Securing Independent Schools with Cybersecurity and Legal Imperatives
The conversation revolved around the growing importance of cybersecurity in the legal profession and the need for specialized knowledge in this area. Speakers emphasized the importance of engaging with attorneys early on during cybersecurity incidents to maintain the attorney-client privilege and leverage the cybersecurity team's experience. They also discussed the integration of AI in education, with concerns about the black box of AI and ownership issues. Finally, speakers discussed the importance of evaluating online services' privacy policies and contracts, and the ethical and legal considerations surrounding educational technology.
Transcript
Narrator 00:02
Welcome to Talking Technology with ATLIS, the show that plugs you into the important topics and trends for technology leaders all through a unique Independent School lens. We'll hear stories from technology directors and other special guests from the Independent School community and provide you with focused learning and deep dive topics. And now please welcome your host, Christina Lewellen.
Christina Lewellen 00:25
Hello everyone and welcome back to Talking Technology with ATLIS. I'm Christina Lewellen, the executive director of the Association of Technology Leaders in Independent Schools.
Bill Stites 00:34
And I'm Bill Stites, Director of Technology at Montclair Kimberley Academy in Montclair, New Jersey.
Christina Lewellen 00:39
Hey, Bill, how are you today?
Bill Stites 00:41
Oh, I'm just jim-dandy.
Christina Lewellen 00:43
That's great to hear. We're missing our co-host. Today he is off solving the world's problems. So it's just you and me; together, we're having our podcast recording without Hiram. So hi, Hiram, we miss you. And see you next time.
Bill Stites 00:55
We do indeed,
Christina Lewellen 00:56
I wanted to ask you about a theory that I have. Today on our podcast, we're welcoming a lawyer. And we're going to talk, in a very positive and proactive way, about ways to avoid risks and avoid stepping in potholes. But I have this theory about lawyers. I believe that people who tend to gravitate towards legal professions are problem solvers. They're the kids that solve puzzles, and are good at logic, probability. I love legal stuff. And I've always had it in my head that if I had picked a different career, I probably would have been a lawyer. And something tells me that you might have had those thoughts, too. Did you ever consider going into the legal profession?
Bill Stites 01:35
No, really? No, I did not. No, surprisingly, the other thing that I was considering, outside of my stint as a fine arts major, was actually cooking. I wanted to cook. Oh, I mean,
Christina Lewellen 01:49
that's very Italian of you.
Bill Stites 01:51
As I read through all of the legalese and the documentation that we now have to do, which is part and parcel of our day-to-day work, I look at that, and I just thank God I didn’t go into law, because I can't parse it. But that is why I, in the past, have teamed up with our guest to do some presentations on these very topics, because I just don't understand it. And you get to ask those questions. And it's like, the title of our presentation was “I'm not a lawyer, but I brought one with me”, because we get asked all these questions. We have all these things that come up related to the work that we're doing now. I mean, I thought it was a lot when I got to know Adam to begin our relationship. And now it's just kind of grown in ways which I couldn't even have imagined when we first started talking together. So no lawyer for me.
Christina Lewellen 02:46
It definitely gets more and more complicated, I'm sure, as time goes on. You know, I'm married to an almost-lawyer. So my darling husband, Richard, went to Harvard Law School, and then never took the bar and never became a lawyer. He came in the 99th percentile the year he took the LSAT, and part of me is like, if I ever retire early, I want to take the LSAT, just to see if I can beat him. And I know that that's very messed up. But that's the kind of competition I bring to the table.
Bill Stites 03:15
Very competitive. You are, yes, indeed.
Christina Lewellen 03:18
Well, with that, let's welcome to our podcast Adam Griffin. Thank you so much for joining us. As you heard us bantering back and forth, one of us wishes she could be a lawyer, and the other one won't touch it with a 10-foot pole. So tell us a little bit about yourself, Adam. And was being a lawyer and going into the legal profession always your path?
Adam Griffin 03:38
Definitely not. I actually graduated from an independent school and started in high school, when I was legally old enough to do so, working in the IT department there. And to date myself slightly, we were re-imaging Windows 2000 desktops. Chromebooks did not exist; that word did not exist. We were just before the days of one-to-one, and the proliferation of technology we've seen today. So I did that in high school, got a degree in Management Information Systems and planned to work in technology. And for better or worse, I made the decision to take the LSAT and did well enough and decided to give law school a try. I've been practicing about 14 years now. And I'm really fortunate to do something I really enjoy. My practice really heavily involves technology. So some days it feels as much technology as law. And that's what I prefer to do. So I try really hard to not just be a lawyer who understands the basics of technology, but really go deeper than that. I really like to get into the weeds on the technical parts in my practice, and that's just increasingly important. A lot of the work that we do is assisting clients who have had major cybersecurity incidents, and so there's no real way to handle this well unless you understand the technical issues also.
