Leaders from Blackbaud and Veracross join the panel to discuss the complexities of AI governance and student data privacy . The conversation covers essential steps for establishing AI policies, understanding international regulations like GDPR and NIST, and the shift toward agentic AI. Gain practical insights on vetting vendors and securing your digital perimeter.

1. Blackbaud, cloud software provider serving nonprofits, educational institutions, healthcare organizations, and CSR entities in the areas of fundraising, financial management, and education administration.
2. Veracross, cloud-based student information system (SIS) and school management platform designed specifically for private and independent K-12 schools, connecting academics, admissions, accounting, development, and student health.
3. Data Harmony: Integrating Systems, Empowering Schools, previous episode of TTWA featuring Blackbaud and Veracross
4. NIST Cybersecurity Framework (CSF)
5. NIST AI Risk Management Framework (RMF)
6. General Data Protection Regulation (GDPR)
7. California Consumer Privacy Act (CCPA)
8. Coquito, traditional Christmas drink that originated in Puerto Rico

Dan, welcome to Talking technology with ATLIS,

the show that plugs you into the important topics and trends for

technology leaders all through a unique Independent School lens.

We'll hear stories from technology directors and other

special guests from the Independent School community,

and provide you with focused learning and deep dive topics.

And now please welcome your host. Christina Lewellen,

Hello everyone, and welcome back to

talking technology with ATLIS. I'm Christina Lewellen, the

President and CEO of the Association of technology

leaders in independent schools, and

I'm Bill Stites, the Director of Technology at

Montclair Kimberly Academy in Montclair, New Jersey, and I'm

Hiram

Cuevas, the Director of Information Systems

and Academic Technology at Saint Christopher school

in Richmond, Virginia. Hello, gentlemen. How

are you today?

It's spring break for me here, so it's an

interesting time for sure. Reminds me a little bit of the

summer, because it's nice and quiet, getting some work done.

But you know, doing pretty good is it

kind of weird to be at a school when

there's no teachers, no kids. Like, is it kind of creepy? Do

you feel like maybe it's a zombie apocalypse kind of

situation? She brought it up

first. Impressive she did.

It is interesting because it is quiet. I would say

it's awesome. There are often a lot of dark hallways because the

maintenance crew doesn't turn on the light. So it can be a little

eerie at times, but generally it's pretty nice. It's good to

come in dress a little more casually. Just kind of relax,

settle in, you know?

But we know Bill has his melee weapon if he needs

it. I do.

Yeah, you're not afraid if there is some

zombies wandering the dark hallways over

MKA, no, though I do need to hide it because it's

quite impressive. So it's got to stay in the background.

Otherwise, I do have my trusty letter opener.

I mean, in a pinch, it would work, Hiram,

what are you up to? You're not on spring break

yet, huh? No, we just had our spring break last

week, but it was a nice time. Got to visit my parents down in

Florida. We just missed the airport chaos that happened on

Friday in BWI, Richmond and the DC airports, and my baby girl is

back at Virginia Tech finishing up her sophomore year, so we're

good to go. I think

it's so cute, Hiram, you always refer to

her as your baby girl. And I'm wondering, like, if baby girl

actually listens to the pod, how thrilled or not she would be

about aforementioned nickname of baby girl.

Well, she thinks it's hysterical that a I have a

podcast with two other people.

We think so too.

So she always takes every opportunity to mock

me whenever possible. I am jealous of Cameron that she has

a toddler because they still love you back then.

Yeah, that's right. Well, before we get to

Cameron and our other guests that we have today, I did want

to let you guys know that not long after I wrap up recording

with you, I'm very shortly heading to the airport. I have

some CEO friends who have, I don't know if kidnapped is the

right word, but they basically said, You're not about to change

jobs with no time out, with no moment to celebrate, with no

moment on the beach, and so I'm heading to Puerto Rico this

afternoon.

Oh, nice. Jealous.

Notice how she invited us, Hiram. It's not like

we'd spend so much quality time with her. It's like, I know

she's after the Coquito, and you're Puerto Rican, Hiram. I

mean seriously,

it is about the Coquito first and foremost,

although it's not exactly the season for Coquito, but I will

say that we will have to take a rain check on a poolside podcast

here at talking technology with ATLIS. I don't think our

producer would be very happy. I don't think our editor would be

very happy. And you know, while I would love you guys to be

there, it is, as it turns out, a girl's trip, so I'm not sure how

much you would love it, especially our last pod, I

talked about how I had adult beverages with Brooke and Bill

when I was up in New Jersey, and so Brooke and I started going

down the path of Girl Talk, which, you know what that poor

woman deserves a little bit of Girl Talk in your household, and

poor bill is just sitting there with wide eyes like I don't know

that I need to know about all of this midlife change with women,

things going on in this conversation. So I don't think

you guys could hang that's what I'm saying. Coquito or not. I

don't think you guys could hang with me and my girlfriends in

Puerto Rico. Just saying

you have little faith.

Listeners, I'd like to hear your feedback.

