PRIVACY AND SECURITY REQUIREMENTS
Schools expect your digital platform to comply with multiple types of data handling legislation and standards. Careful study of each is recommended, but this overview will introduce the various hurdles Publishers must overcome to meet school compliance demands. Even if your product is supplemental, any product where exchange of student data will occur needs to adhere to these rules.
C2C IS COMPLIANT OR PARTICIPATING IN THE FOLLOWING SECURITY AND PRIVACY PROTOCOLS:
FedRAMP (AWS GovCloud)
COPPA
CIPA
FERPA
NIST Cybersecurity Framework
SOC 2 Type 2
Cyber Security insurance included against data breaches
FedRAMP
Content2Classroom serves the platform on AWS GovCloud and is FedRAMP compliant.
The Federal Risk and Authorization Management Program (FedRAMP®) provides a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government that emphasizes security and protection of federal information. As public institutions hosting personally identifiable information, particularly for young children, school districts are demanding a higher level of security from their vendors to mitigate the risk of sending data to these separate sites. FedRAMP as a protocol offers a higher level of security to hold cloud solutions accountable.
Demonstrating FedRAMP compliance outside of a pre-approved system can be difficult. An option for curriculum publishers to comply with the FedRAMP protocol is to move your product to Amazon Web Services’ GovCloud solution. While this is an extra task and will increase the cost of your cloud storage and operation, it is a helpful way to increase security, lower liability, and meet the needs of public schools that wish to mitigate their risks.
COPPA
Content2Classroom is COPPA compliant.
The Children’s Online Privacy Protection Rule prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. In this case, a child means an individual under the age of 13. Under the rule, data about children shared with your system needs to be necessary and should not include anything more than what is needed to operate the site. Personally identifiable information (PII) should never be passed and no emails should be used or created for children under 13. Instead, usernames should be constructed without PII. CMSs may interpret the rule to mean it is acceptable to pass demographic information about children. Privacy advocates have raised concerns about the ease of “de-anonymizing” demographic data. Therefore, Educational Publishers should be very careful and potentially avoid the practice of passing demographic data entirely.
CIPA
Content2Classroom is CIPA compliant.
CIPA (Children's Internet Protection Act) is a U.S. federal law enacted in 2000 to protect children from harmful online content, particularly in schools and libraries. It's crucial for e-learning platforms to be CIPA compliant for several key reasons:
Legal Requirement: CIPA compliance is mandatory for schools and libraries receiving E-rate funding.
Child Safety: Compliance demonstrates commitment to protecting minors from inappropriate content.
Content Filtering: Platforms must incorporate or be compatible with required filtering technologies.
Acceptable Use Policies: CIPA-compliant platforms help institutions implement required Internet safety policies.
Monitoring Capabilities: Platforms should offer features to track and report user activities.
Market Access: Compliance allows platforms to serve a wider range of educational institutions.
Data Protection: CIPA compliance often aligns with robust data protection measures.
Trust and Reputation: Compliance enhances a platform's credibility in the education sector.
For e-learning platforms, especially those serving K-12 education, CIPA compliance is essential. It ensures they meet legal requirements, prioritize student safety, and gain trust from educators, parents, and administrators. By being CIPA compliant, platforms demonstrate their commitment to creating a safe and appropriate online learning environment, which is crucial in today's digital educational landscape.
FERPA
Content2Classroom is FERPA compliant.
The Family Educational Rights and Privacy Act protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Any one curriculum provider is unlikely to be the only provider of curriculum and it is extremely unlikely that your system will be the system of record for the student’s total performance within a grade or class. Rather, the performance data you are producing will contribute to a student’s record or inform a teacher’s evaluation in another system. As such, offering grade passback or easily exportable performance records (exportable reports) is very helpful to the teacher. However, in accordance with FERPA, the level of information and performance data should be restricted to the minimum necessary to connect data back to the student’s personally identifiable records in the main system of record.
NIST CYBERSECURITY FRAMEWORK
Content2Classroom follows the NIST Cybersecurity Framework.
The NIST Cybersecurity Framework is a vital set of guidelines developed by the U.S. National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risks. For e-learning platforms, adopting this framework is crucial in today's digital landscape.
E-learning platforms handle sensitive data including personal information of students and educators, academic records, and proprietary educational content. By following the NIST framework, these platforms can better protect this valuable data from breaches and unauthorized access. The framework also helps ensure operational continuity, preventing disruptions to learning activities that could result from cyber attacks.
Moreover, implementing the NIST Cybersecurity Framework demonstrates a commitment to security that builds trust among users and helps platforms comply with data protection regulations. As cyber threats continue to evolve, the framework's flexible approach allows e-learning platforms to adapt their security measures accordingly.
In an era where online education is rapidly expanding, robust cybersecurity is not just an option—it's a necessity. The NIST Cybersecurity Framework provides e-learning platforms with a comprehensive, structured approach to safeguarding their digital assets and maintaining the integrity of the online learning environment.
SOC 2 COMPLIANCE
Content2Classroom has completed its SOC 2 Type II audit.
The Systems and Organization Controls 2 (SOC 2) security framework covers how companies should handle customer data that’s stored in the cloud. It provides auditors with guidance for evaluating the operating effectiveness of an organization’s security protocols. A SOC 2 compliance audit will evaluate:
Access controls—logical and physical restrictions on assets to prevent access by unauthorized personnel.
Change management—a controlled process for managing changes to IT systems, and methods for preventing unauthorized changes.
System operations—controls that can monitor ongoing operations, detect and resolve any deviations from organizational procedures.
Mitigating risk—methods and activities that allow the organization to identify risks, as well as respond and mitigate them, while addressing any subsequent business.
There are two types of SOC 2 reports:
Type I describes the organization’s systems and whether the system design complies with the relevant trust principles.
Type II details the operational efficiency of these systems.
A SOC 2 audit is thorough and comprehensive. The entire process can take from six months to a year and most SOC 2 audits are conducted yearly. Recommendations for organizational practices may need to be adopted before the next audit, adding more time to the process. So, be forewarned, if a CMS you buy or build (or any component program within) is not at least within the audit period of its SOC 2 compliance, it will likely be more than 6 months before SOC 2 compliance is achieved.
CYBER SECURITY INSURANCE INCLUDED
Content2Classroom maintains a comprehensive Cybersecurity Insurance policy.
Cybersecurity insurance is a specialized insurance product that helps organizations manage financial risks associated with cyber incidents. For e-learning platforms, this insurance is crucial for several reasons:
Financial Protection: Covers costs related to data breaches, cyber attacks, and system downtime.
Legal Liability: Helps with legal fees and settlements if users sue due to a cyber incident.
Data Breach Response: Covers expenses for notifying affected users and providing credit monitoring services.
Business Continuity: Assists with costs of restoring operations after a cyber attack.
Reputation Management: Covers PR expenses to mitigate reputational damage.
Regulatory Compliance: Helps meet financial requirements of data protection regulations.
Expert Assistance: Often provides access to cybersecurity experts for incident response.
Third-Party Damages: Covers claims from affected partner organizations or users.
Investor Confidence: Demonstrates commitment to risk management to stakeholders.
While essential, cybersecurity insurance should complement, not replace, robust security measures. For e-learning platforms handling sensitive data, this insurance provides an additional layer of protection against evolving cyber threats, helping to ensure financial stability and maintain user trust in the event of a cyber incident.