Christina Lewellen 05:00
You gave yourself away as soon as we got on this platform to begin recording the podcast; we were commenting on how many monitors you have. So please share with our audience your monitor philosophy: three monitors. Okay, explain why that's the perfect number.
Adam Griffin 05:15
Three monitors is the optimal number. I have tried more, and I have tried less. All other answers are wrong. Three is the right answer. So one turned longways for reading documents, a primary in the middle and one on the right, so that I can always keep my email open. Except for when I'm recording podcasts. I did close it for you guys today.
Christina Lewellen 05:32
Oh, perfect. We feel special. Exactly. You heard it here. Three monitors is the only right answer. Thank you very much. Before we kind of dive into some of the cybersecurity risks and issues that you're seeing, as you mentioned, tell us a little bit about your practice. Who do you work for and who are your clients?
Adam Griffin 05:50
Sure. So I work for a law firm called Polsinelli. I'm fortunate to be one of a very significant team who works in cybersecurity and privacy. There's a lot of work to be done in this area. And we have a really large team who does it. So around 65 lawyers who work in this every day; that's going to range everything from lawyers who are primarily doing contract negotiation and review work to people who are doing more regulatory compliance work, people doing work associated with mergers and acquisitions. And then my focus, and there's a large group who does this, is cybersecurity incidents. So we are assisting clients who have had cybersecurity incidents respond to and recover from those incidents. And there's a lot of different work streams that go into that, but ultimately, to help recover, respond and then handle any regulatory obligations that come out of those incidents. So importantly, we try to take what we learned from the incident response practice, and use that to inform the other work that we do, the proactive cybersecurity work and the other work that we do, because ultimately, one of our primary goals is to help our clients who have had incidents not be repeat clients and help clients that have come to us for proactive advice not have to call us on the incident response. What we do is reduce risk. Unfortunately, as everyone knows, you can't eliminate cybersecurity risk. But there's definitely things you can do to reduce that, and I always hope to reduce the odds that someone has to call me on the incident response front.
Bill Stites 07:18
So on that topic, the idea of engaging with attorneys when you have a cyber incident, when you have these types of issues, for those that believe that they're dealing with a breach or some sort of event that's impacting their school, at what point in that process, when you think about the runbook, the things that you need to do in order to first mitigate the breach and then engage to figure out okay, what exactly has been breached, so on and so forth, all of those pieces that you're alluding to, at what point in the process should schools or institutions then begin to engage with their legal team around that issue? I mean, is it you know, are they one of the first calls that you're making? Or is that one that you make a little further downstream? When you understand where those issues then come up? Where's the line, as you see it in terms of that level of engagement?
Adam Griffin 08:16
I would much prefer early and often, right? I would rather someone call me and say, Hey, we have this situation going on. We think it's under control. And you know, we'll let you know if we need real help later. If it's gonna be a large incident, we may push and say, Hey, we should go ahead and get involved. But there's a couple of reasons to involve a cybersecurity attorney. One is for the attorney-client privilege. So you want the privilege to apply to that investigation. If you go off and retain vendors and start to do work on that part of the investigation, then it's going to be more difficult to claim later that that is subject to attorney-client privilege. And then two, we just have seen a lot; we have a lot of experience with different threat actor groups, different incident types. And so we can often offer advice and thoughts that people may not have thought of themselves, because we've already seen this, given the size of our team and the sheer volume of incidents we're handling. Of course, there are permutations and variations, but we don't see a whole lot that's just completely net new. And so we can often offer some good insights on initial containment, those types of steps. Another reason too: if you have cyber insurance, you definitely want to make sure that you're notifying your insurance as required under that policy. Some of those carriers are going to assign counsel for you, or you may have counsel that you want to use, that you have pre-approved with that insurance carrier, but all of that is going to usually be done in the beginning of the incident. So there's somewhat of a notion that, well, the lawyers just come at the end and tell us who we need to notify under the various laws and regulations. That's not the case. Our role is a lot more broad than that, including retaining the vendors. So forensic vendors, those types of vendors, we generally retain those on behalf of our clients, again for privilege purposes.
So because of all that, earlier is definitely better than later.
Christina Lewellen 09:59
Do you have a sense of how many schools, roughly, percentage-wise, have cybersecurity insurance? Because sometimes when I speak and I mention cyber insurance, I see some deer in the headlights from my audience. So do you have a ballpark on schools that have it versus schools that don't understand they need it and don't have it?
Adam Griffin 10:18
It definitely seems to be more common now than when I started doing this work. So when I speak at conferences, including the ATLIS conference, and otherwise, I like to poll the room and say, you know, raise your hand: who has cyber insurance? Who doesn't? Who doesn't know what I'm talking about? Right? I would say these days, the "I don't know what you're talking about," there's not really any hands going up there. I'm seeing the majority of the schools do have some form of cyber insurance in place. Now, whether it is a lot of coverage or not, what carrier, how much coverage, what's covered, all that is going to vary tremendously. So cyber insurance is a unique product in the insurance market. There's a lot of variance between carriers and forms. So it's important to know what specific coverages you have. But I would say we're seeing, anecdotally, I'm seeing over 90% of schools and institutions have some sort of cyber insurance. Now, would I like some of them to have more? Sure, but it's definitely good to see. If you'd asked me that question maybe four years ago, that percentage would have been much, much lower than that. So, a positive development.