Do we think that Bill and Hiram could hang with the women in

Puerto Rico, I think it's a big no. All right, guys, let's get

serious as much as I'd love to sit here and pick on you all

morning, we have some really great guests, and I'm really

excited about this podcast. Many of you who have listened for a

while know that we have, on occasion, brought together some

vendors in our space, some of our vendor partners, to talk

about a topic. We had one in particular that people really

loved, and that was that we had brought together, and we'll drop

it in the show notes, so that you can go back and listen to

this episode. We brought together some folks from

Blackbaud and some folks from Veracross, and together on the

same pod, we explored some. Trends as some of the largest

sis providers in our space, they see a lot. They work with all of

our schools, right with many, many of our schools. And so as

we were sitting in our planning meeting a few months back, we

thought, let's do it again. Let's bring back Veracross And

Blackbaud so that we can have a conversation around kind of

what's shaken right now in our space, in particular, Bill and

Hiram, the three of us talked about wanting to talk about

privacy management in this era of AI. And so we're really

excited today to bring some representatives from these

companies, and it is now going to be my pleasure to introduce

them. We have Cameron from Blackbaud, we have Joe from

Veracross, and we also have Mike from Veracross. I'm going to let

you guys introduce yourselves. Let's start with Cameron. Tell

us a little bit about what your role is, and also, welcome to

the podcast. Thank you

for having me excited to be here at the second

annual Hunger Games, where the winning, surviving vendor

will prevail. That's hilarious and so

appropriate. Thank you. Okay, this is already great. You're

in. You win.

Okay, great, that's a wrap. I am Cameron

Stoll. I am Blackburn, Chief Privacy Officer. I manage our

privacy and AI legal teams, so a group of nerds who just looks at

data regulation all day long to help us inform our product teams

and our data teams and our AI teams. I've been with Blackburn

for almost 10 years, which is kind of unimaginable. I am a

lawyer by trade, so I did some unspeakable years in big law

firms, and then came in house, and I am absolutely never

leaving.

Thank you. And now let's go over to Joe and

Mike,

thanks for having us. My name is Mike

Martel. I have also been working for Veracross for almost 10

years. So Cameron, we're going to have to compare notes see

when we actually started from a Hunger Games perspective, I

think you're outnumbered Cameron, unfortunately. So

probability is on our side for the Veracross team, and that's

very true. So I am not a lawyer, but I am an engineer and a

physicist. Those are my backgrounds. How I ended up

working in the ed tech space is a very interesting story, but I

started about 10 years ago by building out our cloud

infrastructure and building a DevOps team deeply embedded in

engineering, and then decided that I wanted to spend more of

my time focused on security, privacy and compliance. So I

built out our security and compliance team, and now I am

our chief information security officer Emeritus, as I am moving

over to build out a business operations function, and am

happy to welcome Joe

on board. Thank you very much. It's a pleasure to be

here. I am Joe Bentley, and I am the new CISO for Veracross. I

have all of, I think, four plus weeks experience in Veracross.

So I may not be able to answer some of the really hard

questions as it comes to Veracross, but I can answer the

questions as it comes to cyber security. I am true and true a

cyber security professional. I've done all permutations of

cyber a level of privacy, but not to Cameron's level. And I

have built out to date about three highly successful

information and cyber security programs across various vectors

in the industries, from financial services, hospitality

and student loans. So I do have some insights into independent

schools, but I come at it from a student loans point of view.

Now I want to start with the fact that

Cameron and I at BB Con last year, we did this cool panel,

and that's where some of this idea came from. And as the

lawyer on the panel, she was kind of like, look, you know, I

hate to be the bearer of bad news. And yeah, you know, I

thought that the way that she delivered a lot of those

messages was very reasonable and accessible. And so that's where

I want to start, because that's where the idea originally came

from with me and with our planning is like, wow, I'd love

to get some of that on the record. And so Cameron, if I

could go to you first, obviously not asking you to recreate an

entire panel that we did. But a big part of what stood out to me

is that you know, you are kind of sounding some alarms in terms

of your client base and in terms of what you're seeing. So can

you tell me a little bit about, maybe just what keeps you up at

night as someone with your background, and obviously you're

representing to make sure that your clients are safe. So what

is it about what your clients are doing, or what are the

issues that you're thinking about the most from where you.

Sit in the Blackbaud ecosystem. Wow.

Well, if you have eight hours to cover, what keeps

me up at night, I think the number one thing is, I'm still

hearing from schools. We have yet to finalize our AI policy,

and what that means is, all of your teachers are using AI that

you haven't approved, because we are three years almost to the

month down this road of the generative AI explosion. So if

you don't yet have a policy with a firm posture about what AI you

can use, then they are going to be using it without your

approval, which means without your controls, without any

governance. They don't know what data to put in it and what data

not to put in it. So I think that is probably the lowest

hanging and biggest priority. Fruit for me would be to have a

stance, even if that position is going to develop over time. Not

yet having a position because you're risk averse doesn't mean

that you aren't already entertaining all of that risk

and inviting all of that risk into your ecosystem. So I think

that is one big early point I would make for schools. The

conversation around privacy right now is probably 75% AI, so

I would have to say that would be the first place I would

start. It's not the only place I would go, but it's a really good

place to start.

