Higher Education, IT, and Public Policy (288238548)

7/26/2019 Higher Education, IT, and Public Policy (288238548)

http://slidepdf.com/reader/full/higher-education-it-and-public-policy-288238548 1/25



Higher Education, IT, and Public Policy

October 29, 2015

Jarret Cummings, Josh Ulman, Jennifer Ortega



Presenters

• Jarret Cummings, Director, Policy and

External Relations, EDUCAUSE

• Josh Ulman, Ulman Public Policy and FederalRelations (Policy Advisor to EDUCAUSE)

• Jennifer Ortega, Ulman Public Policy and

Federal Relations (Policy Advisor toEDUCAUSE)

2



Presentation Agenda

• Policy Advisory Committee

• TEACH Act AIM HEA

• Data Breach Notification and

Cybersecurity Information Sharing

• FERPA

• Network Neutrality

• EDUCAUSE in Action

3



Policy Advisory Committee

• Member perspective on federal issues

– Relevance to member interests

– Informed response

– Identification of new concerns

• Core areas

– Cybersecurity/Data Privacy

– E-Learning (includes IT Accessibility)

– Networking/Telecomm

– Copyright

4



Policy Advisory Committee

Learn more about the committee at:

http://www.educause.edu/about/mission-

and-organization/governance-and-leadership/member-committees/policy-

advisory-committee

5

http://www.educause.edu/about/mission-and-organization/governance-and-leadership/member-committees/policy-advisory-committee























TEACH Act “ AIM-HEA”

Background

• 2011: AIM Commission proposes dev. of postsec.

instructional materials, related techs. guidelines

• 2012: National Federation of the Blind and Association of American Publishers craft draft bill

• 2013: TEACH Act in House (Senate in 2014)

• 2014: Higher ed groups identify problems, join withNFB and AAP to develop a shared proposal

• 2015: Accessible Instructional Materials in Higher

Education Act (AIM-HEA) coming

6




Nature of the Process

• Met regularly starting in October 2014, with

frequent communication between meetings

• Confirmed shared outline in June, started

drafting bill in late July

• Currently working to finalize legislative proposal

• Anticipate integration of AIM-HEA into HigherEducation Act (HEA) reauthorization

7




The Legislation

• Establishes an independent commission,

supported by a panel of technical experts

• Commission charged with developing:

• Voluntary accessibility guidelines for postsecondary

instructional materials, related technologies

• Annotated list of general IT standards• Legal safe harbor for following guidelines, limited

safe harbor if document process only

8




The Commission

• Balanced stakeholder representation

• Review gen. standards, identify gaps, develop

guidelines to bridge the gaps (where possible)• 18-24 months to complete

• Super-majority (75%) required for guidelines, list

• Guidelines voluntary; existing law, regulationsunchanged

• “Electronic instructional materials” & “relatedtechnologies” tied to instructional program

9




Next Steps

• Reach shared draft, vet and finalize with other

stakeholders

• Identify sponsors and introduce bill in Congress

• Educate congressional staff as needed

• Integration with HEA reauthorization likely

– Would be considered within higher ed policy generally

– But timetable for reauthorization uncertain

– May require longer-term engagement with Congress

10



Data Breach Notification

• Broad support for fed. data breach notification

legislation creating one national standard

• Requires full preemption of state laws; Dems

oppose as weakening protection in some states• Major bills (one each, House and Senate)

– H.R. 1770, Data Security and Breach Notification Act

of 2015 (Blackburn/Welch)

– S. 961, Data Security Act of 2015 (Carper/Blunt)

• Either likely to cover higher ed (although S. 961

exempts state, local agencies)

11




H.R. 1770

• Federal DBN standards

• Strong preemption

• Likely covers all

institutions

• “Reasonable security

measures and practices”

• DBN if significant identity

theft, financial harm risk

• Civil penalties could be

into the millions

S. 961

• Federal DBN standards

• Strong preemption

• Private institutionscovered (some publics?)

