November 16, 2022

Welcome to our 6th edition of The Academic Advisor - our e-newsletter focused on education law insights. In this issue, we look at a variety of topics, including a recent federal court challenge to employment options for F-1 student visa holders; new federal IT requirements coming to higher education; FTC action against an education technology provider; zero trust considerations for education providers; college and university efforts to combat opioid overdoses through campus access to Narcan; and the North Carolina ransomware payment ban that affects educational institutions. We hope these topics and our comments are helpful and provide insight into the ever-changing world of education law.

We are extremely pleased to share that Spilman was named to the 2023 "Best Law Firms" list by U.S. News-Best Lawyers in 61 areas of law throughout our firm’s footprint. The rankings are based on a rigorous assessment process that involves the collection of client and lawyer evaluations, peer reviews from leading attorneys, and review of additional information provided by law firms. You can learn more here.

Finally, in this season of gratitude, we want to express our sincere appreciation for the tireless work of your executive leadership teams, administrators, faculty, and staff to educate students and to provide them with learning and growth opportunities that positively impact their lives and the myriad ways they will contribute to society. We also acknowledge the tremendous loss that educational institutions have experienced this week, and on an ongoing basis, as a result of gun violence, and give thanks for the work that school officials and educators undertake daily to keep campuses’ safe despite the many challenges and risks.

As Thanksgiving break approaches and brings with it a pause in campus activities, we wish you and the institutions that you serve a happy holiday and hope that it brings time for rest and reflection.

As always, thank you for reading and please let us know if we can provide you with any legal support.

Erin Jones Adams, Counsel, Co-Chair of the Education Practice Group, and Co-Editor of The Academic Advisor


Kevin L. Carr, Member, Co-Chair of the Education Practice Group, Co-Chair of the Labor and Employment Practice Group, and Co-Editor of The Academic Advisor
“A divided U.S. appeals court upheld the federal government's decades-old practice of allowing student visa holders to remain in the U.S. and work after graduation, rejecting an advocacy group's claims that the program displaces American tech workers.”

Why this is important: In a 2-1 decision last month, the U.S. Court of Appeals for the D.C. Circuit rejected the Washington Alliance of Technology Workers’ challenge to the Optional Practical Training (“OPT”) program, which allows international students who are F-1 student visa recipients to work in the U.S. in their field of study for up to three years post-graduation based on U.S. Department of Homeland Security guidance (“DHS”). Holding that the OPT program provides an educational value for participants within the purview of student visa programs administered by DHS, the D.C. Circuit was not persuaded that the Immigration and Nationality Act (“INA”) limits the authority of DHS to set conditions on student visas that permit OPT employment post-graduation.

Subject to application and authorization requirements enforced by U.S. Citizenship and Immigration Services, OPT allows for the temporary employment of international F-1 student visa holders when such employment is directly related to their major area of study. A foreign student may apply to participate in OPT before completing their academic program (pre-completion OPT) after the student has been lawfully enrolled on a full-time basis for one full academic year at a college, university, conservatory, or seminary, which has been certified by the U.S. Immigration and Customs Enforcement Student and Exchange Visitor Program to enroll F-1 student visa holders. A foreign student may also or alternatively apply to participate in OPT after completing their academic program (post-completion OPT).

Students authorized to participate in pre-completion OPT may not work more than 20 hours per week while school is in session. Post-completion OPT recipients must work at least 20 hours per week or on a full-time basis. Eligible students can apply to receive up to 12 months of OPT employment authorization through pre-completion OPT and/or post-completion OPT approval; provided, however, that participation in pre-completion OPT reduces the duration of students’ ability to participate in post-completion OPT. In addition, subject to certain conditions established by DHS, F-1 students who have earned a degree in certain STEM (science, technology, engineering, and math) fields may apply for a 24-month extension of their post-completion OPT employment authorization.

