
Privacy is a multi-faceted challenge in higher education, in part because complex academic institutions collect and maintain high volumes of different kinds of protected data, ranging from health benefits information pertaining to their often large workforces, to education records created for their students, to financial information relating to donors, to extensive health care provider information collected and used by academic medical centers, and to protected health information and other protected information collected in the course of research. Colleges and universities are comprehensively (if not always logically) regulated in all aspects of their collection, storage and use of such information.

We appreciate that private information is collected by higher education institutions not only from large numbers of people, but also from a wide range of geographies often stretching across numerous states and countries. U.S. Federal laws provide a sectoral approach to data privacy protection, offering separate laws protecting students’ rights through the Federal Educational Records Privacy Act (FERPA), patients’ rights through the Health Insurance Portability and Accountability Act (HIPAA), as well as personal financial information through the Gramm-Leach-Bliley Act (GLBA). In addition to these Federal laws, colleges and universities may be required to comply with state data privacy laws, international data privacy laws such as the European GDPR, and, if they process credit card payments (such as at the campus bookstore or dining halls), the payment card industry data security standards (PCI DSS).

Bryan Cave Leighton Paisner has the experience and knowledge of higher education institutions’ operations, practices, privacy cultures and protocols, as well as thoroughgoing expertise with the montage of various data protection rules under a number of different information privacy and data security regulations for personal and financial data that may be stored across multiple different academic and business office areas. 

Our Data Privacy and Cyber Security team, including its world-class data breach response practice, has earned national recognition from leading publications. In 2020, Lexology, one of the top publishers of legal news and information with more than 500,000 readers, identified BCLP as the No. 1 “Legal Influencer” among law firms in the field of United States technology, media and telecommunications law – which includes data privacy and data security.

From understanding the institutional impact of the latest law that attempts to organize certain privacy rights, to acting fast in the face of a breach, we are well prepared to address the issues that face institutions of higher education.

Representative Experience

Here is a sampling of the data privacy, security regulation and data breach management work we’ve done for a number of higher education institutions:

  1. Conduct Data Protection Impact Assessments (DPIA) for higher educational systems that collect information from European students and professors.
  2. Create action plans for migrating institutions into compliance with data privacy best practices and the European General Data Protection Regulation (GDPR).
  3. Identify the diverse laws affecting institutions and rank those which generate the greatest risks and exposures in light of the institution’s particular operations and footprint.
  4. Respond to data security incidents that may involve sensitive and/or regulated information collected about students, employees, health care providers and alumni.
  5. Guide institutions on how to create data privacy offices or dedicated data privacy .