve had a lot of lobbying for,” Osborne said. Proposals on the table run the gamut from supporting everything the NCAA has done in the past to the proposed College Athlete Bill of Rights, which would provide compensation and revenue sharing for student-athletes. Osborne wonders if the uncertainty created by the memo might force some form of Congressional action.

In addition, she notes that 37 court cases decided that state student-athletes are not employees and do not have rights associated with employment. “We have to reconcile those precedents,” she said.

So the path forward remains uncertain, with many questions still left to be decided.

Ingersoll said, “Justice Kavanaugh did provide a road map for these challenges to move forward. But right now, the NLRB memo is limited in its scope and impact. There should be no rush to judgment until we have some binding case law.”

See also “Alston Aftermath: NLRB General Counsel Memo Confirms Employment Status for Certain College Football Players Under the National Labor Relations Act and Declares an End to the ‘Student-Athlete’” by Mike Ingersoll.

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved.

IRS Notice Offers Good News for State Colleges and Universities (at Least for Now)

In January 2019, the Internal Revenue Service (IRS) issued Notice 2019-09, which provides interim guidance for Section 4960 of the Internal Revenue Code of 1986. As a reminder, Section 4960 imposes an excise tax of 21 percent on compensation paid to a covered employee in excess of $1 million and on any excess parachute payments paid to a covered employee. A “covered employee” is one of the organization’s top-five highest-paid individuals for years beginning after December 31, 2016. An organization must determine its covered employees each year, and once an individual becomes a covered employee, that individual will remain a covered employee for all future years.

Of particular interest to state colleges and universities is the answer to Q–5 of the notice. It provides that the Section 4960 excise tax does not apply to a governmental entity (including a state college or university) that is not tax-exempt under Section 501(a) and does not exclude income under Section 115(l). What does this mean? Basically, if an institution does not rely on either of those statutory exemptions from taxation, the institution will not be subject to the excise tax provisions of Section 4960. This exclusion from Section 4960 means the institution could compensate its athletic coaches (or other covered employees) in excess of the $1 million threshold and not be subject to the 21 percent excise tax.

As we discussed previously, some institutions rely on political subdivision status for tax purposes. Importantly, the notice also provides that any institution relying on its political subdivision status to avoid taxation, as opposed to relying on either of the above-mentioned exemptions, will be subject to the Section 4960 excise tax if the institution is “related” to any entity that does rely on either of the exemptions.

Although the IRS’s guidance is helpful in determining Section 4960’s application to state colleges and universities, it appears not to reflect “Congressional intent.” On January 2, 2019, the Committee on Ways and Means of the U.S. House of Representatives released a draft technical corrections bill that seeks to correct “technical and clerical” issues in the Tax Cuts and Jobs Act of 2017. The corrections bill seeks to clarify Section 4960’s application by stating that any college or university that is an agency or instrumentality of any government or any political subdivision, or that is owned or operated by a government or political subdivision, is subject to Section 4960. Given the current state of affairs in Washington, D.C., we are not confident that the corrections bill’s expanded application to state colleges and universities will ever come to fruition.

 

© 2019, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Fourth Circuit Expands Title IX Liability for Harassment Through Anonymous Online Posts

The Fourth Circuit recently held that universities could be liable for Title IX violations if they fail to adequately respond to harassment that occurs through anonymous-messaging apps.

The case, Feminist Majority Foundation v. Hurley, concerned messages sent through the now-defunct app Yik Yak to the individual plaintiffs, who were students at the University of Mary Washington. Yik Yak was a messaging app that allowed users to anonymously post to discussion threads.

Because of the app’s location feature, which allowed users to see posts within a 5-mile radius, the Court concluded that the University had substantial control over the context of the harassment because the threatening messages originated on or within the immediate vicinity of campus. Additionally, some of the posts at issue were posted using the University’s wireless network, and thus necessarily originated on campus.

The Court rejected the University’s argument that it was unable to control the harassers because the posts were anonymous. It held that the University could be liable if it never sought to discern whether it could identify the harassers.

The dissent encouraged the University to appeal the decision, stating that “the majority’s novel and unsupported decision will have a profound effect, particularly on institutions of higher education . . .  Institutions, like the university, will be compelled to venture into an ethereal world of non-university forums at great cost and significant liability, in order to avoid the Catch-22 Title IX liability the majority now proclaims. The university should not hesitate to seek further review.”

 

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
This post was written by Kathleen E. Dion of Robinson & Cole LLP.