Can I ask the same question then of our

Veracross friends, what is it that's keeping you guys up at

night? Does that ring true? Pretty similar ideas.

Yeah. So I typically come at this question

from a technology perspective, because I'll always be an

engineer at heart. We struggle to draw a boundary around AI, I

feel like with a lot of other traditional technologies, we

were able to differentiate the technologies and put it into a

category and put it into a bucket. But AI just breaks

through a lot of those categories, a lot of our

security perimeters because of its ability to access so many

different types of data, provide data reason over connect with

other systems. And that's probably the thing that keeps me

up most at night. Is not necessarily the technology

itself, but all of the connections that the technology

has to various systems, auditing those connections, understanding

and providing governance for those connections, and I'll echo

what Cameron said, many of our schools are still catching up.

They don't quite understand just the scope of what's going on

here, and they need to figure out a way to express their

values in a policy that helps to prioritize and protect what

matters most of them, while also providing access to a

revolutionary technology, which is AI, and that's a really, I

mean, it's a traditionally tricky balance, because there's

always going to be tension between security, privacy

compliance and the ability to innovate and the ability to

educate. But the fact that drawing that security perimeter,

that boundary, can be so difficult with AI tools, I

think, really amplifies the struggle.

So that we don't bury the lead on this

episode, can I ask the follow up in terms of the punch line and

get to it right now, which is, if there was one or two things

that you would hope to see schools do in the next 12 months

to respond to those things that are keeping you up at night.

What would it be?

I would say, just leaning into AI, have a clear

policy and have a governance structure. But apart from that,

as you continue to engage in AI, it's really exciting. Putting a

tech hat on it is Uber exciting. It's seamless. It's easy to

engage with it. It answers all of those questions that most of

us had dreamt of asking without having to go to an encyclopedia

or whatever else. But that simplicity that ease equally

translates to a loss of data, a compromise of an environment, an

ill use of the data. So if anything, be clear about what

your intentions are, include it in a policy. Have a structure

that allows you continuously understand how you're

interacting. But I will also add have fun with it. You know,

AI is in every episode that we talk about

outside of AI, what are the things that you're thinking

about here? Because it's something that when we think

about risk, when we think. About what we're looking at when you

know, you mentioned evaluating and reviewing a lot of these

tools outside of AI, like, what is it that you're worried about

at this point, or should we be worried about,

for me, outside of AI, the sheer amount of

regulatory requirements that we have to interact with, both from

a cyber and a privacy point of view, and the changes those

requirements are introducing into the ecosystem is dizzying,

and for someone like me, that keeps me up at night. When

you're a global company, there are various permutations of

these requirements that you have to adhere to, and that in

itself, is a full time job just keeping tabs on what one country

requires versus the other, how to appropriately engage both on

the privacy side of the House and then on the cyber side of

the house, because, God forbid, they're the same. Generally

they're not. They are distinct requirements, and they're coming

fast and furiously.

I'd pick up on that, and say somewhat related

again, from a technology perspective, aside from Ai

perimeters, it's identity. We've been talking about identity

being the new perimeter for security for quite a while, even

before the AI boom about three years ago, the idea that

identities can be very easily faked at this point, and the

idea that zero trust framework is table stakes at this point

when it comes to identity verification, I've found that

many believe that a zero trust paradigm is this technology you

can buy, but it isn't. It's a way of thinking. It's a way of

designing systems, and I feel like it is more important than

ever, now that even the ability to have an identity that is

unique to yourself is being threatened every day online,

I would say, Bill, just to address your

question head on, other than AI, there is still a lot of movement

in the privacy field. And to Joe's point, we are seeing an

explosion of regulation, and it feels like in the past couple of

years, lawmakers worldwide have discovered a few things. A

technology can be harmful for children, not a surprise,

probably B some vendors, not as much, vendors like Veracross and

Blackbaud, which act as very strict data processors, but

vendors you might use that are actually data controllers,

they're collecting a ton of data about your kids and from your

kids, and they're using them in whichever ways you want. And so

these have become uniting principles for a lot of

politicians that agree on absolutely nothing else. And so

you are seeing an explosion of regulation. We see very little

movement on the federal stage because we can't seem to pass

anything. So as a result, these laws are very localized and very

specific. So you're going to have laws that apply to only

public entities. You're going to have laws that apply only to

consumer facing entities, and then you're going to have laws

that maybe try to regulate different types of technology

use, like social media. And so when you have these laws that

are not broad and they're not federal, you get a lot of them,

and that is very challenging for both schools and for vendors,

because the way jurisdiction works for many of these

organizations that regulate in the US schools are not subject

to them, but then you have laws that do apply to their vendors.

So you're stuck in this position where maybe the school is having

to follow principles that the vendor's subject to, even though

the laws aren't necessarily designed for them, which leads

really, it doesn't do anyone a lot of good. It's not helping

the schools. It's not helping the vendors, because it is this

complex patchwork of things that we have to build into our

products and try to keep customers apprised of and it is

challenging, and it is super fast moving.