As a result of the recent D.C. Circuit opinion, OPT has survived its most recent challenge and continues to operate in accordance with applicable DHS guidance. At least for now, arguments that OPT has a chilling effect on the employment of American workers and that the INA does not permit foreign students to retain their F-1 visa status for work in the U.S. after they graduate have not been persuasive. Universities and colleges that host F-1 students, and also partner with employers to provide international students with experiential learning opportunities that include OPT employment, should continue to monitor the ways in which legal challenges by system opponents could impact this process. --- Erin Jones Adams
“There are some big changes on the horizon for universities’ IT policies, relating to cybersecurity, data privacy, and web accessibility.”

Why this is important: As we have discussed in the past few editions of The Academic Advisor, the education sector has increasingly become the target of cyberattacks. This includes both school districts and colleges and universities. One development is the fast approaching deadline for colleges and universities to comply with the December 9, 2022 deadline for implementing certain cybersecurity protections and requirements imposed by the Federal Trade Commission (“FTC”). Those requirements include appointing a person or team to coordinate an institutional information security program, conducting risk assessments, and developing information-security controls. Despite the impending deadline, because the FTC does not see the educational sector as particularly problematic in instituting such requirements, the FTC is likely to be flexible in requiring the implementation of all of its provisions.  

Both the states and the federal government continue trying to address cybersecurity and cyber accessibility issues. Cyber incident reporting is a new proposition that is still being discussed by the FTC. If implemented, it could require educational institutions to report a data breach to the FTC if the breach affects at least 1,000 people. Clarification is being sought regarding whether this will affect colleges and universities. While a comprehensive federal data privacy standard has currently stalled in Congress, discussions at the state and federal levels continue. This includes potential changes to web accessibility requirements as put forth by the U.S. Department of Justice and the U.S. Department of Education’s Office for Civil Rights. --- Alexander L. Turner 
“FTC order against Chegg will require company to shore up its security against data breaches, and delete unnecessary data.”

Why this is important: The FTC recently took an enforcement action against Chegg, Inc. (“Chegg”). Chegg markets and sells direct-to-student educational products and services. Pursuant to Section 5 of the FTC Act, the FTC has the ability to bring enforcement actions against companies for unfair and deceptive trade practices. In relation to cyberattacks, for the past few years, the FTC has been focused on unfair practices by companies that result in a data breach. These unfair practices include when a company fails to implement adequate protective measures for sensitive personal information.

The enforcement action against Chegg was related to four data breaches Chegg experienced between 2017 and 2020. These data breaches were significant because Chegg collects sensitive data on its high school and college student customers, including information about religious affiliation, heritage, date of birth, parents’ income range, sexual orientation, and disabilities. These attacks included two phishing incidents and an infiltration by a former contractor. The attacks were successful because, as alleged by the FTC, Chegg engaged in an unfair practice when it failed to implement basic security measures to protect students’ sensitive information. This included the fact that Chegg failed to require employees and contractors to use multifactor authentication to login to databases, failed to monitor networks and databases for threats, did not properly encrypt personal data and passwords, and did not maintain adequate security policies and training. As a result, 40 million Chegg customers had their data stolen. In a resolution of the FTC enforcement action, Chegg agreed to limit data collection, use stronger protections, and implement a training and compliance program. While Chegg was not required to pay any penalties, it was required to notify customers of how to protect their identities. Chegg got lucky and was not assessed a financial penalty by the FTC, but the requirement that it notify its affected customers may result in costly civil litigation. --- Alexander L. Turner
“As cyberattacks and ransomware threats against K–12 institutions rise, more IT leaders are learning about the zero-trust cybersecurity model.”

Why this is important: K-12 institutions historically have been prime targets for threat actors because they hold sensitive information and traditionally have deployed underdeveloped security measures. This situation was made worse by the COVID-19 pandemic as many schools quickly transformed to virtual learning without first having in place protections against cyber vulnerabilities. These issues have forced educators and IT staff to rethink cyber protections for K-12 institutions. Many times, the concept of zero trust is being considered. “Zero trust” is the name given to a security system that begins every interaction in an untrusted state. Its name is a bit of a misnomer as a zero trust system is not configured to literally trust no one. Rather, in a zero trust environment, instead of grouping internal users into different network segments and providing varying degrees of security or separating the internet from the internal network, a zero trust environment focuses on individual users and requires them to pass strong identity confirmations to gain access to the network.

