Millions of Student Records Sold in Bankruptcy Case
When the education technology company ConnectEDU Inc. sought protection under Chapter 11 bankruptcy law earlier this year, 20 million student records hung in the balance, raising many questions for educators and parents alike.
What would happen to the data the company had amassed in its college- and career-ready technology platform for students from middle school through college? Who would own the records? How would they be secured?
Founded in 2002, ConnectEDU had amassed millions of records from school districts, as well as individual students and their parents. Depending on what a district or individual specified, a record could include a student's test scores, grade point average, learning disability, email and home addresses, phone number, and date of birth—among other information. The contracts with various education entities and a trove of individual student records were a substantial part of the company's remaining value as it dissolved.
ConnectEDU, a college- and career- planning company, gathered data from high school and college students, counselors, and parents.
ConnectEDU files for Chapter 11 protection in the U.S. Bankruptcy Court in the Southern District of New York.
The Federal Trade Commission announces that it will seek to protect students’ personal information as ConnectEDU’s bankruptcy moves forward.
Graduation Alliance, a Salt Lake City company, announces its acquisition of key assets from ConnectEDU.
The Bill & Melinda Gates Foundation files a motion in an effort to get back the unspent part of a $500,000 grant it made to ConnectEDU in 2013.
Graduation Alliance notifies nearly 500,000 Connect! users that it has purchased the ConnectEDU data. Fewer than 1 percent ask for records to be deleted.
Seattle school district orders Graduation Alliance to delete all student records.
Graduation Alliance notifies Seattle schools that all student information related to Seattle public schools was destroyed.
The Federal Trade Commission's Consumer Protection Bureau brought this to the attention of the bankruptcy judge in the case in May. It asked the court to have ConnectEDU destroy all personal data; or to notify users that their personal information was about to be sold and that they could have it deleted; or to appoint a privacy ombudsman to ensure protection of the users' privacy.
But none of those scenarios happened, because ConnectEDU had no employees as of the filing date, according to Wojciech F. Jung, a partner in Lowenstein Sandler LLP, the New York City law firm that acted as lead bankruptcy counsel for ConnectEDU in the case.
Instead of registrants receiving notice before the sale, it was left to the acquiring companies that bought the failed company's assets—Graduation Alliance of Salt Lake City, and Symplicity Corporation of Arlington, Va.—to carry out the notifications after the records had been transferred.
"This is a significant red flag for the treatment of student information by education technology companies," said Joel R. Reidenberg, a law professor at Fordham and Princeton universities. "Many ed-tech companies today are small startups, collecting lots of data. Many of them are not going to succeed. What's the protection when these companies go bankrupt?"
For those that do succeed, grow, and become part of an acquisition, he expressed similar concerns: "What's the protection when they merge?"
Seattle Schools' Concerns
ConnectEDU was sold in pieces. In June, Symplicity purchased Experience, a ConnectEDU company that delivers career services to college students and alumni. That same month Graduation Alliance acquired contracts, key team members, and several of ConnectEDU's educational products and services, including the Connect! college- and career-planning platform and the Epsilen collaborative learning environment. Agreements with the Texas Education Agency, and the Miami-Dade, Fla., and Seattle school systems were among the contracts conveyed in the Graduation Alliance sale.
On Oct. 1, 2014, Graduation Alliance announced that —the day before—students, parents, and educators who had established accounts with ConnectEDU's platform since 2002 had been "informed of their rights to request all personally identifiable data be removed and promptly destroyed," and that Graduation Alliance had "enacted all data privacy measures as required by the U.S. Federal Trade Commission." That included the notification of all Connect! users, past and present, whose post-secondary accounts had been transferred to the company.
Fewer than 1 percent of those notified by Graduation Alliance requested that their records be destroyed, according to Ray Kelly, the CEO of the company, which was founded in 2007 and has specialized in dropout recovery and prevention.
But when parents in Seattle received emails directly from Graduation Alliance indicating that they could request that all personally identifiable information be purged from the system, it raised some questions and concerns, according to Carmen A. Rahm, the chief information officer for the district.
Seattle schools had demanded that all records be deleted under its contract when ConnectEDU declared bankruptcy in the spring, but the district had to wait until Graduation Alliance received the data for that order to be carried out, according to a statement from the school system, which pointed out that it had been assured that all student data were "fully secured" throughout the process.
"The ConnectEDU Chapter 11 story demonstrates that student data is treated as a marketable asset," said Sue Peters, a member of the Seattle school board. "Part of the problem is that parents have their children's information transferred around, and it's up to the parents to actively retrieve and protect it."
Issues of Trust
Possessing data about students is central to using education technology effectively, and protecting that information is paramount, industry leaders say.
To that end, nearly 50 companies that sell products in the K-12 marketplace have signed a "Student Privacy Pledge," which goes into effect on January 1, 2015. Among the pledge's dozen provisions is one about acquisitions. It states that, in the case of a merger or acquisition, the company signing the pledge will "allow a successor entity to maintain the student personal information … provided the successor entity is subject to these same commitments for the previously collected student personal information."
Mark Schneiderman, the senior director of education policy for the Software & Information Industry Association, an organization that co-authored the pledge, has said that it is enforceable by the Federal Trade Commission because the companies are making a public pledge.
The student-privacy pledge "is a great step in the direction of having these ed-tech vendors step up and make a public commitment" about how they're safeguarding student information, said Paige Kowalski, the director of state policy and advocacy for the Washington-based Data Quality Campaign, whose goal is to help schools harness data to make better decisions.
She called the ConnectEDU story a case study in what can happen when trust is broken, and the importance of re-establishing that trust with an acquiring company. "It's incumbent upon the new organization to establish the same level of trust that was there when the first company signed up with them," she said. "They're going to have to prove by their actions that they are reliable and worthy of the trust that was placed in them."
"ConnectEDU was not the first, and certainly will not be the last, ed-tech company to be sold or merged or go bankrupt," said James P. Steyer, the CEO and founder of Common Sense Media, a San Francisco-based nonprofit that advocates for safe technology use for children. "You cannot always leave it up to the industry to do the right thing or even stand by their own privacy policies."
Mr. Steyer, whose organization pushed for the passage this year of California's Student Online Personal Information Protection Act, which will regulate ed-tech providers in their handling of student data privacy, called for "clear state and national regulation of student data and personal information" to deal with the issue.
Vol. 34, Issue 14, Pages 1, 13Published in Print: December 10, 2014, as Bankruptcy Case Shines Spotlight on Data Privacy