So Cameron, what was fascinating is I attended

that webinar from the responsible AI Institute. I was

the only K to 12 participant in the audience. Everybody else was

corporate, and it was fascinating talking about. Out

the complexities that you've just articulated from a global

framework that corporate is also struggling with this. And it

brings me a little bit of solace to know that, even as a K to 12

school with just over 1000 boys, that you know, we're in a very

similar place, but at least we are engaging in the

conversations that people like Bill and myself have to deal

with without cyber staffs. We don't have a chief privacy

officer, we don't have a cyber security team. We are it, we're

vetting, we're pulling wire, we're doing it all.

Hiram, does that make you, like, more

reliant on your vendors? Absolutely.

And you know, I think about the pathways that

Veracross and Blackburn have taken in terms of something like

AI and some of the policies that they're building, and I think

it's safe to say, you know, they're doing it slowly. They're

rolling things out slowly because there's intentionality

behind it. And I would love to hear some more about the why

behind that intentionality as it relates to this complexity,

to answer your question directly, Hiram as to

the why behind the intentionality, there are two

different sources of that intentionality. One has to do

with the way in which we adopt AI as upward entity, and that

comes down to what I was mentioning before, really trying

to carefully understand the data perimeter, trying to carefully

separate our customers data, as Cameron pointed out, we are a

processor from our corporate data, and making sure that our

corporate uses of AI are done In a very thoughtful and a careful

way that strictly maintains that separation, while also allowing

us to take advantage of some of the tools that are fairly

revolutionary, even in the past few months compared to what they

were previously. So that's the first source. The second source

actually echoes back to the complex patchwork of global

compliance frameworks that we're all subject to, and that is AI

in our product that is an even slower role, because not only do

we have to be very careful about those security perimeters and

understanding what it is that the technology will do, but also

we have to be respectful of the requirements and the rights that

each one of our customers brings, which is very different

for a school in Virginia versus a school in Dusseldorf or a

school In Australia, and trying to marry up all of those

requirements takes time and takes thought and has a real

impact on the product itself, because there are additional

technical requirements that have to be met in order to be able to

safely apply an AI reasoning technology to customer data,

I think I'll add something a bit more simpler to

that, which is really being careful about what your use

cases are, as we would like to think with everything appended

with AI at the beginning of every sentence, the assumption

is AI does it all in reality, it doesn't. You have to be clear

about how you intend to use it and for what purpose and what

value it brings to the overall delivery chain, so that in

itself, is extremely important understand your use case, and

ensure that you're delivering the value that you actually

intend to to your customer base, so that there's that level of

intentionality. What is it? Why? I would also

say there is something very unique about

serving this customer base that also it changes some of the

normal R and D steps. So you

have unique use cases. You also have a very

vulnerable data subject population, which are our

students, and you have a generally fairly risk averse

group of organizations. And to give you an example, there are

state laws that are being passed and were passed in 2025 so two

years after chat GPT really entered the scene, there are

laws in different states being passed that, say, form a task

force about how we should be using AI two years after the

explosion, and also laws saying you cannot use AI in certain

school settings, and so you have conflicting advice and

conflicting requirements come. From state level legislatures,

and I think it's leaving schools very confused, which just adds

to that hesitation around adopting AI. And so when we

build, you know, we're two companies that are building AI

specific for social good and for educational purposes versus open

AI and anthropic. They are building a Swiss army knife for

all different types of utilization. We are building fit

for purpose. Ai, which takes longer. There's more analysis of

customer sentiment and how they're going to use these tools

and what they actually need. Like, what do they need in the

classrooms? What do they need in the back office? Versus, oh, I

have aI chat. This is really cool, and I can serve all manner

of things right? Open AI, ask people to start submitting their

medical files into chat GPT to get medical advice. Then, of

course, the first comment was okay, but this is not

appropriate for medical records because open AI is not regulated

by the HHS. They're not subject to HIPAA, and so they don't need

to comply with HIPAA, so you can put your medical records in

there. It's fine, but it's not a fit for purpose solution, and so

I think that sort of adds to some of the challenges and

longer, more thoughtful development cycle.

Yeah, Cameron, I'm always saying when

I'm out on the road, I always use the analogy of like, the

early days of social media, and we were assured that our data

would be protected, it would not be monetized, but there was no

oversight, there was no implications. And then, lo and

behold, 18 or 20 years later, we found out, Oh, oops, our data

was monetized. And we were told it wasn't going to be back then,

when we started wondering about that, like, Hmm, what are they

doing with all this? Right? And so I feel like we're in that

same moment with AI. It's like, you know, just because the

current leaders of those organizations or those companies

say, Oh no, no, no, we're not training the model or whatever,

who's to say that they're not or that they won't, like, there's

no implications if they do. So. I'm with you on that.

Years ago, I did a presentation at ATLIS called not

an attorney, but I brought one with me to the conference with

Adam Griffin, who's a good friend of ATLIS, an attorney,

because at that point, there were things that we were talking

about that as we were trying to make sense of whether it was

Copa or whether it was issues around our ability to digitize

media, so on or so forth. You know, we were trying to

interpret what we were reading, because we're not lawyers,

because we don't have that CISO hat on, and nothing has changed.