Christina Lewellen 11:23
That's great progress.
Adam Griffin 11:25
I think as premiums have become a little bit more manageable, we've seen in the last 12 months or so. And so if people don't have cyber insurance, I've told anyone who will listen screaming from the mountaintops, if you don't have it, now's a great time to go look for it and shop around.
Bill Stites 11:38
It's interesting you say that it's been about a four-year window, because one of the things, I think, is pretty, fairly well known, in air quotes there, is that in the past four years, the number of incidents impacting schools, particularly since COVID, have really increased. So the idea that it's a school, you know, it's not an area that these threat actors are going to be targeting, is definitely now more of a myth than it may have once been. But with that, you know, we've gone through our own cyber audits, we have insurance, you know, we're one of the 90%, thankfully. But one of the things that I've seen and I've talked to other people about is really the level of what I call complexity to the insurance policies for schools; they have gotten much more complicated. And I think a lot of the things that we've seen is that the things that they're asking schools to do are generally things that they are asking businesses to do, that don't necessarily have that school focus on them because of just the nature of the way in which the different types of organizations operate. So with that being said, I mean, it falls on people like myself, or the attorneys that we're working with, to make heads or tails of what those contracts are actually saying. Have you come across any schools that have had insurance, then had an incident, but were denied because they did not meet those steps that are outlined? Like one of the basic ones is like, do you have MFA? Do you do phishing? You know, they say they've done it, or they check the box just to complete the form, but they're not actually doing it. Have you seen any issues where insurance companies have denied claims from schools? And if so, on what types of grounds?
Adam Griffin 13:32
Yeah, so I have not seen it specifically for a school. It has happened by insurance carriers with other entity types. And so it is something that happens. I have not personally seen it specifically with a school, which is a positive, but it's something that's possible and out there. And typically, it's going to be if you make what the insurance company considers to be a material misrepresentation in your application. So if you say we have MFA everywhere, and you don't have MFA anywhere, and they find that out, and you have an incident, and in the course of an investigation the insurance carrier determines you misrepresented something on that application, what we've seen them do is come after the fact and actually sue the policyholder, file a lawsuit against their own insured, in an effort to void that policy and say, we are coming after the fact; this policy should be voided because you essentially lied on your application. So the applications are really important. Completing the application accurately and completely is critical. We've seen issues specifically with MFA in the school context. So a lot of the applications may ask, do you have MFA, and there are checkboxes, yes or no. There's no room to explain there. And schools have challenges with MFA, specifically with students, right. Implementing MFA for students is very challenging. I'm not aware of any school that has MFA for all students K through 12. It just doesn't happen. So on that application, if the question is, do you have MFA on all systems, yes or no, you may have to check No, because we have this population of student users who doesn't have MFA. However, if you can explain to that insurance carrier, we have it on all teacher, staff, employee accounts; we don't have it on the student accounts, but they're on their separate network, separate VLAN, most of the carriers are going to accept that. So how you communicate that to the carrier is important.
When you're faced with a yes/no checkbox, and you need to provide more information, our advice is generally to type it up in a Word document. Just write in a Word document, we checked no for this question, but here's the explanation, and provide that additional information to the insurance carriers in the application process. The absolute worst case is they ignore it. And that typically doesn't happen; they will typically look at what you said and take that into consideration.
Bill Stites 15:48
Yeah, and that's often the line there for me. It's like, you know, you go through this. And whenever we do any of these things, like we're looking at, where are the critical resources, the critical information, the stuff that is either PII-related or simply confidential information, and we're looking to safeguard those areas and those people that are working on them, which, as you've alluded to, are generally the employees of the school; they're not the students, because MFA, particularly with younger students, it's too much of a sticky wicket in terms of just all the things that you would have to do in order to make that work. Where's the line drawn there, so on and so forth? So it's good to hear that. And the idea of writing that little addendum piece that you do, I didn't even consider that. And that's great, because that allows you to articulate what you mean. And it allows, at least down the line, to show that you did the due diligence, to not only answer the questions truthfully and honestly, but to provide clarification where one of those answers may have fallen into the gray area that you were just describing. So thank you for that.
Christina Lewellen 16:54
Adam, what are some of the calls that you've been getting lately? Or emails or outreach? What are some of the legal issues that schools are wrestling with lately? Or maybe they're evergreen? I don't know. But what are some of the things that you're dealing with at the moment?
