By: Brian R. Bare

Recently, over 13,000 schools across the nation have been receiving a notification from a major education publishing and assessment service provider, that their student and employee data was inadvertently accessed in a data breach.  The data in question appears to have been limited to student or employee names, student dates of birth, and email addresses.  However, the breach has garnered a significant amount of media attention.  As the service provider deals with student assessments, the discussion in education now asks what to do if the next breach involves much more sensitive data.

Today, although federal law has the Family Educational Rights and Privacy Act (“FERPA”, 20 U.S.C. § 1232g) and the Children’s Online Privacy Protection Act (“COPPA”, 15 U.S.C. §§ 6501–6506), neither of these statutes deal explicitly with data breaches.  Instead, states have been left to address these incidents through state laws.  In Illinois, similarly, neither the School Code (105 ILCS 5/1 et seq.) nor the School Student Records Act (105 ILCS 10/1 et seq.) nor the Student Online Personal Protection Act (“SOPPA”, 105 ILCS 85/1 et seq.) deal with data breaches at the present moment.

Instead, the Personal Information Protection Act (“PIPA”, 815 ILCS 530/1 et seq.) addresses the issue of data breaches across the state.  PIPA is applicable to any “data collector,” which is a broadly-defined term that includes any entity that handles, collects, disseminates, or otherwise deals with private data “for any purpose,” and definitely includes school districts.  PIPA is limited to incidents that involve specific types of personal information, defined as either:

  1. an individual’s name plus their Social Security number, driver’s license or state ID number, financial or credit card account information, medical or health insurance information, or biometric data such as fingerprints; or
  2. an individual’s user name or email address plus a password or security question and answer to permit access to an online account.

For breaches described in item #1 above, the notification must include: (i) the toll-free numbers and addresses for consumer credit reporting agencies; (ii) the toll-free number, address, and website address for the Federal Trade Commission; and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.  For breaches described in item #2 above, the notification may be provided in electronic form prompting the user to change his or her user name, password, security question, or answer, and to take such steps for other online accounts for which the individual uses the same information.

In the event of a data breach for an Illinois resident, the data collector must notify the resident of the breach expediently and “without unreasonable delay.”  The notice may be provided in writing or, in some instances, electronically.  A combination of email, website posting, and media notification is also allowed if the breach is exceptionally large or if the data collector does not have sufficient contact information for the individuals to be notified.

Illinois state agencies (i.e. school districts) that suffer a data breach as defined in PIPA are also subject to additional notification requirements.  If more than 1,000 persons are affected, the agency must notify all consumer credit reporting agencies.  If more than 250 Illinois residents are affected, the agency must notify the Illinois Attorney General within 45 days of discovery or whenever the agency provides any notice to consumers, whichever is sooner.  Other notification and reporting requirements may also apply.

Earlier this year, the Illinois legislature adopted Senate Bill 1624, which was sent for the Governor’s signature on June 25, 2019.  This amendment would require that any data collector that must issue a notice under PIPA to more than 500 Illinois residents must also provide notice to the Attorney General.  Unless Gov. Pritzker vetoes SB1624 prior to August 24, 2019, this law will take effect on January 1, 2020.

Similarly, the Illinois legislature has adopted House Bill 3606, which was sent for the Governor’s signature on June 28, 2019.  This bill would significantly modify SOPPA to place a number of mandates on schools and school districts in Illinois regarding student data and privacy.  SOPPA applies to essentially all student information that a school might possess.  If HB3606 becomes law as written, it will require that an operator will have to notify a school within 30 calendar days after determining that a data breach has occurred.  The school will then, within 30 calendar days of receiving that notice, be required to provide notice to the parents of any affected student.  The notice to parents will have to include:

  1. the date of the breach;
  2. a description of the information that was compromised;
  3. contact information to inquire about the breach with the operator and school;
  4. the toll-free numbers, addresses, and websites for consumer credit reporting agencies;
  5. the toll-free number, address, and website for the Federal Trade Commission; and
  6. a statement that the parent may obtain information from the FTC and credit agencies about fraud alerts and security freezes.

Schools will also be required to post detailed information on their websites listing information about data breaches that occur after July 1, 2021.  Because of the numerous mandates that HB3606 would place on school districts in Illinois, it has faced greater scrutiny and could be subject to a veto or an amendatory veto and further revision before it becomes law.

Even if specific notifications under the law are not required, a school district would be prudent to inform the affected individuals of the nature and type of data that was breached.  Moreover, privacy and student records confidentiality are rapidly changing areas of the law.  The recent legislation around PIPA and SOPPA suggests that FERPA, COPPA, the School Code, or the School Student Records Act could similarly be amended as data breaches become more frequent.

Whitt Law attorneys James R. Dougherty and Brian R. Bare are available to discuss these and any other questions that you may have regarding the impact of data breaches upon your organization. The attorneys at Whitt Law regularly review Board Policies and school district practices and procedures, as well as service provider and technology contracts. Please contact James R. Dougherty, Brian R. Bare, or Brittany Flaherty Theis for assistance with such review.

PLEASE NOTE: This blog entry is current as of its publication on August 8, 2019. Whitt Law anticipates developments in the law in the coming weeks, which will be discussed on Whitt Law’s News & Knowledge Blog. Please contact Brian R. Bare for updates or sign up to receive News & Knowledge delivered via email.


This blog/website is made available for educational purposes only. It is not intended to provide specific legal advice to your individual circumstances or legal questions. You acknowledge that your reading of this blog site does not establish an attorney-client relationship between you and the blog/website host or the law firm, or any of the attorneys with whom the host is affiliated. This blog/website should not be used as a substitute for seeking competent legal advice from a licensed professional attorney in your state. Readers of this information should not act upon any information contained on this website without seeking professional counsel.