It's only, as you know all of you have mentioned, it's only

gotten worse with regards to the compliance issues that come out,

particularly with the complications with AI. So I'm

I'm looking for from each of you, a really practical

direction to go in when we start engaging with vendors like

yourselves, who are holding on to large amounts of data from a

PII perspective, or from an academic or financial

perspective, depending on which one of the modules you have, if

we're dealing or looking at companies that deal with that,

what are some of the first things that we need to be

focused on as we start our process of review and vetting

for each one of those in The

10 years, or almost 10 years that I've been

working in this space, we've seen this explosion of

requirements, and we have schools who have a lot of

expertise and a lot of resources that they put towards compliance

and privacy. They have internal counsel. And then we have

schools on the other end of the spectrum who it's, you know, one

person doing many things, and on average, it's somewhere in

between those two. I would say that approach a vendor, after

doing a little bit of research about what regulations you're

subject to, depending upon what jurisdiction you're in, have a

general idea of what the requirements are, and then come

to your vendor with a simple set of questions about, How will you

help me to meet these requirements, understanding that

the onus typically is on the school who, from a GDPR

framework, is a controller, but that the school's responsibility

is to Select vendors that meet the requirements that they are

subject to, just understanding that is a really big step

towards understanding how to have a really good relationship

with a vendor from a security and a privacy perspective, and

frankly, it echoes the same thing. Process that we go

through with our own third party vendors, understanding first,

what requirements we're subject to within a given jurisdiction

and within a given type of data, and then going to our vendors

and having a dialog with them about, how do you help us to

meet our requirements?

Yeah, audit reports. Take a look at the

audit reports. I mean, at a minimum, SOC, two PCI for

payment processors, for any payment data. I think that

there's so much complexity in these laws, but ultimately,

there are really good standards that already exist that maybe

aren't legally binding standards, but are great

frameworks for best practices. So NIST is an amazing source

where, if you do, they call them crosswalks. If you take the

requirements of NIST, crosswalk, it against HIPAA, security

crosswalk, it against CCPA, the new security regs that just came

out a few months ago. They're very, very similar. And so I

think vendors that talk about adherence to a particular

standard like this, like ISO, is a great international standard

that will help a lot. I think that'll get you 99% of the way

there. There are a couple of local state laws that might have

some deviations, but I think that's a really good place to

start. And it's very easy to ask for, if you remember, like, I'm

looking for NIST CSF, NIST AI, RMF, which is their risk

management framework for AI, those are very easy to remember.

Companies that adhere to those, again, will cover so many of

your bases. The other thing that I would really focus on is

vendors with purpose limitation language in their contracts, and

that is a privacy principle, which basically means you can

use data, personal data only for these things, and if a vendor

has purpose limitation, language that is super broad, that is

pretty much anything other than providing you with what You

bought. Really examine those closely, and I think that will

help you understand this vendor's posture with respect to

how they're going to use the data. Are they going to use your

student data for promotional purposes? Right to show ads to

kids, to sell to data brokers? There's any number of horrors

out there. And so if you look at data, the purpose limitation,

language in your contract, I think that will go a long way

too.

I'll cap it really quickly. First, I'll go to Bill

and say this, CISO is not a lawyer. So when I turn up, I

would have to turn up with a lawyer as well, but more

practically, augmenting everything Mike and Cameron has

said, first and foremost, it seems simple, but it's

important, what problem am I trying to solve? What vendors

solve that problem? And once you've established that, and you

go into conversations about due diligence and things like that,

it becomes a case of whatever problem you're trying to solve,

you're going with your asset, the most important thing to you.

So always remember in the room, it's your asset. Whoever's going

to engage with it, is required to protect it. So you'll be

looking for first, are they meeting my the needs, the

problem I've defined, do they meet those needs and whatever

asset I entrust to whoever the vendor is, are they going to

protect it in the way I would have done myself, very simply.

The other thing to remember, though, is when you entrust an

asset to someone else, you are still accountable for that

asset. So that goes to Cameron's. Look at audit

reports, look at audit trails, because you also want to know

that anyone you entrusting an asset is doing exactly what you

expect them to do, out of sight is not out of mind. With your

most important asset, you must know that they're doing exactly

what you expect them to do, and have a way to engage them so

that they can prove to you that they are doing exactly that they

are meeting the requirements of the law. They're meeting all

your data requirements. They're meeting your recovery

requirements, in the event, for some reason, they're no longer

there, and if you've given them your data, how do you get your

data back when you no longer want to do business with. Them.

So very practically simple terms, we can overlay with regs.

We can talk about the complexity. Remember, it's your

assets. Remember you need it treated well, and you need proof

that it's done in the way that you expected it

to be. So when you're working with the third

party vendors at your respective corporations, there's likely an

opportunity for you all to create an addendum based on the

requirements that your respective institutions are

interested in. Similarly, I'm finding in the conversations

that tech directors are having around the country, we're having

to customize our individual vetting and frameworks based on

in Virginia, a whole bunch of new legislation just came out,

and I need to be cognizant of those changes. We have alums

that are in the European Union, so I've got to be aware of GDPR.