Adam Griffin 17:09
So a couple of things on the incident response side: it's been ransomware. It's been a lot of ransomware. And specifically in the ransomware space and the data breach space, we've seen in the last several months a pretty significant uptick in threat actors accessing systems through unpatched devices that are Internet-facing. So I'm talking about firewalls, VPN appliances. We still see some via phishing, email, drive-by attack, etc. But really a large number of incidents where a threat actor gets into an environment because something was not patched. So I tell anybody who will listen, patch, patch, patch. If you have firewalls, VPN appliances, anything Internet-facing, make sure you're running the latest and greatest version. Don't wait, don't say, Oh, we're a couple versions behind, it's on the list to get to it. Patch it today. Pause the podcast, go patch it right now. Right, I would prefer to see a client break something than to have to call me because a threat actor got in and caused a catastrophic incident. We've also seen the FBI take an active role with the threat actor groups or ransomware-as-a-service groups; they're making strides to try to shut those down. There was some news about them disrupting LockBit. But what we've seen as a practical matter is it's really just a game of Whack-a-Mole: you knock one down, another one pops up. LockBit was unfortunately back up and running within days. And so it's really difficult. Law enforcement is trying, but I think it's really difficult. And then we continue to see smaller startup threat actor groups. You have kind of these larger, more established groups like LockBit, which are charging really significant ransoms. And then you have some smaller startup groups that charge cheaper ransoms. All those ransoms are negotiable with all those groups, and we retain professional negotiators. Some of those groups have rules. Sometimes discounts are harder to come by.
You know, we always ask for the educational discount for our school clients and say, we don't have a lot of money, and try to get those as low as we can. But it depends on the threat actor group as to how low we can get those. We've also seen a proliferation of vendor incidents. So you all want to do everything you can to secure your systems and devices and data networks. But as everything moves to the cloud, we're outsourcing more things. And I think that makes sense from a practical standpoint, but that means more vendors who have your school's data, and we only have some degree of control over that, right; we can get them to contractually agree to do certain things. But at the end of the day, we can't really force the vendors to do things. And so we've seen a number of vendor incidents, and then when those happen, they can impact significant numbers of schools, as well as other threats as well. But those are the primary things on the incident response side.
Bill Stites 19:44
When you talk about the vendors, you know, I can remember about a year ago there was, with one of the major SISes out there, there was an issue with a breach. Christina mentioned it, you know, one of the evergreen topics that I always think of: just contracts, looking at contracts, trying to figure out contracts back in the day. And the reason I'm lamenting that Hiram isn't here is it was contracts and COPPA that kind of brought us together. And I know, you know, you and I have talked about this and presented on this in terms of how these things work. But when you're looking at contracts, and this is where I think I mentioned earlier I've seen the exponential growth, mostly because of the way in which so many of these services are going to the cloud, we're not dealing with applications the way in which we traditionally are used to using them, where you install it, and it's a base contract, and it's fairly simple. Now that everything has gone cloud-based, this is where, again, those contracts have exploded. What are some of the things, if I'm sitting down and thinking about engaging with a software-as-a-service, a web-hosted, cloud-based system, what are some of the things that I should be looking at or looking for when I'm reading through the contract? Like what are the three or four things that everyone needs to be mindful of, above all else, when looking at those contracts?
Adam Griffin 21:05
So one of the first things I'm going to look at is what that contract says in relation to cybersecurity. So again, you as a school are doing things to secure your data; are you then sending that data outside to a vendor who's not even doing as much as you are? Right? So what does the contract say about what they're doing for cybersecurity? And then do those obligations follow the data? So if that contractor is using subcontractors to perform certain services, do they have to do those things as well? These obligations should follow the data, not necessarily just the vendor. So, you know, there could be subs and subs of subs. Right now, most vendors, they're not hosting the data that you send them in some on-prem data center in the year 2024. Right? It's in some cloud-based storage system. It's AWS or Azure, somewhere like that. Hopefully, it's in one of those, but not always. So we need to know where it is and who has access to it and what's being done with it. Also, I just like to make sure that the contracts cover the what-ifs. What if there's a cybersecurity incident? Who's responsible for notice? The default under the law is that that vendor just has to tell you, the school, this happened, here's what happened, and here are your constituents who are impacted. Unless you change that legal default, they don't have to incur the costs of mailing legally required notifications or doing those things. So especially if it's a vendor you're paying a lot of money, I like to change those defaults. We also like to account for the what-ifs: What if we cancel? What if the relationship ends? What if the contract expires? Whose data is it? And do we get it back? Do we have to pay to get our own data back? So accounting for those what-ifs in the contract is really important. And it's important to keep in mind, when we're talking about vendor agreements, most of those are going to, if not all of those are going to, have what's called a merger clause.
And I'm gonna try not to get too far down my lawyer path here. But the merger clause essentially says, this document governs the relationship. So anything that a salesperson or someone else told you extraneously, it doesn't count; it's not part of the agreement. The four corners, what's in that document, is what counts. So it's just critically important to not only rely on what vendors tell you, but to read and understand what they're legally obligated to do in that agreement.
