What did CSU do to verify vendors’ data security – and what might FTC do?
When California State University decided to purchase a We End Violence program, Agent of Change, they reportedly did consider data security. The Press-Telegram reports:
Laurie Weidner, spokeswoman for the Chancellor’s Office, said CSU has not terminated its relationship with We End Violence, which administered the training program called Agent of Change. The vendor was one of three offered to campuses, when the sexual violence prevention program was rolled out, she said.
Weidner said in an email the vendor was one of several reviewed and was recommended by the White House task force on campus sexual violence prevention.
Did the White House task force review data security of the products?
“The vendor agreed to the required contract terms and conditions regarding information security, including accepting CSU definitions for what constitutes confidential data, and the requirement to maintain the privacy (of) confidential information,” Weidner said.
And what, exactly, were those terms and conditions? DataBreaches.net has emailed We End Violence to ask whether the sensitive student information was stored in plain text. Did CSU know the data would be stored in clear text? Did they accept that?
CSU has no plans to change the screening process of vendors delivering the online sexual assault prevention training, Weidner said.
So CSU has no plans to learn from this experience by investigating data security more before they make arrangements with a vendor?
“The breach occurred with one vendor not the others,” she said in the email. “The CSU has other contracts with other vendors, and there has been no data exposure.”
Perhaps she should add, “… yet.”
Keep in mind that all enrolled students in the 23-campus CSU system are reportedly required by federal law and the state auditor to take sexual assault prevention training. That is a tremendous number of students who may have their sensitive and/or personal information exposed through a vendor, as CSU’s statement about over 79,000 students being impacted illustrates.
If the U.S. Education Department and Congress are serious about data security and EdTech, maybe they should investigate the We End Violence breach and all the vendors’ contracts and assurances of data security (if they have not done so already).
And while the FTC cannot take action against CSU, it does have authority to enforce data security in the vendors. Maybe they, too, should look into whether We End Violence has a reasonable security program or if they violated Section 5 by failure to deploy commercially reasonable and appropriate safeguards for sensitive information that left consumers at risk of substantial injury.