We've got folks in Australia, when you start mentioning this

to the senior exec team, they don't have that where with all

about the impact of data regulations across product

lines, do you encourage schools to continue to in looking at

these frameworks, to add these addendums to protect the

schools, such that we can have a little bit more peace of mind?

And should that come from an attorney, as opposed to a bill

Stites or Hiram Cuevas, who are tech directors. We have lots of

frameworks that we use and share amongst our communities, but I

think this actually has to come more from an attorney. I think

what our schools are really asking for is, who do I ask to

help me develop these addendums and actually pass that

information on what would be the best practice.

This is something that I work with

literally even today. I still work with this every day again,

the strategy that I would advise schools to take is to find

counsel that you trust, that is going to provide you with easy

to understand advice and guidance about the environment

you operate in, not necessarily someone who's going to list off

a million bullets of legalese, but someone who can understand

what your operating conditions are. You know, Virginia or

Germany or New South Wales, wherever you are, and then

provide back to you practical guidance about what you need to

look for. And then to your vendor. We do this every day.

Veracross maintains a DPA. We maintain other papers that are

privacy and compliance related. And when a school comes to us

and asks us and provides us with that succinct, practical

guidance, we are always willing to work with them to make

updates, changes or addendums, to make a specific version of a

contract or a specific version of a DPA that meets that schools

requirements, and we continue to do so today, but for schools,

the most efficient way to do this is again, sort of getting

back to what I said earlier. Know, the environment you

operate in bring someone in who can help to bridge the gap

between your practical day to day experience and the ever

changing regulatory framework and knows the right keywords,

and then someone who can consume a DPA or a contract or an MSA or

a privacy policy and actually do that mapping between the

concepts that matter Most and how it's expressed typically in

these privacy papers. I would also say another practical step

that a school could take when they're in this discovery phase

before they engage with a vendor is to take a look at the way

that the vendor expresses security information publicly. I

found that you can really take the temperature of a vendor. Are

they speaking to you in simple terms? Do they understand that

you aren't a DPO or something like that? Are they open about

what they're doing with your data? Do they have something

like a Trust Center that you can access or request access to? I

feel like and I mean, we do this internally as well, with our own

vendors when we're selecting third party vendors, taking the

temperature, the security, privacy, compliance, temperature

of that vendor, and coupling that up with someone who can

provide that translation, really goes a long way towards being

efficient and being open when it comes to engaging with your

vendors about things like custom addendums or other changes that

might need to be made to the relationship that you have with

your vendor to make sure data is protected the way that it should

be. I would

also, and not to throw shade on my fellow global

lawyers, we get very precious about our unique. Like laws that

we have drafted and passed, but we're really working with a

pretty common set of principles here. So if you are working with

a vendor that is a large vendor, maybe a global vendor, most

likely they have tailored their DPAs to the most stringent laws

that apply to customers that they sell to. And so oftentimes,

we get this all the time. Hey, I'm in Arkansas, and we have a

new student privacy law, and so we have to append this onto your

GPA. And if you go through point by point, maybe the language is

slightly different, but they're all the same concepts. You've

got that purpose limitation, you've got a data breach

notification provision, you've got security language. So of

course, they're each perfect, unique little unicorns, but

these laws really can be very similar, and there aren't a huge

number of deltas that need to be separately accounted for. The

other thing that's going to get me in a lot of trouble with the

lawyer mafia is if you have an enterprise version of an AI

tool, you can put these documents into the tool and ask

to see what the delta is. Of course, it is not a substitution

for legal advice, but it gives you a really good start. Hey,

this is what I'm required to do. This is what Blackbaud is

offering me, what is not covered. And then you have a

really good starting point where you can go to their trust team

and say, and our trust team deals with questions from

customers all the time. Where is this provision in your DPA?

Where is it covered? Hey, I need encryption of this. Where is

this addressed? And any good vendor is going to be able to

point out, oh, it's in number seven. And so I think that's a

really good place to start as well.

So I'm curious what you each think. I

mean, we're in this moment where AI is complicating things.

Global reach is complicating things. What do you think the

role is of ed tech companies in terms of offering security

services to schools, just making sure that we understand

cybersecurity and student data privacy issues. I mean, I would

imagine that you're doing more education than you ever have.

Correct me if I'm wrong, but I'm just really curious, what do you

think the appropriate role is for our vendor community to help

us out and get this right?

This is an interesting question, because

the answer, I feel has changed dramatically, even over the past

five years. I would say that when I started in this space,

around 10 years ago, the idea of an ed tech vendor providing

security advice or information to one of our customers was

pretty far fetched. First of all, there's the whole Thou

shalt not provide legal advice to your customers, which is

still true today, but also it just wasn't as front of mind

because schools just had different concerns 10 years ago,

even five years ago, from my perspective as a system of

record, sis vendor, these days, there isn't a contract

negotiation that goes by without questions about security and

compliance, and it is top of mind for many people. And I

would say that a principle that I like to see vendors adopt,

that we've adopted as well, is the idea that a rising tide

lifts all ships, especially for our customers who don't have

entire teams of security and compliance professionals

available to them, we will have deep conversations with them to

help them understand what their own positioning is from a

technical and a legal perspective, although we still

don't really provide legal advice to our customers, but we

also take further steps to provide them with some technical

insight into what is your network security perimeter

looking like right now. We're seeing some interesting stuff

going on that's not actually within the box of Veracross, but

it's actually in your perimeter. Let's try to help you fix some

of those things, because nobody wants an account to be

compromised. That's not good for anybody. And if we can help our

schools get a bit of an edge in that space through technical,

consultative and other approaches. We're absolutely

going to do that, because that investment is worth it for

everyone.

