Learning Without Tears’ Data Breach Response Policy
Effective Date: December 1, 2020
At Learning Without Tears (“Learning Without Tears”, “We” or “Us”), we take the legal responsibility to protect the privacy of education data seriously. This data includes personally identifiable information (PII) of students using our products and services. The legal framework of data protections outlined in Family Education Rights and Privacy Act (FERPA) includes protecting the confidentiality of education records by requiring districts, and therefore educational technology vendors contracting to provide services to said Districts, to record any and each incident of data disclosure in accordance with 34 CFR 99.32 (a)(1). A breach of student data maintained electronically by Learning Without Tears would be considered such a "disclosure" that must be recorded, contained, and resolved. In addition, under applicable state law, direct notification to Districts and/or parents and/or affected students may be warranted depending on the type of data compromised, such as any student identifying information that could lead to identity theft and related breaches of student privacy.
In the event of a data breach, this Data Breach Response Policy describes our practices and policies to prevent data breaches and to guide our post-breach response and notification protocols.
Click on the links below to jump to each section.
- Data Breach Prevention
- Data Breach Response
- Data Breach Notification
- How to Contact Us
- Changes to This Policy
1. Data Breach Prevention
[Basically, we take precautionary measures to prevent data breaches.]
Learning Without Tears’ Incident Response Team in close coordination with our Technology Team handles all protocols and procedures related to the prevention, response, and notification of data breaches. In particular, to carry out these responsibilities, the Incident Response Team has established roles, specified access credentials, and determined chains of command to coordinate the flow of information with relevant parties in the event of a breach.
Review of Information Systems and Data
The Incident Response Team’s review of information systems and data to identify and monitor where PII is stored and used may involve the following:
- We document what PII and other sensitive information is maintained in our data warehouse and how it is kept secure;
- We conduct regular risk assessments and evaluate privacy threats;
- We review and regulate Learning Without Tears’ staff approved for access to PII and/or other sensitive information and check user activity status to determine which accounts should be deactivated after a time period of usage or inactivity determined by the applicable license associated with a particular user;
- We review separation of duties to help ensure integrity of security checks and balances;
- We implement mitigation controls designed to prevent and detect unauthorized access, theft, or misuse of PII and/or other sensitive data;
- We implement security controls, such as encryption of sensitive data in motion and at rest (where feasible); and
- We regularly review and update of data destruction policies to minimize risk of data breaches directly or indirectly attributable to unauthorized data access.
Monitoring Sensitive Data Leakage and Loss
Our Technology Team and Incident Response Team actively monitor PII and other sensitive data leakage and loss through the following non-exclusive list of procedures:
- We employ automated tools, such as intrusion detection and prevention systems, next generation firewalls, and anti-virus and anti-malware tools, to monitor and alert about suspicious or anomalous activity;
- We use data loss prevention solutions to track the movement and use of information within our technology infrastructure, to detect and prevent the unintentional disclosure of PII and/or other sensitive data, for both data at rest and data in motion;
- We conduct regular searches of the information system and physical storage areas to identify PII that may be outside of approved areas;
- We periodically test and check privacy and information security controls (i.e., through the use of "real-life" exercises) to validate their effectiveness as part of a risk management program.
Privacy and Security Awareness Education
Learning Without Tears’ periodically conducts privacy and security awareness training on a recurring basis to staff that is routinely involved in data-related activities associated with customer onboarding and license administration. This includes the clear definition of and provision of easy access to Learning Without Tears’ internal processes for reporting, addressing, and resolving any privacy incidents that may arise in the ordinary course of business.
2. Data Breach Response
[Basically, we respond to data breaches immediately and will take immediate action to contain and cure a data breach.]
In the event that information from student education records may have been compromised or inadvertently disclosed, our Incident Response Team will take one or more of the following steps suggested by the U.S. Department of Education, as deemed necessary under the particular circumstances. The following list is not intended to be sequential or exclusive:
- We validate or confirm the data breach and determine exactly what information was compromised (i.e., names, login id, passwords, etc.), and whether the compromised information constitutes PII.
- We activate our Incident Response Team to coordinate all aspects of the breach response and assign an Incident Manager.
- We take steps immediately to determine status of the breach (on-going, active, or post breach), method of disclosure (internal/external disclosure, malicious attack, or accidental), affected devices, and prevent any further disclosures.
- We identify all affected records and students. Locate, obtain, and preserve for examination all written and electronic logs and records applicable to the breach.
- We determine how the incident occurred, including identification of what systems in our technology infrastructure and data governance processes were compromised. We further assess whether the incident occurred because of a lack of monitoring and oversight.
- We determine the scope of the breach, including: notification of law enforcement if criminal activity is suspected, conduct interviews with key personnel and document facts, preserve evidence when possible for later forensic examination, and locate and preserve all written and electronic logs applicable to the breach of examination.
- We determine whether our policies and procedures were breached, including organizational requirements governing access (user names, passwords, PINs, etc.); storage; transmission; and destruction of information from education records.
- We conduct a risk assessment and identify appropriate physical, technological, and administrative measures to prevent similar incidents in the future.
- We consult with our Legal Department to ensure compliance with any applicable federal, state and/or local laws or regulations related to data breaches, reporting or notification requirements.
- We report the incident to law enforcement authorities if criminal activity is suspected. If law enforcement is involved, we cooperate in the coordination of investigations and evidence collection to avoid compromising outcomes.
3. Data Breach Notification
[Basically, you are the data owner. We will notify you or your District in the event of a serious data breach.]
In the event of a student data breach, if Learning Without Tears’ Legal Department may determine that the compromised data includes student identifying information, in the form of individual data fields or a combination of data fields, that could lead to identity theft. In such a case, Learning Without Tears may directly notify the data owners, including the District and/or affected students and/or their parents of the breach and notify students and their parents that the U.S. Education Department's Office of Inspector General maintains a website describing steps students may take if they suspect they are a victim of identity theft at: http://www.ed.gov/about/offices/list/oig/misused/idtheft.html and http://www.ed.gov/about/offices/list/oig/misused/victim.html.
Learning Without Tears shall foster a cooperative relationship between the data owners and the Incident Response Team during the notification process. We will also work collaboratively with data owners to secure sensitive data and develop mutually-agreeable mitigation strategies as well as forward-looking strategies to prevent future occurrences.
Learning Without Tears shall maintain a record of each incident of data disclosure in accordance with 34 CFR 99.32 (a)(1). Our Incident Response Team may consider notifying the Family Policy Compliance Office (FPCO) about the breach. The FPCO can assist educational technology vendors and/or School Districts by helping to determine the potential for harm from the release of the information. The Incident Response Team may also consider seeking technical assistance from the Privacy Technical Assistance Center (PTAC) for support with security and breach prevention.
4. How to Contact Us
If you have any questions about this Policy, please contact us at firstname.lastname@example.org
5. Changes to This Policy
Learning Without Tears may modify or update this Policy from time to time, so you should review this page periodically. If we change this Policy in any material manner, we will provide sufficient notice to you or your organization so that you have sufficient time to evaluate our change in practices.