Higher Education, IT, and Public Policy (288238548)
Transcript of Higher Education, IT, and Public Policy (288238548)
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 1/25
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 2/25
Higher Education, IT, and Public Policy
October 29, 2015
Jarret Cummings, Josh Ulman, Jennifer Ortega
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 3/25
Presenters
• Jarret Cummings, Director, Policy and
External Relations, EDUCAUSE
• Josh Ulman, Ulman Public Policy and FederalRelations (Policy Advisor to EDUCAUSE)
• Jennifer Ortega, Ulman Public Policy and
Federal Relations (Policy Advisor toEDUCAUSE)
2
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 4/25
Presentation Agenda
• Policy Advisory Committee
• TEACH Act AIM HEA
• Data Breach Notification and
Cybersecurity Information Sharing
• FERPA
• Network Neutrality
• EDUCAUSE in Action
3
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 5/25
Policy Advisory Committee
• Member perspective on federal issues
– Relevance to member interests
– Informed response
– Identification of new concerns
• Core areas
– Cybersecurity/Data Privacy
– E-Learning (includes IT Accessibility)
– Networking/Telecomm
– Copyright
4
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 6/25
Policy Advisory Committee
Learn more about the committee at:
http://www.educause.edu/about/mission-
and-organization/governance-and-leadership/member-committees/policy-
advisory-committee
5
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 7/25
TEACH Act “ AIM-HEA”
Background
• 2011: AIM Commission proposes dev. of postsec.
instructional materials, related techs. guidelines
• 2012: National Federation of the Blind and Association of American Publishers craft draft bill
• 2013: TEACH Act in House (Senate in 2014)
• 2014: Higher ed groups identify problems, join withNFB and AAP to develop a shared proposal
• 2015: Accessible Instructional Materials in Higher
Education Act (AIM-HEA) coming
6
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 8/25
TEACH Act “ AIM-HEA”
Nature of the Process
• Met regularly starting in October 2014, with
frequent communication between meetings
• Confirmed shared outline in June, started
drafting bill in late July
• Currently working to finalize legislative proposal
• Anticipate integration of AIM-HEA into HigherEducation Act (HEA) reauthorization
7
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 9/25
TEACH Act “ AIM-HEA”
The Legislation
• Establishes an independent commission,
supported by a panel of technical experts
• Commission charged with developing:
• Voluntary accessibility guidelines for postsecondary
instructional materials, related technologies
• Annotated list of general IT standards• Legal safe harbor for following guidelines, limited
safe harbor if document process only
8
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 10/25
TEACH Act “ AIM-HEA”
The Commission
• Balanced stakeholder representation
• Review gen. standards, identify gaps, develop
guidelines to bridge the gaps (where possible)• 18-24 months to complete
• Super-majority (75%) required for guidelines, list
• Guidelines voluntary; existing law, regulationsunchanged
• “Electronic instructional materials” & “relatedtechnologies” tied to instructional program
9
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 11/25
TEACH Act “ AIM-HEA”
Next Steps
• Reach shared draft, vet and finalize with other
stakeholders
• Identify sponsors and introduce bill in Congress
• Educate congressional staff as needed
• Integration with HEA reauthorization likely
– Would be considered within higher ed policy generally
– But timetable for reauthorization uncertain
– May require longer-term engagement with Congress
10
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 12/25
Data Breach Notification
• Broad support for fed. data breach notification
legislation creating one national standard
• Requires full preemption of state laws; Dems
oppose as weakening protection in some states• Major bills (one each, House and Senate)
– H.R. 1770, Data Security and Breach Notification Act
of 2015 (Blackburn/Welch)
– S. 961, Data Security Act of 2015 (Carper/Blunt)
• Either likely to cover higher ed (although S. 961
exempts state, local agencies)
11
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 13/25
Data Breach Notification
H.R. 1770
• Federal DBN standards
• Strong preemption
• Likely covers all
institutions
• “Reasonable security
measures and practices”
• DBN if significant identity
theft, financial harm risk
• Civil penalties could be
into the millions
S. 961
• Federal DBN standards
• Strong preemption
• Private institutionscovered (some publics?)