Mike has said it extremely well, I think it's

important to inform and educate, and I think in my mind, that.

Where the security services needs to sit, I would say I

would be remiss as a security professional if I didn't say

that. I can't roll up my sleeves and walk into a school and

interact with their network, but I can inform you and educate you

on how best to proceed. I can point you to resources. I can

have a webinar with you, but I can't go in and interact with

your underlying structures. I think that's probably where they

would need to be.

I want to make sure that I give you guys

each a few moments to talk about what's coming at you in the

context of your companies, and so what we will be able to look

forward to in terms of what's next. So you know, many of our

listeners are either Blackbaud or Veracross customers. So I

know that you stay in communication with them. I know

that you're talking to them about these issues on a regular

basis, but I guess I just want to give you the floor for a

moment. You know you've got the mike. What would you want your

customers to know and what's coming next? What are you

thinking about? What are you working on? What is it that

you're helping get out ahead of for our community, for

Blackbaud,

it's certainly about the agents we have just

released, just to GA yesterday, a development agent, which is an

AI powered fundraising Virtual Employee, and we are rolling out

agents in a variety of different solutions and different ways. So

I can't talk about specifics, because we're publicly traded,

but I will say that for some of the more predictable and

annoying workflows that y'all deal with in school

administration, perhaps admissions, we are certainly

looking to identify that experience give you all a bit

more capacity to do the things that matter, and less manual,

annoying tasks but eat up your day. So I think that's where I

personally spend a lot of my time, is with the agentic team.

It's all very exciting. It requires a robust risk

framework, governance framework, and certainly a more of an

appetite, because there are certain places where a human is

not as in the loop, as if you were just creating content in

chat GPT and porting it over here, the ability to send

emails, for example, have a conversation. But that is very

exciting. On the less exciting front, for sure, it is keeping

up with all of these laws. We're seeing some attempted amendments

to COPPA. So there's COPPA 2.0 there is a talked about

amendment to FERPA, which will be the 10th since the 1970s to

update FERPA to accommodate AI, who knows if that's going to

pass or not. We're seeing these things called age appropriate

design codes. There's a very robust one in the UK, but some

US states are starting to adopt it, and that is basically

requirements around how you build user experience for

products that interact with children. So that is really a

huge focal point for us right now. They're getting blocked in

courts and all sorts of First Amendment concerns, not humans

first amendments, but corporations First Amendment

online safety laws. So keeping tabs on these, plus all the AI

laws and cybersecurity laws that are coming out. But again, if

you refer back to a nice, robust standard, hopefully you can

accommodate all these. So I'm

going to turn over to Veracross. But I

also just want to mention Cameron, it's interesting that

you're talking in this space of agentic AI. I've been on the

road a lot in the last couple years, naturally talking about

AI, and what I'm seeing in AI with schools. And I remember two

years ago, some schools would say, you know, we want to build

our bots, and then later on, they said, We want to build our

agents, and are you doing this? And I remember saying in those

earlier moments, I'm not going to do this. I don't have the

money to do this. The companies I pay my subscription service

companies will do this right, like, let them do it. Let them

figure it out. Let them protect us. And chances are, just like,

all of these bells and whistles were baked into either our

Google workspace or the suite of products that we're already

using in any including like our accounting and credit card

coding software's right, like they're auto generating what

they believe the code would be for a transaction. And I'm just

going to let them do it right? And so it's really interesting

to hear that that's something that you guys are working on and

thinking about. Because not that I am a genius in the way of

tech, but when certain schools who are sitting on a good amount

of money were like, we're going to build this ourselves, I said,

Yeah, that's cool, but my guess is that the vendors you're

already paying are going to be doing this as well. So maybe, if

you're a smaller or less resourced school, hang tight,

because I'd be willing to bet that in very short order, the

things you're looking for, the bells and whistles, will be

baked into the base model, just because they're competing with

each other. And so I'm having a full circle moment where I'm

like, See guys, everybody who's listening, who heard me speak

two years ago, I told you to just hang tight. They were

working on

it. You feel so validated.

I do. It

is important to point out we made the decision I

think last year, nothing would be baked in to the products by

default such that you don't know that you're using it.

That's an important distinction.

We took into consideration that many of our

customers are very risk averse, so you have to actually go in

and turn things on so you're not bringing shadow AI into your

network. You have to be authorized to do so, and you

have to affirmatively do that. So that is a choice we made,

just to be as transparent as possible, because you'll be

editing a PDF and be like, wait a minute, why is there

generative AI in my PDF editor, this is a unnecessary and B, a

little sketchy.

