May 24, 2023
Welcome to summer and the fifth edition of The Academic Advisor for 2023 – our e-newsletter focused on education law insights.

As institutions of higher education prepare to host youth summer camps, please take note of our article on the subject with important reminders about Clery Act coverage and how to comply through several straightforward steps that extend the use of existing campus infrastructure to include campers and camp staff. Other trending topics covered in this edition include:
  • The importance of cybersecurity in university research projects;
  • How to combat school swatting;
  • New AI technologies headed for schools;
  • Budgeting for cybersecurity costs at K-12 schools;
  • Growing ransomware threats;
  • Student debt relief and the Higher Education Act;
  • The impact of Ohio’s Save Women’s Sports Act and House Bill 151; and
  • College affordability and student loan forgiveness.

We also are pleased to introduce you to three new attorneys – Jeremy E. Carroll, Michael W.S. Lockaby, and Julian F. Harf – who have joined our Roanoke team.

Jeremy Carroll is a Member, and his primary areas of practice are local government law, civil litigation, employment law, land use and zoning, school law, government contracts, and public finance. Jeremy also serves as the Lexington City Attorney, Vinton Town Attorney, and Halifax County Attorney.

Mike Lockaby also joins Spilman as a Member, and his primary areas of practice include local government and public entity representation, infrastructure, land use, affordable housing, public finance/bonds, public-private partnerships, and economic development. Additionally, Mike serves as the Botetourt County Attorney and Town of Bedford Attorney.

Julian Harf joins the firm as a Senior Attorney and litigator with an emphasis on the defense of local government entities, public officials, and commercial entities. Julian is a member of the Board of Trustees for the Roanoke County Public Schools Education Foundation and also serves as County Attorney for Bath County.

As always, thank you for reading. If our firm can assist your institution with its education law needs, please let us know.

Erin Jones Adams, Member, Co-Chair of the Education Practice Group, and Co-Editor of The Academic Advisor


Kevin L. Carr, Member, Co-Chair of the Education Practice Group, Co-Chair of the Labor and Employment Practice Group, and Co-Editor of The Academic Advisor
“Regarding compliance and safety, many institutions have youth protection policies that camps must follow.”

Why this is important: The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (“Clery Act”) is a federal consumer protection law that provides campus members and the public with information about campus safety. Every educational institution that participates in federal student financial aid programs under Title IV of the Higher Education Act must comply with the Clery Act and also certify such compliance as part of its Program Participation Agreement with the United States Department of Education (“Department”). Included among schools’ Clery Act obligations is the designation of campus security authorities (“CSAs”). CSAs include institutional officials who have significant responsibilities for student life or activities. CSAs are obligated to report any alleged crimes that occur in college-owned or controlled buildings or on campus grounds and adjacent public property to campus police or security departments. In accordance with the Clery Act, crimes reported by CSAs are included in institutions’ daily crime logs that are available for public inspection and also used by campus safety to issue timely warnings and emergency notifications about ongoing threats impacting the campus community.

As highlighted by this article, educational institutions’ summer youth camps are no exception to these requirements. In its Campus Crime Final Program Review Determination involving Baylor University, the Department noted that the institution hosted dozens of summer camps comprised of hundreds of high school-aged students who lived in residential student housing during their programs. Though the university required camp employees to complete minor safety training that explained how to report and respond to student incidents, the Department indicated that the training failed to meet fundamental CSA requirements for reporting of crime statistics and the issuance of timely warnings. Specifically, the Department found that the university failed to ensure its camps’ directors and staff, who were entrusted with campers’ safety, were aware of relevant CSA policies and processes and prepared to handle CSA duties and responsibilities.

Separately, in its Campus Crime Final Program Review Determination involving Pennsylvania State University, the Department stated that the required recipients of Clery Act timely warnings are not limited to university students and employees and specifically include campers. As a result, covered institutions must be prepared to extend their emergency notification infrastructure to reach summer camp attendees as well.

