Federal legal and regulatory developments concerning information security and breach notification, net neutrality, and web accessibility directly impacted the EDUCAUSE community in 2018. Those effects will continue into 2019, possibly in conjunction with renewed efforts to pass comprehensive national privacy legislation.
With the midterm elections behind us and a new—and newly divided—Congress on the horizon, the EDUCAUSE community can take stock of a year in which our policy issues generally flew below the radar in the legislative space. Taxes, spending, health care, and immigration, as well as the continuing investigation of foreign interference in the 2016 presidential election, consumed the Congressional calendar, leaving little time for consideration of other issues, such as the years-delayed reauthorization of the Higher Education Act. In the legal and regulatory arenas, however, major areas of concern for the EDUCAUSE community continued to develop, presenting significant implications for the year ahead.
Information Security and Breach Notification
EDUCAUSE began the year by submitting formal comments to the US Department of Education (ED), Office of Federal Student Aid (FSA), concerning breach notification and information security reporting compliance actions that FSA had initiated late in 2017 and carried over into 2018. Over the course of a few months, FSA had sent compliance letters to a number of college and university presidents, asserting a failure by their institution to report actual or suspected data breaches to the agency. As a result of these alleged failures, the letters attempted to enforce requirements for in-depth reporting about the purported incidents and each institution's overall information security program.
Working with members from the affected institutions and other member experts, EDUCAUSE responded by highlighting disconnects between the authority and requirements FSA was asserting and the underlying laws, regulations, and agreements on which FSA indicated they were based. In particular, EDUCAUSE expressed deep concern about the assertion of institutional responsibility for reporting undefined "suspected" breaches, as well as breaches with little if any relationship to student financial aid data. The American Council on Education (ACE) subsequently filed separate comments in support of our position, and the two associations worked together to encourage FSA to change course on the existing compliance cases and adopt a more accurate and effective approach moving forward.
Those efforts proved successful, as FSA ceased issuing problematic form letters and engaged collaboratively with institutions' IT and student financial aid professionals to evaluate and address relevant issues directly. Formal documentation of relevant compliance authority, guidance, and processes by FSA remains to be developed, however. As a result, EDUCAUSE has shifted its dialogue with FSA to focus on potential opportunities for the agency to collaborate with our members and other higher education stakeholders to develop an appropriate compliance infrastructure. Continuing to advance this conversation remains a top policy priority for EDUCAUSE heading into the new year.
The Federal Communication Commission's action in late 2017 to repeal its network neutrality rules carried over into legal action in 2018, as twenty-two state attorneys general and a number of public interest groups filed suit in federal appeals courts to "repeal the repeal." Those lawsuits were ultimately consolidated in the DC Circuit Court of Appeals, which is currently reviewing the legal briefs submitted by various parties in anticipation of oral arguments on February 1, 2019. EDUCAUSE joined other leading higher education and library groups, twenty in all, to file an amicus brief in support of the states and organizations seeking to restore the enforceable network neutrality protections established by the Obama-era FCC in 2015.
EDUCAUSE and its partners submitted a brief highlighting the importance of the learning, research, and public-service uses of the internet that often go overlooked in the largely commercially focused debates surrounding network neutrality. Our groups argued that the loss of network neutrality protections has the strong likelihood of harming those uses—first, by increasing the costs our institutions and ultimately our stakeholders must bear for online content and services due to paid prioritization; second, by opening the door to distortions in the flow of internet traffic due to throttling and paid prioritization that would inhibit the effective use of our online courses, programs, services, and content (unless institutions themselves pay for prioritization); and third, by allowing broadband service providers to compromise academic freedom and freedom of speech through blocking access to potentially controversial research and views.
As the direct legal challenge to the FCC repeal unfolded, a number of states implemented their own laws and/or executive orders to protect network neutrality for their citizens. Most sought to avoid concerns over whether federal law or regulation in the telecom space would preempt state actions by focusing on state procurement, where the authority of the states over their own expenditures is clearer. Those states essentially barred state agencies from contracting with broadband providers that don't follow the FCC's previous network neutrality rules. Other states, most notably California, decided to tackle the FCC's assertion of federal preemption head on and passed laws applying the original network neutrality protections to broadband services in their jurisdictions. (California went further still by barring providers from giving preferential treatment to specific apps and services by exempting their traffic from end-user data caps, known as "zero rating.")