• Lists specific standards
required for compliance
• DBN if risk of “substantial
harm” (financial, identity)
• Exemptions for HIPAA/
GLBA compliance12
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 14/25
Data Breach Notification
Major concerns
• Federal Trade Commission (FTC) enforcement
likely under either bill
‒ Concerns about FTC’s lack of knowledge abouthigher ed, potentially applicable laws like FERPA
‒ Neither bill requires formal rulemaking; all
enforcement by FTC on case-by-case basis
• Senate provides long list of “recommended” steps
that institutions would have to take, while House bill
presents “pick your poison” situation
13
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 15/25
Data Breach Notification
EDUCAUSE Outreach
• Met with House Energy & Commerce Committee,
bill sponsors about H.R. 1770 concerns
– Seeking confirmation that higher ed in scope
– Looking for way to inform FTC enforcement if so
• Met with Senate sponsors about S. 961 concerns
– Bill provides many exemptions to requirements,enforcement based on other laws (e.g., HIPAA, GLBA)
– Pursuing continued dialogue on whether higher ed
concerns might also be resolved this way
14
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 16/25
Data Breach Notification
Current Status
• H.R. 1770 passed Energy & Commerce, but lost
Democratic co-sponsor in the process
• H.R. 1770 sponsors, committee staff still working tosecure bipartisan support
• Senate cmte. vote on S. 961 not yet scheduled
• If Senate passes bill, both chambers will need to
conference to find compromise
• Major barriers (e.g., House leadership crisis,
presidential politics) mean both unlikely to move
15
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 17/25
Cybersecurity Information Sharing
Act (CISA)• S. 745 (Burr/Blunt): Incentivizes sharing cyber-
threat indicators with other orgs., fed. government
• For institutions, more “real” sharing likely to help,
so CISA potentially beneficial
• Concerns about privacy
– Will personally identifiable info be sufficiently scrubbedbefore sharing?
– Can fed. agencies share info for non-cybersecurity
purposes (e.g., criminal investigations)?
16
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 18/25
• EDUCAUSE consulted REN-ISAC about bill’s
likely higher ed impact
• CISA unlikely to negatively affect REN-ISAC
or impose bureaucratic burdens on members
• But benefits depend on feds really sharing, too
• Senate passed the bill on Oct. 27
• Both chambers will now need to conference to
reach compromise legislation
Cybersecurity Information Sharing Act
(CISA)
17
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 19/25
Family Educational Rights and
Privacy Act (FERPA)H.R. 3157, Student Privacy Protection Act
(Rokita/Fudge): FERPA rewrite
• Adds cybersecurity, data breach standards
• Updates “education records” to cover student
information connected to classroom technology
• Prohibits schools or 3rd parties from using student
data to market goods or services• Clarifies parents’ right to review, correct, or limit use
of information about their child
• Sets data storage standards, limits access to records
18
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 20/25
Family Educational Rights and
Privacy Act (FERPA)Major concerns
• Confuses further rather than clarifies
• Cybersecurity and DBN standards don’t align
with other bills (H.R. 1770, S. 961)
• E.g., H.R. 3157 would only give a 3-day
window for notification• Other bills provide 25-30 days for notification,
depending on the notifying organization
19
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 21/25
Family Educational Rights and
Privacy Act (FERPA)
• Bill stalled, limited prospects for passage
(leadership retirements, limited Senate interest)
• Elementary and Secondary Education Act
(ESEA) bill may be vehicle to address FERPA
– Amendment to reauthorization bill from Sen. Hatch
may serve as the entry point
– Would create a commission to assess student data
privacy in light of existing laws and current practices
20
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 22/25
Family Educational Rights and
Privacy Act (FERPA)
• EDUCAUSE working to inform committee about
higher education cybersecurity/data breach
notification issues as it considers FERPA rewrite• Coordinating with ACE and others on possible
response should:
‒ The House’s FERPA rewrite (H.R. 3157) resurface
‒ The Senate’s ESEA bill become the way FERPA gets
addressed in the near term
21
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 23/25
Network Neutrality
• FCC rules address higher ed/library issues
(EDUCAUSE = core coalition member)
• No blocking, throttling, or paid prioritization
• Both mobile and fixed access covered
• General conduct standard based on our
“Internet reasonable” standard
• Private end-user networks unaffected
(campus networks cited)
22
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 24/25
EDUCAUSE Comments
• NIST SP 800-171 (Controlled Unclassified Info.):
Worked with HEISC to seek clarification of CUI
requirements, applicability of guidance given other
laws and regulations
• US Open Government National Action Plan: Joined
SPARC comments calling for federally funded
educational resources to be released as open
educational resources (OER)
• NTIA’s Multi-stakeholder Process to Boost
Cybersecurity: Worked with HEISC to urge NTIA to
tap HEISC as a primary resource on higher ed
cybersecurity priorities and concerns
23
7/26/2019 Higher Education, IT, and Public Policy (288238548)
http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 25/25
Thank you!
Jarret Cummings
Josh Ulman
Jennifer Ortega [email protected]
24