As this article demonstrates, the implications of these determinations are clear: minor safety training alone for summer camp staff will not suffice in a Clery Act compliance audit; summer camp directors and staff should be formally identified as CSAs, notified of this designation, and trained accordingly; and colleges must be prepared to issue timely warnings under the Clery Act to summer camp attendees and staff. For many colleges, summer camp compliance with the Clery Act may be achieved by simply expanding the use of existing infrastructure (e.g., Clery Act training modules; emergency notification systems) to include camp staff and campers. In any event, Clery Act compliance is not an insurmountable challenge, but planning is essential. Including colleges’ youth camp organizers on Clery Act compliance committees, formally identifying camp staff as CSAs in summer camp policies, mandating completion of CSA and minor safety training by camp staff, and developing a system for enrolling campers and their parents in the colleges’ timely warning notification system are a few measures that schools can deploy to ensure their summer camps comply with the Clery Act and support campers’ safety. --- Erin Jones Adams
“To help strike that balance, UC has created a liaison between the school’s information security and research leaders, making the school one of several that are creating new systems to shore up cybersecurity for research projects.”

Why this is important: Protecting academic research from theft or ransom is of paramount importance to colleges and universities. With academic researchers collaborating with research partners at other academic institutions or in industry, the risk of a data breach or ransom attack is high. One data breach or ransom attack could not only delay a research project, but it can also result in lost data, compromised data, and lost funding. In response to this threat, academic institutions have implemented both common-sense tools, including anti-virus software, encryption, and multifactor authentication, and novel approaches to encourage researchers to adopt cybersecurity as a fundamental part of their research protocols.

Traditionally, academic researchers have been wary of a school’s cybersecurity team because they perceive the academic institution’s cybersecurity professionals as an obstacle to easy communication and transfers of information. Cybersecurity professionals are working hard to change this perception by implementing innovative new approaches to cybersecurity in order to facilitate widespread acceptance. The University of Cincinnati has instituted a program of connecting research teams with information security professionals, including the creation of a committee that is mostly staffed by researchers to make sure that the University’s projects comply with National Institute of Standards and Technology security standards and guidelines. Indiana University has created an opt-in cybersecurity program that has seen enthusiastic acceptance because researchers and security professionals work together to create a cybersecurity plan that integrates current workflows. UC Berkeley is working to prevent researchers from implementing their own cybersecurity work-arounds by collaborating with them early in the research process and by creating research specific cybersecurity services. By intervening early in the research process, and by not utilizing a one-size-fits-all approach, these higher education cybersecurity professionals have seen that 80 percent of the cybersecurity problems researchers are having can be solved in a few minutes. The key to adoption is focusing on a positive message that explains how cybersecurity protocols can help researchers preserve their research instead of being perceived as an obstacle to advancement. --- Alexander L. Turner
“Years ago, the most common form of swatting within a school environment was a bomb threat, often placed by students looking to get out of a test or hoping for a long weekend.”

Why this is important: Recently, four Harvard University students were held at gunpoint after having their dorm suite raided by police officers as a result of a false 911 call warning of an armed individual on campus. Unfortunately, this scenario has become far too familiar to institutions of higher education. In the fall of 2022, more than 50 historically black colleges and universities and other faith-based and academic institutions were targeted by false bomb threats.

The practice of making or reporting false threats that prompt emergency response from law enforcement is known as “swatting.” Law enforcement officers respond to these false reports because it is impossible at the outset to tell the difference between a false and a real report. A false bomb threat was the most common form of swatting, as these threats were often placed by students attending the school. However, the rise in gun-related violence in schools has led to increased swatting events commenced by false active-shooter threats. False threats of active shooters on campus threaten the personal safety of everyone on campus, including students, faculty, staff, and visitors.