The US Department of Justice and industry groups filed suit against California, seeking to overturn its law on the grounds of federal preemption. Both sides agreed, however, to delay that court challenge in exchange for California not enforcing its net neutrality law pending the DC Circuit's ruling on the "repeal the repeal" case. That makes the federal appeals court case once again the dominant concern, and a ruling on it isn't expected until late spring or early summer. EDUCAUSE and its partners will continue to monitor that process and subsequent developments to ensure the interests of higher education and libraries are represented.
The digital instructional materials accessibility bill that EDUCAUSE, ACE, the National Federation of the Blind (NFB), the Association of American Publishers (AAP), and the Software and Information Industry Association (SIIA) have worked together to advance, the AIM HIGH Act, slowly gained additional Republican and Democratic support in the House of Representatives, where it now has 83 bipartisan cosponsors. In addition, both parties' Higher Education Act reauthorization bills in the House incorporate versions of AIM HIGH. Unfortunately, those versions differ from each other in substantive details and also differ from the version of the bill introduced in the Senate. More work therefore lies ahead in 2019 to ensure reconciliation of the various iterations of the AIM HIGH Act so that it may either pass on its own or as part of a larger legislative package.
As the end of 2018 nears, the management of web accessibility compliance complaints by the ED Office of Civil Rights (OCR) has reemerged as a major issue that could have a significant impact in 2019. Earlier this year, OCR issued a revised manual for the handling of civil rights complaints, which included a change designed to address the mass filing of what OCR deemed to be repetitive, small-scale web accessibility complaints attributable to specific individuals. The change in the case-handling manual directed ED officials to largely dismiss such complaints as nuisance filings that inappropriately diverted departmental resources from pursuing substantive cases. (Again, that was the OCR characterization.) Unsurprisingly, the relevant individuals and disability advocacy groups did not agree with OCR's categorization and dismissal of such complaints; they filed a lawsuit seeking to force a revision in the office's compliance guidance and approach.
While the case remains in progress, OCR announced just before Thanksgiving that it would reverse course on its handling of mass filings and revisit at least some of the previously dismissed complaints. What this means for web accessibility complaints against educational institutions in practical terms moving forward, however, is still unknown. ED OCR has made clear that it will emphasize a collaborative, problem-solving approach with institutions in resolving individual complaints, as compared to pursuing broad consent agreements based on determinations that a set of complaints indicates broad "systemic failures." In the absence of a shift in that enforcement emphasis, the return of mass filings to the complaint process could lead to even less action on the part of OCR (unless it sees a dramatic increase in its resources) as it struggles to work through a greatly expanded caseload one complaint at a time.
Federal Privacy Legislation in 2019?
EDUCAUSE's major policy issues in 2018—information security and breach notification, net neutrality, and web accessibility—will all continue to evolve in 2019, but they will likely be joined by another issue of major interest to EDUCAUSE members: potential federal privacy legislation. The emergence of the European Union (EU) General Data Protection Regulation (GDPR) this spring, followed by California's adoption of the California Consumer Privacy Act (CCPA) this summer, generated substantial interest in a renewed effort to achieve a single, national privacy law that would prevent a patchwork of state privacy laws from developing (as is the case with data breach notification). Further momentum in Congress for exploring the topic stalled as representatives and senators turned to the midterm elections, but strong concern among the business community (and especially by web and technology companies) ensures that the next Congress will renew consideration of the issue.
As yet, though, Republicans and Democrats are still far apart on whether a new federal law should completely preempt any state laws (the Republican position) or whether it should serve as a floor for national privacy protection, with stronger state laws allowed to stay in place (the Democratic position). Until both sides and both chambers of Congress reach a compromise on this fundamental disagreement, prospects for actually achieving a comprehensive federal privacy law remain uncertain.
The EDUCAUSE community was largely unaffected by federal legislation in 2018, but federal legal and regulatory developments were another matter. The EDUCAUSE policy and government relations team, informed and guided by the EDUCAUSE Policy Advisory Committee, worked to actively address concerns related to information security and breach notification, net neutrality, and web accessibility. Those issues will continue into 2019, and most likely beyond, with the potential for comprehensive national privacy legislation to join them. EDUCAUSE will continue to work with members to effectively define and represent the community's interest in these federal policy developments, and others, as they take shape.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2018 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.