
Maryland House of Delegates Committee on Ways and Means

Hearing on House Bill 607 February 21, 2014

Testimony of Barmak Nassirian
Bethesda, Maryland

Chairman Hixson and Members of the Committee,

My name is Barmak Nassirian, and I am a resident of Montgomery County, where I graduated from Walt Whitman High School and where my two young girls attend public schools now. I appreciate the opportunity to share my views on HB607 with the Committee. I appear before you primarily as a concerned parent, but also as a privacy advocate with more than two decades of professional experience with legal questions, technological issues, and administrative practices related to educational privacy. I thank the sponsors of HB607 and the entire Committee for the attention they are rightly paying to the subset of children's privacy issues addressed in the proposed legislation.

There is no doubt that advances in information technology, the broad availability of high-speed connectivity, and the explosive growth of cloud computing services pose new and unique challenges for schools as well as for local and state educational agencies in their efforts to automate, improve operations, and promote efficiency. These challenges include security risks associated with transport and off-site storage of personally identifiable information, as well as inherent privacy concerns about authorizing third-party access to information that has traditionally been physically maintained at schools or local or state educational agencies.

While HB607 should be recognized for its proper diagnosis of the problem, it suffers a number of significant shortcomings as it is currently drafted. The following brief summary of some of these is intended to assist the Committee in its deliberations. I believe revisions of the proposed statutory language would strengthen the bill's privacy and security protections for students and simultaneously simplify compliance for schools.

Definitions: Section 1 (A)

Items (2) & (3) The definition of cloud computing is imprecise and overbroad, and read literally, would apply to on-site physical local area networks as well as to software, platform, and infrastructure that are provided "as a service."

Item (4) The definition of educational institution excludes institutions of higher education, where many minors may dually enroll for advanced study while still in high school. In addition, the bill fails to cover local and state educational agencies, which are left entirely at liberty to continue cloud computing practices with the same records that the bill seeks to better protect in school settings. Here, as well as with a number of other definitions, the optimal solution would be to use federal definitions articulated in regulations (34 CFR 99.3) promulgated pursuant to Family Educational Rights and Privacy Act of 1974, as amended (FERPA). While important features of FERPA were unfortunately weakened in 2011, its pre-2011 definitions are now well-settled law, and creating an entire new vocabulary would cause confusion and lead to unintentional non-compliance.

Item (5) This definition of the verb "process" enumerates a lengthy list of actions, none of which would be possible without the original disclosure of personally identifiable information to the cloud computing service provider. In educational privacy law, controlling disclosures and re-disclosures has historically been the way to control all subsequent allowable activities. This unnecessarily complicated definition should be struck altogether, and all of the bill's restrictions and mandates should be redrafted as requirements for disclosure of personally identifiable information.

Item (6) The definition of student data is highly unorthodox on two counts. First, it affirmatively includes directory data elements, the disclosure of which is generally viewed as less damaging to privacy rights, but fails to enumerate or reference highly sensitive non-directory information. Second, again in a departure from settled law and common intuition, it only includes data elements that are provided either by the student or created by the school. But, there is a host of data elements -- transcripts provided by previous schools, test scores administered by outside entities, medical records from outside providers, etc. -- that this definition may inadvertently leave out. Both of these shortcomings can be corrected through reference to 34 CFR 99.3 and its definition of "personally identifiable information" from "education records."

Legal Authorization of Cloud Computing: Section 1 (B)

This provision is unnecessary because nothing in current law prohibits the use of cloud computing, and there is therefore no reason to affirmatively authorize its use. Institutions have historically used contractors in agency relationships to provide services, and the use of cloud computing service providers qua contractors is well within that historical precedent. If anything, a blanket authorization of cloud computing with HB607's minimal restrictions may create an unintended exemption from existing restrictions for cloud computing service providers. I strongly urge the Committee to strike this provision.

New Restrictions on Cloud Computing: Section 1 (C)

This section is intended as HB607's substantive articulation of new protections for students. Regrettably, while it provides minor improvements on some issues, it fails to address some of the structural features of cloud computing and would need a major overhaul. The bill fails, for example, to address such essential issues as direct control by schools, service providers' internal practices regarding access to records, questions of liability, of qualification, security standards, security audits, breaches and breach notifications. It also fails to clearly articulate allowable uses of data. I urge the Committee to strike this subsection and consider a more robust alternative:

(C) (1) The Department, District Boards of Education and institutions may not disclose personally identifiable information from education records of students without the written consent of eligible students or parents to a contractor, consultant, or other party to whom an agency or institution has outsourced institutional services or functions unless that outside party:

(I) performs an institutional service or function for which the Department, District Board of Education, or institution would otherwise use employees;

(II) is under the direct control of the agency or institution with respect to the use and maintenance of education records;

(III) limits internal access to education records to those individuals that are determined to have legitimate educational interests;

(IV) does not use the education records for any other purposes than those explicitly authorized in its contract;

(V) does not disclose any personally identifiable information to any other party:

1. without the prior written consent of the parent or eligible student, or

2. unless required by statute or court order and the party provides a notice of the disclosure to the Department, District Board of Education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;

(VI) maintains reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody;

(VII) uses encryption technologies to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5;

(VIII) has sufficient administrative and technical procedures to monitor continuously the security of personally identifiable information in its custody;

(IX) conducts a security audit annually and provides the results of that audit to each Department, District Board of Education, or institution that provided educational records;

(X) provides the Department, District Board of Education, or institution with a breach remediation plan acceptable to the Department, District Board of Education or institution prior to initial receipt of education records;

(XI) reports all suspected security breaches to the Department, District Boards of Education, or institution that provided education records as soon as possible but not later than forty-eight hours after a suspected breach was known or would have been known by exercising reasonable diligence;

(XII) reports all actual security breaches to the Department, District Boards of Education, or institution that provided education records as soon as possible but not later than twenty-four hours after an actual breach was known or would have been known by exercising reasonable diligence;

(XIII) in the event of a security breach or unauthorized disclosures of personally identifiable information, pays all costs and liabilities incurred by the Department, District Boards of Education, or institutions related to the security breach or unauthorized disclosure, including but not limited to the costs of responding to inquiries about the security breach or unauthorized disclosure, of notifying subjects of personally identifiable information about the breach, of mitigating the effects of the breach for the subjects of personally identifiable information, and of investigating the cause or consequences of the security breach or unauthorized disclosure; and

(XIV) destroys or returns to the Department, District Boards of Education, or institutions all personally identifiable information in its custody upon request and at the termination of the contract.

I believe the 14 provisions listed above constitute a far more reassuring set of safeguards than the 5 overbroad restrictions in the current draft of HB607, and that their adoption would provide real protections to students and to schools in Maryland. I would also point out that needed educational privacy protections go beyond cloud computing practices of institutions. I hope the Committee will consider an even more comprehensive effort at protecting the enormous amount of sensitive personally identifiable student data that institutions and local and state educational agencies maintain. I thank the Committee for its consideration and would be happy to respond to any questions.