Christina Lewellen 23:18
What about the rush of AI? Can we go there for a second? Because obviously, that opens up a lot of doors and issues when it comes to data privacy. So can you kind of talk to us a little bit about what you're seeing ever since ChatGPT sort of burst onto the scene? But now I think there's a lot more tools and resources being used in the classroom. Does that give you concern? You know, high level?
Adam Griffin 23:42
I think that these tools and these services, we can't ignore them; they're important to be aware of and important to know about. And I don't think that we can pretend that they're the same as any other vendor or service. However, I think it's important to remember that the AI companies are doing this; they are in a lot of ways vendors. And so they have contracts and Terms of Use, too. It's important to not ignore the fact that they have terms. And there may be an agreement associated with that as well; just because they don't present you a PDF in an email that you have to review and sign and send back does not make it any less a contract. There are terms applicable to ChatGPT. Also, we've seen that, like the technology itself, like the use cases, those terms have changed over the last several years as well. So OpenAI specifically has changed the ChatGPT terms a number of times, including around the minimum age to use it, and that applies directly to schools and students. So I looked just this morning, and right now it says you must be at least 13 years old or the minimum age required in your country to consent to use the services. If you're under 18, you have to have your parent or legal guardian's permission. So I think there are provisions in those terms that a lot of people are not aware of. It's important to review that; it's just like any other contract. On the other side, as a practice, no matter how we use these tools, I think that we're all figuring this out and learning together to some degree. I don't know that there's a lot of clearly right and wrong answers on how and where it's appropriate to use the technology. I think that the key from a school administration standpoint is to give clear guidance to the students and to the teachers as to what is appropriate use of this technology. So that's where we've seen issues, is where there's no guidance, right? The head-in-the-sand approach is not a good one.
If you give no guidance, and then a student uses it to assist in writing an essay, it's challenging, letting go that soon. And so, you shouldn't have done this. They'll say, Well, you didn't tell me not to do this. And there's also, I think, a key difference from the teacher standpoint of teaching the tool, or using the tool to teach. So is the teacher using the tool to develop the curriculum? Or is the curriculum augmented by the tool? Or is it a class that specifically says this is how you can use these tools? So again, I don't think we can ignore them. I think this technology is here to stay. But clarity and direction internally is the key to making sure that those expectations on use are met.
Christina Lewellen 26:09
It's interesting, because I think that what you're talking about is where a lot of people fall right now: they're trying to provide guidance, but not quite sure what the role of the tool is. But then it's also been baked into tools that we trust; when you're writing an email and the sentence is finished for you, that is AI that has learned, of course, how you write emails. And so it's already baked into a lot of these tools. So there's some concern, I think, about, like, the black box of AI: if we're putting information into the system, where does it go? Who has it? Who owns it? And I know that this isn't necessarily your specific area of practice. But there's a lot of copyright and ownership issues that I think schools are wrestling with there too. As schools are wrestling in the turn to guidance for you, I'm curious, do you use AI in your practice? Seems like you're kind of a tech-forward person. So are you using AI to shape the work that you're doing as a lawyer?
Adam Griffin 27:03
So far, all the news stories about lawyers using AI have not been very good stories. What we've seen in the news is lawyers using AI for research and to generate case law that they use in legal briefs that they file. There are multiple instances, some high profile, where ChatGPT essentially invented cases that do not exist. Not a good look for a lawyer to submit something to a judge with a case that just was fabricated. So we've been really careful with how we use it. My personal experience, and I like to experiment with the tools, my personal experience has been, for what I do, for legal research and those type purposes, the technology from an accuracy standpoint is just not quite there yet. I can see, looking forward to the future, that it may be there. But in my world, the stories are all about ethical and other issues from people using it and getting in trouble. I've used it some, ironically, in presentations, and sometimes to demonstrate how powerful it is. And I've done one presentation where I have a slide and reveal at the end, hey, I didn't write a word of this text, right, it was all written by ChatGPT. And that goes to show how difficult it can be to detect what's written by a human versus ChatGPT. But so far, from a legal standpoint, accuracy is really key for what we do, especially if it's something examining what statutes apply and how those statutes apply to a situation. We're just not quite ready to turn that over to a
Bill Stites 28:29
One thing that comes up in a lot of the conversations we're having right now is the confidentiality issues. When you're doing that, the conversation has been, unless your data's sandboxed, like unless you know it's just yours, and even then proceed with caution. But the idea that you shouldn't put anything that can identify students, parents, you know, any names, you know, those types of things. Where do you see confidentiality, those types of issues? If people are asking you, what are you telling them on that front?