I'll hop in and share some of the themes. We're

going in a lot of different directions, and we're very

excited about them, but there are two that I think will

resonate most with this overlap between security compliance and

AI. I'll start, I think, with the second first, helping our

customers find comfort in what we can bring to them from a

security and compliance perspective is very important to

us. I'll use Australia as an example. Australia has a very

interesting perspective on data, privacy and security that is a

little bit different from a GDPR model. It's a little bit

different from the way in which many US states and other

jurisdictions adopt it and having meaningful conversations

with our customers so we can bring to them what they need and

what their underwriters need and what their communities need, is

a big direction that we continue to go in. At the end of the day,

I feel like, as Cameron pointed out, there are themes and

principles that underlie all of these regulations and laws. And

being able to connect with people on a human level and help

to understand what their values are in that space is very

important to us from an AI perspective. Yes, Veracross is

working on AI tooling for our customers as well. The idea

behind it is that we like to think of ourselves as a

community operating system because, like many other large

ed tech spaces, we are just so embedded into our customers

lives and their parents lives and their students lives. And so

being able to safely and transparently bring tools to our

customers, agents, chat, etc, to our customers that helps to

support their community in a healthy way is a big part of

where we want to go from an AI perspective and to echo what

Cameron said, do so in a transparent, safe and opt in

sort of way. I also get really annoyed when I'm editing a PDF

and something pops up and says, Would you like me to help you

write this? No, thank you, but maybe, maybe someday. So those

are just a couple of the directions that we're heading

in, trying to keep the human element forefront, because at

the end of the day, schools are communities. They're collections

of people who have shared values and a shared direction, and

trying to be able to reflect that in technology is something

that matters very much to us.

Okay, so I know we're running out of time,

and we could probably be here all day talking through some of

these details, and we'll make sure that all of your contact

information is in the show notes, so that people can reach

out to you if you've touched a nerve in any way with some of

the things you've said. But before I let you guys go, I know

that the three of us have been in the chat, framing up a final

question for you, and that is this, in this moment that we're

sitting in right now with AI with all the privacy issues, how

would you describe a gold standard, whatever that means to

you, for schools who are really trying to pursue excellence and

make sure that their schools and their student community is.

Protected. What's the gold standard?

It really depends on where you are, and I'll explain

why. I say that instinctively, the ISO standard will pop to

mind as the gold standard, especially when we're talking

about cyber security. But it depends now comes into play when

you're talking about portability and expense. So for that gold

standard of ISO, you can use it internationally, but at a

significant expense when it comes to standards that are

usable in most places. I would go out on a limb and say, NIST

is becoming the de facto standard for the simple reason

that you don't have in quotes. And I say in quotes because

taxpayers in the US cover the costs of the NIST standards, but

from the outlay, you don't have to cough up a significant amount

of money to go to NIST and pick up a standard that allows you

baseline they do a very good job at defining AI structures, AI

governance and underlying cybersecurity controls and even

privacy in the last couple of years, so NIST CFS, in that

scenario, becomes the gold standard. But also be aware, if

you're international, you might then have folks asking you for

more than just that, especially when they're dealing with

particular regulators. So baseline NIST CFS, its beauty is

you can go deep, as deep as you want to go to the special

publications if you just want to stay on the surface with NIST

CFS, that gives you pretty much everything you need at an

advantage, you now have privacy in there as well. So it covers a

decent landscape for good practice.

Yeah, I totally agree. I like NIST CSF for

security. I like NIST AI, RMF for AI, and I like GDPR, good

old GDPR for privacy. I do. I think the way they define their

terms just makes sense. I think the whole structure makes sense,

and that, to me, is the gold standard for privacy laws. So

those are the three that I typically look for adherence to.

I agree NIST is fantastic because of the breadth

and the depth that it provides. I also agree that GDPR feels

like home. It was really one of the first frameworks that got us

all thinking about this, aside from PCI, DSS, which also has

been around forever, and of course, HIPAA and other

specialty frameworks, but aligning on GDPR makes sense to

me, because so many of the world's privacy frameworks are

derived from the GDPR, not all of them, but that, and I have to

say, CCPA, from a US based perspective, if I were to pick

outside of NIST CSF, if I were to pick two really privacy

focused ones, it would be aligning on the GDPR, because

you get so much for free from other jurisdictions if you do

that, and then from a US perspective, aligning on CCPA,

because Up until recently, they've really been the thought

leaders in that space, even extending beyond some of the

protections that the GDPR traditionally had.

Mike Joe Cameron, thank you so much for

joining us. Please. Thank your teams at Veracross and Blackbaud

for all the work you guys do to help keep our community safe. We

appreciate you more than you know, and I appreciate your

time.

Today, this has been talking technology with

ATLIS, produced by the Association of technology

leaders in independent schools. For more information about Atlas

and Atlas membership, please visit the atlas.org if you

enjoyed this discussion, please subscribe, leave a review and

share this podcast with your colleagues in the independent

school community. Thank you for listening. You.