While implementing a zero trust approach might sound like an easy decision, it should be remembered that this approach only will work if it is adopted schoolwide. It is not as simple as purchasing a piece of hardware and flipping a switch. All levels of school personnel must support the move to this approach. Then, IT staff experienced in deploying and maintaining a zero trust environment will be needed to properly manage the system. Schools also need to consider issues related to any applicable budget, insurance coverage, data backups, and disaster plans, among other things, if they are to successfully implement a zero trust environment. --- Nicholas P. Mooney II
"As concerns grow over the presence of fentanyl and other opiates on campus, more colleges and universities are making the overdose-reversal drug naloxone widely available."

Why is this important: A Virginia Commonwealth University professor carries the torch with regard to innovative thinking in order to bring awareness to stigmas surrounding substance use, addiction recovery, and harm reduction by using an electric bike to distribute naloxone. Naxolone (also known as “Narcan”) can be used in emergency situations to temporarily combat an overdose. In recent years, educational institutions have begun implementing creative new ways to combat the opioid epidemic on their campuses. For some institutions, this includes Naloxone training and opioid education, while others welcome the founding of student-led organizations that encourage peer educators and student/faculty training in Narcan administration. 

An institution interested in implementing similar programs or distributing/administering Narcan should consider factors such as the review of state-specific laws or regulations that govern the maintenance, administration, and distribution of Narcan; the development of campus policies and procedures that govern the proper storage, administration, accessibility, and distribution of Narcan; implementation of training to recognize and respond to an overdose, to understand state-specific Good Samaritan laws, and to follow any associated school policies; and review of any related insurance requirements imposed by carriers. In addition, schools should be prepared for mixed responses to the implementation of such a program and plan for public statements that campus leaders may need to share in reply.  

As institutions of higher education continue to experience the tragic effects of the opioid epidemic, and most recently the impact of counterfeit pills like fake Adderall being laced with fentanyl, is likely that support for the implementation of policies and procedures that permit the distribution of Narcan on college campuses will increase. --- Kelsie A. Wiltse
“Nearly a year after the state passed a law making it illegal to pay cyber criminals to regain access to encrypted systems, not everyone is convinced the ban is going to put a dent in the number of cyber attacks in the state.”

Why this is important: Recently, we discussed the ransomware attack on the Los Angeles Unified School District (“LAUSD”). In response to that attack, the LAUSD reached out to the White House for assistance on how to respond. The Biden administration responded with instructions not to pay the ransom, which the LAUSD followed. If this same ransomware attack had occurred in North Carolina after April 5, 2022, the school district would not have a choice on how to respond.

As part of North Carolina’s 2021-2022 budget appropriation, a new law prohibits government entities from paying a ransom to a ransomware attacker. In fact, the law prohibits the government entity from even communicating with the attacker. Instead, all ransomware attacks are to be reported to the North Carolina Department of Information Technology (“NC DIT”). This law applies to all governmental entities, including local governments, public schools, and the University of North Carolina system. While the new law does not apply to private entities, they are still encouraged to report cyber attacks to the NC DIT. The North Carolina law is the first of its kind in the country. Pennsylvania subsequently passed a similar law, and New York is considering passing an analogous law.

The question now is whether the new law is working to prevent ransomware attacks against governmental entities in North Carolina. In the first half of the year, two cities, two school districts, three colleges, and one state agency in North Carolina experienced ransomware attacks. The State of North Carolina says that the new law has been successful in lowering cybersecurity incidents from 2021. Cybersecurity experts are more skeptical as to the effectiveness of the new law, and need more time to evaluate its ability to deter ransomware attacks. One issue is that prohibiting payment of a ransom may not deter attackers because they do not necessarily act rationally. Instead, some cybersecurity professionals believe that it is better to promote cybersecurity training and funding, which the new law does not do. Overall, the effectiveness of the new law will have to be judged over time. --- Alexander L. Turner
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251