Adam Griffin 28:58
Yeah, so the first thing, I go back to: read the terms. And typically, the service should tell you what they're doing with your data; they should tell you who owns that data. And then they should tell you what it is they are going to do with it, what they're permitted to do with it; it should be in either their terms and conditions or their privacy policy. So a lot of times, they'll be upfront: hey, we're going to use this data for these purposes. And that may be a purpose that you do not desire or intend, but because frankly very few people read the online Terms and Conditions, people don't realize that it's going on. So my first piece of advice is read and see, are they telling you what they're doing? And then follow on to that: Is that what we want them to do? Is that compatible with our goals, our objectives, our approach to data sharing? Would we allow any other vendor to do what they say they're doing? That answer is going to differ by school and institution. Some take different approaches to that, and some may say we would never allow the data to be shared in this way, and some may say we're okay with that. And then I think you're also going to have some parents who say, we're not okay with this, right; you as a school maybe, but as a parent, I'm not. And that's going to be really challenging to navigate, I think, going forwards.
Christina Lewellen 30:12
As a side note, I just want to mention that one of the ways I've used ChatGPT is to analyze privacy policies for programs I'm using. So I'll take the privacy policy and copy it into ChatGPT and ask it to summarize any red flags or concerns in this language. And so I think that you can kind of use AI to help you evaluate AI. I don't know if anyone else does that. But I found it kind of useful. I've done it.
Adam Griffin 30:37
Well, it sounds a lot better than reading all of those terms and conditions, which, unfortunately, is what we end up doing as lawyers. And those terms and conditions, again, are contracts. And so it's important to know what they say. People rarely do. And I know that people rarely do, not just in the AI context, but in other online services, because we do read them and we see misspellings, and we see the names of companies who are not involved, because someone copied and pasted. I have on more than a few occasions emailed a company and said, hey, I noticed there's a spelling error, this grammatical error, this copy-and-paste error in your privacy policy, your online terms and conditions, because no one reads them.
Bill Stites 31:13
So as a follow-up to that, you know, we talked earlier about the contracts that you engage with when you're dealing with larger vendors, particularly those that are online. One of the other things that kind of blew up as a result of COVID were all these online services where you just need to click here to sign in with Google and boom, you've created an account, you've got all your students doing it, you've done all this. But none of that's been vetted. And the one thing that we're harping on here a lot is, teachers, when they're thinking about using a service, they need to be vetted, because just because it doesn't cost anything, just because it's easy to click sign in with Google or sign in with, you know, whatever service you're using, there's very little overhead in terms of the work to get started with these things. As you said, you're entering into a contract with all these companies, and you don't know what you're agreeing to. You know, if it's free, it's coming at a cost. Free is not free. We had Robert Olson on from Ankura a while back, and we got off on a long topic about that, because of just those levels of risk. So one of the things I always like to do, where I try to ground it, is I go back to our faculty, and sometimes our staff, and I say, we have cyber insurance that requires X, Y, and Z. If you're doing this, it's violating that. We've got all these other things that we don't know what they're doing. How do you, or do you? Is there a way? I'm looking for this for myself. How do you counsel schools or people like myself to have those conversations with our employees, faculty and staff included, around these free things that are definitely not free? And we definitely don't know what they're doing with our data?
Adam Griffin 32:59
Yeah, so that's a huge issue. I want to start by saying the people who, usually teachers or other employees, are signing up for these things, they're always well intended, right? They don't intend to do anything malicious. They're usually just trying to do their job, to bring value, to bring additional tools to the classroom, all admirable goals, right? Especially during COVID, as you mentioned, when frankly all of us were in varying degrees of a survival situation every day. As someone with young kids at home, that definitely felt like the case for me. So it's well-intentioned actions. However, I think that a lot of times people don't realize the consequences of those actions. So a teacher, or an IT professional at a school, may not realize that by signing up for this, you are potentially binding your school to this contract that no one has read, no one has looked at. So it's a huge problem. I think that the way to grapple with it, first of all, is not to be adversarial. Internally, it is to say, let us help you. You as a teacher or as an employee, we know that you want to do the best for the students, we know that you need tools, we also know that you don't have the time or resources to vet all these out. And teachers don't have time to read these terms and conditions. So let us help you. You don't want to contractually obligate the school to things; we don't want you to either. Let us help you vet these out. Knowing what is being used is key. I've learned a lot of teachers are using the same thing. So the second grade teachers will all talk to each other, right, and share that there's this great tool. So a lot of times the list of what's being used may not be as long as we think it is, teachers talking to information there. They're using those tools. Another thing to think about in this context is COPPA, the Children's Online Privacy Protection Act, which is enforced by the FTC.
The FTC, the Federal Trade Commission has come out and said essentially, you are giving consent under COPPA if it's someone under 13. You're giving consent on behalf of their parents. It's called in loco parentis consent, that's Latin. That's my one Latin phrase for the podcast.
Christina Lewellen 34:58
Well done.