Institutions should consider fostering open and effective communication with law enforcement agencies, providing active-shooter training to students, faculty, and staff, and implementing a fast-response reporting system. Institutions that are impacted by a false report that leads to an incident of swatting should promptly notify students through their emergency notification system, work with local law enforcement to investigate the threat, and offer mental health resources to impacted individuals. --- Kelsie A. Wiltse
“How can schools stay on top of this rapidly changing technology? And how can educators separate hype from substance?”

Why this is important: As technology continues to advance at an unprecedented pace, it's not just ChatGPT that is making its way into schools. A multitude of AI technologies are finding their place in educational settings, revolutionizing the way students learn and teachers teach. However, staying on top of these rapid changes and discerning the real value of these technologies can be a challenge for schools and educators. To effectively navigate the ever-evolving AI landscape, schools need to prioritize ongoing professional development for teachers. Providing educators with the necessary training and resources to understand AI technologies and their potential applications in the classroom is essential. This can be achieved through workshops, conferences, online courses, and collaborations with AI experts. By investing in their teachers' knowledge and skills, schools can empower them to effectively integrate AI tools and platforms into their teaching practices.

Another crucial aspect is fostering a culture of critical thinking among educators. With the influx of AI technologies, there is bound to be much hype surrounding their capabilities. Educators need to be able to distinguish between genuine educational advancements and overhyped promises. This can be accomplished by encouraging teachers to engage in research, consult with experts, and evaluate the evidence-based impact of AI tools on student learning outcomes. By developing a discerning mindset, educators can make informed decisions about which technologies truly enhance educational experiences.

Collaboration and sharing best practices are also vital in keeping schools abreast of AI developments. Educators should be encouraged to join professional learning communities, both within their own school and across broader networks. These communities can serve as platforms for discussing AI technologies, exchanging ideas, and discovering innovative ways to implement them effectively. Additionally, schools can establish partnerships with technology companies and universities to access the latest research and receive guidance on integrating AI into their educational programs.

Furthermore, schools must prioritize student data privacy and security when incorporating AI technologies. As these tools often require collecting and analyzing student data, it is crucial to establish robust privacy policies and protocols. Schools should work closely with technology providers to ensure compliance with data protection regulations and to maintain the confidentiality of sensitive information. By safeguarding student privacy, schools can create a trustworthy environment that encourages the responsible use of AI technologies.

In conclusion, as AI technologies become increasingly prevalent in schools, educators and institutions must stay ahead of the curve. By investing in teacher professional development, fostering critical thinking, promoting collaboration, and prioritizing student data privacy, schools can successfully navigate the rapidly changing AI landscape. Ultimately, it is through a balanced approach, separating hype from substance, that schools can leverage the true potential of AI to enhance teaching and learning experiences. --- Kevin L. Carr

Why this is important: Schools are emerging as a prime target for ransomware attacks and other cybersecurity events. Some of the reasons for this are budget shortfalls, older equipment, and a lack of up-to-date cybersecurity protections. As a result, threat actors have found them to be an attractive target. The U.S. Government Accountability Office recently reported that cyberattacks on school districts caused learning losses ranging from three days to three weeks. Complete recovery took as long as nine months. The financial harm ranged from $50,000 to $1 million per school district.

The fact that schools are increasingly targeted by threat actors has led schools and districts (like nearly everyone else) to pay increasing attention to bolstering cybersecurity protections. Those protections come at a cost. What does a school or district do when it lacks the funds to adopt best-in-class protections? This article discusses some of the ways that smaller schools and districts and those with smaller budgets have adopted creative solutions to get the best cybersecurity protections without breaking the budget. Some have petitioned government agencies to increase funding for cybersecurity solutions. The article also discusses at length the success one Texas district had in creating a consortium encompassing 120 members. It purchased cybersecurity protections and retained professionals at the district level for use by all of its members. This allowed them to benefit from high-volume purchases and the price discounts. Hiring virtual Chief Information Security Officers (“CISOs”) is another cost-effective solution that schools and districts have implemented. Hiring a full-time CISO requires them to compete with the private sector to attract and retain CISOs at a time when they are in high demand. Hiring a virtual CISO allows them to have a resource available when needed at a fraction of the cost. Finally, schools and districts are finding it helpful to make cybersecurity part of everyone’s mindset. Focusing on security makes it front of mind for everyone and may reduce the number of cybersecurity incidents schools and districts experience.

