In mid-2016, Colorado signed into law a new measure meant to protect student data: the Student Data Transparency & Security Act. The third and final milestone of the act requires that Local Education Providers (LEPs) adopt a Student Information Privacy and Protection Policy by December 31, 2017 (extended to July 1, 2018 for rural school systems). The comprehensive legislation covers the protection of Student Personally Identifiable Information (SPII). SPII is defined as:
"Information that, alone or in combination, personally identifies an individual student or the student’s parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider."
The legislation applies to some, but not all, online service providers (vendors). Specifically, it applies to internet websites, online services or applications, or mobile applications that are designed and marketed primarily for use in schools. So, some cloud and mobile applications are definitely in scope, though only those specifically marketed to school systems.
School systems, however, have a much broader guideline to follow. Specifically, they must adopt a SPII Privacy and Protection Policy that covers a broad range of controls. These controls include identifying and (when requested) destroying SPII, implementing data breach prevention and response, providing notifications in the event of a breach, and more. This broader guideline means that while vendors, such as cloud services, might be off the hook, school systems need to protect SPII everywhere: not only in education-specific services, but across the board. Since the vendors aren't forced to comply, school systems must turn to third-party tools, like Cloud Access Security Brokers (CASB), to fill in the gaps.
The Colorado Department of Education has provided an extensive list of sample policies that school systems are encouraged to implement. With the broad reach of cloud suites like Office 365 and G Suite into education, a Next-Gen CASB can help organizations achieve the goals set out in many of these policies, including:
More broadly, a Next-Gen CASB helps to identify and protect SPII across any cloud app and any device. Advanced technologies, such as Zero-day CASB Core, ensure that whether the school has only a few well-known SaaS apps or a broad range of lesser-known and custom applications, the CASB will automatically adapt to support the use cases.
Whether you're a school system in Colorado or elsewhere in the US, or any organization that deals with PII, the legislation put forth by the Colorado General Assembly represents best practice for data protection in the cloud.
To learn more about SDTSA and how Bitglass, the Next-Gen CASB, can help you comply, download the document below.