• Lists specific standards

required for compliance

• DBN if risk of “substantial

harm” (financial, identity)

• Exemptions for HIPAA/

GLBA compliance12




Major concerns

• Federal Trade Commission (FTC) enforcement

likely under either bill

‒ Concerns about FTC’s lack of knowledge abouthigher ed, potentially applicable laws like FERPA

‒ Neither bill requires formal rulemaking; all

enforcement by FTC on case-by-case basis

• Senate provides long list of “recommended” steps

that institutions would have to take, while House bill

presents “pick your poison” situation

13




EDUCAUSE Outreach

• Met with House Energy & Commerce Committee,

bill sponsors about H.R. 1770 concerns

– Seeking confirmation that higher ed in scope

– Looking for way to inform FTC enforcement if so

• Met with Senate sponsors about S. 961 concerns

– Bill provides many exemptions to requirements,enforcement based on other laws (e.g., HIPAA, GLBA)

– Pursuing continued dialogue on whether higher ed

concerns might also be resolved this way

14




Current Status

• H.R. 1770 passed Energy & Commerce, but lost

Democratic co-sponsor in the process

• H.R. 1770 sponsors, committee staff still working tosecure bipartisan support

• Senate cmte. vote on S. 961 not yet scheduled

• If Senate passes bill, both chambers will need to

conference to find compromise

• Major barriers (e.g., House leadership crisis,

presidential politics) mean both unlikely to move

15



Cybersecurity Information Sharing

Act (CISA)• S. 745 (Burr/Blunt): Incentivizes sharing cyber-

threat indicators with other orgs., fed. government

• For institutions, more “real” sharing likely to help,

so CISA potentially beneficial

• Concerns about privacy

– Will personally identifiable info be sufficiently scrubbedbefore sharing?

– Can fed. agencies share info for non-cybersecurity

purposes (e.g., criminal investigations)?

16



• EDUCAUSE consulted REN-ISAC about bill’s

likely higher ed impact

• CISA unlikely to negatively affect REN-ISAC

or impose bureaucratic burdens on members

• But benefits depend on feds really sharing, too

• Senate passed the bill on Oct. 27

• Both chambers will now need to conference to

reach compromise legislation

Cybersecurity Information Sharing Act

(CISA)

17



Family Educational Rights and

Privacy Act (FERPA)H.R. 3157, Student Privacy Protection Act

(Rokita/Fudge): FERPA rewrite

• Adds cybersecurity, data breach standards

• Updates “education records” to cover student

information connected to classroom technology

• Prohibits schools or 3rd parties from using student

data to market goods or services• Clarifies parents’ right to review, correct, or limit use

of information about their child

• Sets data storage standards, limits access to records

18




Privacy Act (FERPA)Major concerns

• Confuses further rather than clarifies

• Cybersecurity and DBN standards don’t align

with other bills (H.R. 1770, S. 961)

• E.g., H.R. 3157 would only give a 3-day

window for notification• Other bills provide 25-30 days for notification,

depending on the notifying organization

19




Privacy Act (FERPA)

• Bill stalled, limited prospects for passage

(leadership retirements, limited Senate interest)

• Elementary and Secondary Education Act

(ESEA) bill may be vehicle to address FERPA

– Amendment to reauthorization bill from Sen. Hatch

may serve as the entry point

– Would create a commission to assess student data

privacy in light of existing laws and current practices

20




Privacy Act (FERPA)

• EDUCAUSE working to inform committee about

higher education cybersecurity/data breach

notification issues as it considers FERPA rewrite• Coordinating with ACE and others on possible

response should:

‒ The House’s FERPA rewrite (H.R. 3157) resurface

‒ The Senate’s ESEA bill become the way FERPA gets

addressed in the near term

21



Network Neutrality

• FCC rules address higher ed/library issues

(EDUCAUSE = core coalition member)

• No blocking, throttling, or paid prioritization

• Both mobile and fixed access covered

• General conduct standard based on our

“Internet reasonable” standard

• Private end-user networks unaffected

(campus networks cited)

22



EDUCAUSE Comments

• NIST SP 800-171 (Controlled Unclassified Info.):

Worked with HEISC to seek clarification of CUI

requirements, applicability of guidance given other

laws and regulations

• US Open Government National Action Plan: Joined

SPARC comments calling for federally funded

educational resources to be released as open

educational resources (OER)

• NTIA’s Multi-stakeholder Process to Boost

Cybersecurity: Worked with HEISC to urge NTIA to

tap HEISC as a primary resource on higher ed

cybersecurity priorities and concerns

23



Thank you!

Jarret Cummings

[email protected]

Josh Ulman

[email protected]

Jennifer Ortega [email protected]

24

mailto:[email protected]






Documents

Higher Education, IT, and Public Policy (288238548)