At bottom, cybersecurity protections are a must, and they come at a cost. When a school or district has budget constraints that affect those protections, they should consider creative solutions to help them employ the most up-to-date solutions. This article provides some ideas those schools and districts should consider. --- Nicholas P. Mooney II
“Ransomware attacks targeted the education sector more than any other industry in the last year, with 79% of surveyed higher education institutions across the world reporting being hit, according to an annual report from Sophos, a U.K.-based cybersecurity firm.”

Why this is important: This article discusses a recent report by the U.K.-based cybersecurity firm Sophos regarding cybersecurity events and ransomware attacks directed at education institutions. It underscores the points made in another article in this issue that schools and districts are increasingly finding themselves targets of cyberattacks and ransomware events. Sophos’ report found that 79 percent of the higher education institutions it surveyed around the world reported being hit by at least one attack in the past year. Of those, 59 percent reported the attack resulted in them losing “a lot of” business and revenue. The leading cause of these attacks was system vulnerabilities, which was reported in 40 percent of the attacks. The second most common cause was compromised credentials. Though unsaid in the article, compromised credentials commonly result from phishing (or other similar) attacks or social engineering. This confirms the need for increased training and attention focusing on credential security.

One of the reasons education institutions are a target of threat actors results from the student data they hold. In one event late last year, the attacker group broke into a college’s system and accessed data about 63,000 students. To ramp up the pressure on the college to pay ransom, the group communicated directly with the students whose data it accessed. It sent an email to students that detailed the types of data it accessed (including medical records and psychological assessments) and then told them “To us, this is a normal business day. For you, it’s a sad day where everyone will see your personal and private info.” It’s easy to imagine the students’ and parents’ reaction to this and the resulting clamor to the school to resolve the attack. In fact, in that instance, the attack caused multiple students to file lawsuits against the college, alleging that it failed to have in place up-to-date security protections. In the end, the Sophos report is a much-needed reminder that ransomware events are still a major threat to education institutions. --- Nicholas P. Mooney II
“The Higher Education Act could provide an alternate legal route for the up-to-$20,000 per borrower student debt cancellation plan to proceed, if the Supreme Court strikes down plan A.”

Why this is important: The Supreme Court may reject President Biden's student debt relief plan this summer, but there is still hope for the more than 40 million borrowers eligible for up to $20,000 in loan cancellation if the White House pursues an alternative. The Higher Education Act (“HEA”), enacted in 1965, provides the foundation for the U.S. college funding system and grants the Secretary of Education the power to “compromise, waive, or release” federal student loans. While the HEA has been expanded over time, its core purpose is to make higher education more accessible. The government has used the HEA in the past to implement debt cancellation measures, such as the Public Service Loan Forgiveness program and income-driven repayment programs, and could do so again to cancel large swaths of student debt without the requirement of a national emergency.

The Biden administration has not yet announced a “Plan B” and continues to confidently support “Plan A,” which relies on the Heroes Act of 2003 and calls for debt cancellation as an emergency measure in the wake of the coronavirus pandemic. However, having additional avenues available keeps hope alive for those 40 million borrowers who are getting anxious as the deadline for repayment looms. Pursuing debt relief under this alternative plan has its potential pitfalls, as it could result in a long congressional review period or be subject to judicial challenge. Nevertheless, some experts remain hopeful that a Supreme Court decision against the current plan would not eliminate the possibility of broader student debt cancellation. Borrowers are advised to be prepared for the resumption of loan payments and explore alternative payment options. --- Shane P. Riley
“House Bill 6, dubbed the ‘Save Women’s Sports Act’, has received lots of pushback from parents, students and advocates.”

