[Dataloss] Social Security Numbers Exposed in CCSU Letters

Dissent Dissent at pogowasright.org
Sat Feb 10 08:51:20 EST 2007


FERPA "lacks teeth," in part, because SCOTUS held that there is no 
individual right to enforcement under its provisions (Gonzaga 
University v. Doe).

Furthermore, the US DOE shifted years ago from monitoring and 
enforcement to an "assistance" mode.  They did that because they 
failed utterly at monitoring and enforcement (cf. monitoring and 
compliance reports between OSEP and NYSED in the '90s).  Although 
the DOE/OCR does occasionally threaten to cut off federal funding to 
state education departments, they are not likely to do that, and 
certainly not for anything like failure to protect privacy.  To the 
contrary, there was a threatened cutoff if schools didn't allow 
military recruiters access to student information, pursuant to the 
provisions of NCLB (20 U.S.C. § 7908).  Nice, huh -- they won't cut 
off funds if the school violates or breaches student privacy, but 
would cut off funds if the schools refuse to make student information 
available to the military recruiters (as well as businesses and 
post-secondary institutions).

I haven't yet gone through the new Leahy-Specter bill proposed in 
Congress, but I had a conversation with one of Senator Feinstein's 
staffers this week about how her proposal (S. 239) relates to 
students and educational institutions.  One of their lawyers got back 
to me to clarify the bill's application to unis.  Basically, any uni 
that orders anything from out of state would be considered to be 
engaged in "interstate commerce" and would therefore be covered by 
the notification requirements and provisions of S.239, subject to the 
same exemptions as businesses and agencies -- i.e., the risk 
assessment exemption, etc.

His (counsel's) position was that although FERPA would continue to 
permit unis to voluntarily publish and share "directory information" 
on students under the provisions and restrictions of FERPA (e.g., 
name, address, phone number, date of birth, other details), if those 
very same data were involved in a security breach, the uni would be 
responsible for notification, etc., subject to the same exemption 
provisions as businesses and other covered entities.  Under S.239's 
provisions, there is no need for the compromised records to include 
SSN or financial details -- even "just" name, address, and full date 
of birth would trigger the notification requirements. And no, I'm not 
saying I support S. 239.

But you're right in that the reputation of a uni is not tied to or 
really affected by its data security record. And I can't imagine 
Peterson's adding that type of info to their guide.

/Dissent

At 07:56 AM 2/10/2007, B.K. DeLong wrote:
 >
 >Of course, FERPA violations have no teeth as we don't hear about
 >colleges and universities losing Federal funding. So, per usual, it's
 >left to Civil Action to force penalization. Educational institutions
 >don't seem to be as affected by "loss of reputation" when these things
 >happen.
 >