Adam Griffin 35:00
You're giving that consent. And the FTC has said that consent and that vetting should be done at the administration level, not at the teacher level, because it's not part of the teacher's job to read a legal agreement and vet it and make determinations. So that comes, in different schools and different setups, to different people. Sometimes it's gonna go to your attorney; we've seen where the school IT department has an apparatus set up to vet the services. You know, there's different ways to handle it, there's not one correct approach. But it does need to be done, in my view, at an administration level. By the way, there may be some changes to COPPA on the horizon. And that would be the subject of a whole much longer discussion, but the FTC has published some additional proposed revised rules. And so those new proposed revised rules would give schools additional rights, you could review some of the information collected, there would be some limitations on what schools could consent to. And then there's also potentially some additional burden that could come into place if those rules are passed as proposed, in that there would be a contract that meets specific requirements. So again, that's not going to be done by a teacher; that needs to be done, if it's drafting a contract, or ensuring that a contract is compliant with a law or regulation, that really needs to be done by an attorney.
Christina Lewellen 36:19
It's interesting, Adam, because it leads me to a question that I have around pending legislation, because I think that certainly some of these behaviors and best practices could come from an ethical obligation, you know, like the littles can't make decisions about their data. And so we, as the adults in the room, need to make decisions on their behalf to protect their data before they're old enough to make those decisions. So there's those ethical obligations, there's some legal obligations with some of this legislation. But something that I keep an eye on, I'm curious about what your thoughts are, you know, in the United States we are behind compared to our friends over in the UK, even some privacy regulations in Canada. Do you think that we're gonna get our act together when it comes to, in particular, protecting the data of our minors? Do you think legislation will ever come and help us make great decisions for these kids?
Adam Griffin 37:15
I think we're starting to very slowly see a cultural shift in America towards favoring privacy of personal information, especially when it comes to children and minors. So you made a good point: if you look at the EU GDPR, it's a very different framework than we have here. Europeans generally, culturally, favor their privacy around their data much more than we do in America. We're nowhere close to what they have in the EU. But what we have seen is a patchwork: a few states every year come out with a new data privacy law. So California is obviously first. Interestingly, most of these don't apply to nonprofit entities; most of them have an exemption for nonprofit entities, which means for the most part schools, independent schools specifically, are not going to be subject to these laws. That's not always the case. And I think that that shift will change as well, and will occur as well. I think over time the entities that are subject to these laws will broaden as well. So I think that that's probably long term in the future. And I think it's been a really slow shift. I think that there's still a pretty prevalent attitude in America of indifference to privacy of one's data. Now, when we talk about minors and people's kids, there's definitely a different view there. So I think that's on the horizon. I mean, to your point, right now there's not just a whole ton of laws and regulations that tell us what to do and what we can and can't do with student data for independent schools. So as those cultural shifts happen, it will continue, likely, to be a state-by-state approach for the near term. That's super challenging, too. It's challenging to keep up with what each of these states is doing. There are some schools that may be close to a state border, right, and may have to think about multiple states, depending on how this shakes out.
Christina Lewellen 39:04
Yeah, it's really interesting. And, you know, when we had Bob Olson on from Ankura, he talked about how some bad actors are willing to play the long game on data, like they get a hold of data from, you know, let's say, an independent school roster. And it might make sense to hang on to it, because you don't know where these kids are gonna go in life. It could be that they act on it later. And so that just is really interesting to me, that we haven't quite rallied consensus around trying to protect the data in some kind of comprehensive nationwide way so that it's not state to state. But maybe we'll obviously push for that and hope that we go in that direction. And maybe it's going to take something huge, or some kind of critical mass, where people are finally paying attention to it. Our heads are in this game all the time. But I'm sure many people just don't think about it.
Bill Stites 39:51
I think back to when you and I first met. I'm trying to put a placeholder on when that actually was, back at one of the ATLIS conferences, and one of the things that I think really drew me originally to the session that you offered at that conference at that time, but also to reaching out to you on a number of other occasions, and then teaming up with you for some of the presentations that we've done, is that, as you said earlier, you were somebody who was interested in technology early on, and then got into law. That, for me, was like the unicorn. Here's somebody that understands tech that I can talk to about all these legal concerns and questions that I have. Because, you know, as I said, we're not lawyers. I'm not a lawyer. And the other thing is, I'm not the Chief Information Security Officer, I'm not a CISO, at my school. I mean, that seems to be a role or a job that, given the amount of contracts that we have to involve ourselves in, seems like a role more and more schools need to think about and consider. So I have a two-part question for you on that point. Do you see attorneys functioning for schools to some degree as that CISO, you know, being able to help in that evaluation of those contracts and understand what's working? And the second part of that is, what are the things that you would tell a person like me or another school member to look for in choosing an attorney that understands those technical pieces? Because, like you said earlier, you know, this is very nuanced. And you really need to understand what's going on. So you may get somebody that's giving you advice that's being overly cautious, or, you know, not that there's usually a problem with that, but is not understanding the full scope of things. So how do you make that choice in that case?