Why this is important: On May 10, 2023, Ohio’s Higher Education Committee voted 8-6 to pass House Bill 6 (“HB 6”), dubbed the “Save Women’s Sports Act,” which would prevent transgender athletes from participating in Ohio women’s sports and youth athletics. Proponents of the bill deem it a fairness issue. HB 6 would require separate single-sex athletic teams and would permit athletes to file a civil lawsuit “if the participant is deprived of an athletic opportunity or suffers harm as a result of a violation of the bill’s single-sex participation requirements or if the participant is subject to retaliation for reporting such a violation.” There are presently six transgender female student athletes in Ohio, although only three of them have been approved to play in the current spring sports season. Currently, in accordance with the Ohio High School Athletic Association, a transgender girl must go through hormone treatments for at least one year or show no physical or physiological advantages. However, this could change if further consideration is given by the House. As in other states, there is both support and opposition from various organizations, parents, students, and religious/clergy members. Twenty-one other legislatures across the country have enacted their own versions of this bill. A few states have rejected efforts at similar bills. As time passes, legislation is being challenged in other states, setting up a potential “final word” by the U.S. Supreme Court.

Also heard by the Ohio Higher Education Committee was House Bill 151 (a companion bill to Senate Bill 83). The original version of HB 151 mainly impacted public schools and banned programs with Chinese schools, banned mandatory diversity training, prohibited university staff and employees from striking, required American history courses, and mandated tenure evaluations on whether the educator showed or taught with bias. Recent revisions included clarifying that the segregation of faculty and staff based on race, ethnicity, religion, sex, and sexual orientation is only prohibited in classroom settings, orientations and graduation; allowing mandatory diversity training for certain exemptions; and permitting existing college programs with Chinese institutions to remain in place as long as certain requirements are implemented. Proponents of the bill argue that it would open Ohio up to a larger pool of students and faculty while opponents of the bill argue it will drive professors and students away and add to the bureaucratic work of colleges and universities. Both sides claim to want to ensure diverse perspectives on campuses and not have professors or administrators push one perspective or narrative on the students. This begs the question of whether enacting more statutes and legislation or significantly overhauling what is currently in place actually accomplishes this goal or puts up more roadblocks along the way. --- Lisa M. Hawrot
“This year’s incoming freshman class can expect to borrow as much as $37,000 to help cover the cost of a bachelor’s degree, according to a recent report.”

Why this is important: Tuition and fees at both public and private colleges have been on the rise. The average student loan debt for college graduates is nearly $30,000 per borrower. This report also highlights that incoming freshmen in 2023 could potentially accumulate an average of $37,300 in student debt over an average five years to earn a bachelor's degree. The share of parents taking out federal parent PLUS loans to support their children's education costs also has increased.

The facts and figures show that education debt will continue to be an issue for many Americans regardless of the decision on student loan forgiveness currently playing out at the Supreme Court. Even with up to $20,000 of debt per borrower forgiven under the Biden administration’s plan, future borrowers appear no less at risk of overwhelming financial burden after graduating. This report shows that more action may be taken to address college affordability so emergency loan forgiveness does not become a regular necessity. In the meantime, borrowers should not assume they will receive loan forgiveness in the future and should pursue all options available to fund their educations, including scholarships and grants, before turning to loans. --- Shane P. Riley
If there are particular issues that you would like to hear about, please let us know. We have a deep bench of attorneys willing to weigh in on the issues that impact your educational institution. 

If you would like to subscribe to this newsletter or know someone who would, please email us with contact information and THE ACADEMIC ADVISOR in the subject line. We will add you or your acquaintance to the email list. 

If you have any education law questions, please feel free to contact us.