Private Eyes: FERPA & Student Data Security Breaches
Wednesday, April 2, 2014 at 8:50PM
CJ Ryan in FERPA, FERPA and state data systems, Family Educational Rights and Privacy Act, online legal information, privacy

It is something of a truism to say that data collection is integral to individualizing student learning, providing educators with immediate feedback on the success of pedagogical delivery methods, and supporting successful educational methods with evidence-based rationale. To serve these important goals, states now have large-scale longitudinal information systems and upload large quantities of student data in an effort to track student performance over time. [1] Even local school districts now contract with third-party providers of database management, [2] storing everything from contact information and curriculum planning, to grades, test scores, disciplinary data, Social Security numbers, health information—representing extremely confidential information. [3] But, as with all data, when this information is not properly guarded, it is low-hanging fruit for the unscrupulous digital underworld. [4]

It should be noted that recent changes to the Family Educational Rights and Privacy Act (FERPA), relaxed security measures for this data. For example, under the prior regime, schools were required to obtain parental permission before sharing information in their school’s educational record. [5] Now, schools may disclose directory information (such as name, address, phone-number)—even to third-party vendors—so long as parents are provided the opportunity to opt out of any such releases. [6] But a concern greater than third-party vendor access to student information is that security breakdowns in confidential student data, particularly P-12 student data, may result in identify-theft fallout, which may not be known for years.

The call for safeguards to student data [7] exposes the shortcomings of the latest changes to the FERPA regime. While debate may continue over whether a student or student’s family’s ability (or right) to limit who collects or maintains information, including the data that companies and schools collect and retain, at the very least, students should have a right to responsible, secure data collection practices. A lot of ground lies between codifying this right into FERPA and granting a private right of action for violations of FERPA (which is currently unavailable to a victim of a FERPA violation); perhaps, it is time that policy and law makers tilt the pendulum back in the direction of privacy.


[1] See Benjamin Herold, States Make Progress on Data Systems, Advocacy Group Reports, Educ. Week (Nov. 19, 2013), available at http://www.edweek.org/ew/articles/2013/11/19/13data.h33.html.

[2] See Natasha Singer, Deciding Who Sees Student Data, N.Y. Times (Oct. 5, 2013), available at http://www.nytimes.com/2013/10/06/business/deciding-who-sees-students-data.html?_r=0. Yet, for a fairly nascent cottage industry, the education technology software industry for pre-kindergarten to twelfth grade represents an $8 billion market. Id. See also, Natasha Singer, Regulators Weigh in on Online Educational Services, N.Y. Times (Feb. 25, 2014), available at http://bits.blogs.nytimes.com/2014/02/25/regulators-weigh-in-on-online-educational-services/?_php=true&_type=blogs&ref=education&_r=0.

[3] See Benjamin Herold, Danger Posed by Student-Data Breaches Prompts Action, Educ. Week (Jan. 22, 2014), available at http://www.edweek.org/ew/articles/2014/01/22/18dataharm_ep.h33.html?tkn=LSOFCCaHP3qLAhA8rjypHkxMwnf%2BBfllt9Vy&cmp=clp-edweek.

[4] In recent months, student data breaches have occurred in Loudon County, VA, Chicago, IL, Tallahassee, FL, and Long Island, NY. “The 71,000-student Loudoun County [Virginia] public schools was thrust into damage-control mode last month after an outside vendor, New York City-based Risk Solutions International, inadvertently uploaded and left unprotected some schools’ emergency evacuation plans, as well as ‘directory information’ that included students’ names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories . . . . Last November, the [Chicago school] district reported that 2,000 students participating in a free vision-examination program offered by the city had their names, dates of birth, gender, and ID numbers, as well as information from their exams, accidentally posted online. . . . In June, the Tallahassee Democrat reported that roughly 47,000 participants in state teacher-preparation programs had their personal information—including names and in some cases Social Security numbers—posted on the Internet for two weeks last spring. The information was being stored by Florida State University. . . . The 12,000-student Sachem Central School District [on Long Island, NY] suffered three data-security breaches in recent months, including one in which the names, ID numbers, and designations for free-lunch programs of 15,000 former students were posted online, according to a Newsday report.” Herold, supra note 3. Florida State is not the only postsecondary institution to fall victim to a data breach; Indiana University has spent more than $80,000 responding to a data breach that exposed the names, addresses and social security numbers of students enrolled at any of the IU’s campuses from 2011 to 2014. Data Breach Response Costs IU More Than $80,000, Diverse Issues in Higher Educ. (March 17, 2014), available at http://diverseeducation.com/article/61254/.

[5] See, generally, 20 U.S.C. § 1232g (2007); Parents’ Guide to the Family Education Rights and Privacy Act: Rights Regarding Children’s Educational Records, U.S. Dept. of Educ. (Oct. 2007), available at http://www2.ed.gov/policy/gen/guid/fpco/brochures/parents.html.

[6] See, generally, 20 U.S.C. § 1232g (2011); Revised FERPA Regulations: An Overview for Parents and Students, U.S. Dept. of Educ. (Dec. 2011), available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/parentoverview.pdf.

[7] In December 2013, the Electronic Privacy Information Center, a Washington-based nonprofit, filed a complaint with the Federal Trade Commission accusing the popular financial-aid website Scholarships.com of selling sensitive student information to third-party marketers without adequate disclosures. See Herold, supra note 3. To that end, Common Sense Media announced a new initiative last week to encourage the educational technology industry to safeguard student data from falling into the hands of corporate interests. See Ben Kamisar, Group Calls on Companies to Safeguard Student Data, Educ. Week (Jan. 22, 2014), available at http://www.edweek.org/ew/articles/2013/10/23/09privacy.h33.html?tkn=XVTFfIPR7XvFa3FV7mZ0a5%2B8aYacxuog25JF&cmp=clp-edweek. See also Valerie Strauss, Why a ‘Student Privacy Bill of Rights’ is Desperately Needed, Wash. Post (March 6, 2014), available at http://www.washingtonpost.com/blogs/answer-sheet/wp/2014/03/06/why-a-student-privacy-bill-of-rights-is-desperately-needed/; Adrienne Lu, Protecting Student Privacy in the Data Age, USA Today (Dec. 17, 2013), available at http://www.usatoday.com/story/news/nation/2013/12/17/stateline-student-privacy-%0A%0Adata-education/4054307/.

 

Article originally appeared on The Edjurist - Information on School and Educational Law (http://edjurist.com/).
See website for complete article licensing information.