Adam Griffin 41:47
I'm gonna take your questions up in the order that you asked them. I think there is a great role for outside counsel to play to augment or supplement some of that CISO role, especially when it comes to vendor vetting. Ultimately, what vendors do and have to do is largely going to be controlled by that agreement. Reviewing contracts, editing contracts, negotiating contracts is a legal function, right? It is something that outside counsel can, and I think should, take on for the school and say, we're gonna do this. CISOs, if you have a CISO, if you're fortunate enough to have one, it'd be great if they can focus on more technical security measures that someone outside really can't do. So I think there's definitely a great role for outside counsel to play to augment or supplement some of that CISO role. Finding an attorney: it's really important to find the right attorney, especially when you're talking about cybersecurity issues, whether it's in a contract or it's incident response. The key is to not ask, can you do this? Because almost every attorney is going to say, yes, I can. The question is, have you done this? And if so, how often? For whom? How many times? Have you done cyber incident response? Have you handled an incident response matter? Yes? How many, for what threat actor groups? What insurance carriers have you worked with? How many are you handling a year? How big is your team that handles these? How many does that team intake? What's the seniority and experience of the team? Really diving deep on those questions is key. If you ask an attorney, can you do this? They'll say yes. And you may land with someone who's learning it as you're getting your legal advice. And that's not really an ideal situation, right?
Christina Lewellen 43:30
Don't learn on my case, please. So Adam, as we kind of round out this conversation, I'm curious, what are the things that sort of make you smack your head when it comes to independent school clients? Like, if they would have just done X? Like, what are the simple things that kind of drive you crazy? Can we get a little dirty laundry, in the intention of trying to share what could be done better, what our schools could do better? What drives you crazy, like if they had just done X, they would have really saved themselves a lot of heartache?
Adam Griffin 44:01
It seems like I hear a lot of times, oh, that system, that network, that appliance, that entry point for where the threat actor got into the network was on the list to be deprecated. We were gonna take it offline. It was old technology. This was about to be unplugged. We just hadn't gotten to it. Take the things offline, right, reduce your attack surface. The other thing is just, well, we had been asking for this, but we didn't have the budget approval. It's easy for me to say that because it's not my money. It indirectly is for the school where my kids attend, and I pay their tuition. But other than that school, it's not my money. And so it is challenging. I get and understand the budget challenges. But I think overall, we see a lot of our school clients not devoting enough money and resources to cybersecurity. Keep in mind, this is asymmetrical warfare. We are on the defensive side. The bad guys, the criminal threat actors, are on the offensive side. We have to be right, and accurate and true and good and protective 100% of the time; if we fail one time out of a million, that may be the threat actor getting in our system and ruining our day, and days and weeks beyond that. On the other side, the threat actor, they can fail millions of times and only succeed once and wreck somebody's day, week, month. So it's inherently asymmetrical. It is unfair. But that's just logic and reasoning, unfortunately, and we need to behave as such. So it does call for significant resources. I'll also just share, a number of clients, school clients, have come to us and there are a few things they could have done and spent a little bit of money on the front end, rather than spend a whole lot of money on the back end. So, you know, deploying EDR, making sure that you're taking action on the alerts from EDR. There's kind of technical things that do seem expensive, right, when you get price quotes, but the cost of those pales in comparison to the costs of a major cybersecurity incident.
Christina Lewellen 46:02
Incredible advice. Thank you so much for that. I think that schools need to hear it, because it's not fun. It's not fun work to prevent cyber issues. It's tedious and challenging. And so thank you for saying that. Before we wrap up, where we started was Bill indicated that he would have been a chef in another life, another fork in the road. I indicated that I would have loved to play with law. And you know what, who knows in this world? Maybe I will still someday. If you hadn't been a lawyer, would you be a technology person, director, leader at an independent school? Or what other path would you have taken, Adam?
Adam Griffin 46:38
I'll tell you, there was a time where what I considered was being a COBOL programmer. So I took COBOL. And I actually taught COBOL as a student tutor to other students. That was at one point what I thought would be a good path. I thought about being an IT admin, but I also thought there would just be a lot of benefits to waking up every day and sitting at a computer and writing COBOL. What I do now is probably pretty far from that. But I think that would have been my other path in life.
Christina Lewellen 47:08
You know, sir, I think we've learned a lot about you and why you are a unicorn. This is why our tech leaders need to just call you: you're a lawyer who loves tech. I am loving this whole situation. You are definitely the perfect person for this podcast, 100%. Thank you so much for your time and for joining us and for sharing your expertise. Truly, I'm sure that all of this important information bounces around in your head, but to share it with our community is such a valuable gift, and I do want to thank you for your time and for sharing all this advice with our community.
Adam Griffin 47:39
Thanks for having me, really enjoyed it.
Narrator 47:43
This has been Talking Technology with ATLIS, produced by the Association of Technology Leaders in Independent Schools. For more information about ATLIS and ATLIS membership, please visit atlis.org. If you enjoyed this discussion, please subscribe, leave a review and share this podcast with your colleagues in the independent school community. Thank you for listening.