BreachExchange mailing list archives
Re: Social Security Numbers Exposed in CCSU Letters
From: Dissent <Dissent () pogowasright org>
Date: Sat, 10 Feb 2007 08:51:20 -0500
FERPA "lacks teeth," in part, because SCOTUS held that there is no individual right to enforcement under its provisions (Gonzaga University v. Doe). Furthermore, the US DOE shifted years ago from monitoring and enforcement to an "assistance" mode. They did that because they failed utterly at monitoring and enforcement (cf. monitoring and compliance reports between OSEP and NYSED in the '90s). Although the DOE/OCR does occasionally threaten to cut off federal funding to state education departments, they are not likely to do that, and certainly not for anything like failure to protect privacy. To the contrary, there was a threatened cutoff if schools didn't allow military recruiters access to student information, pursuant to the provisions of NCLB (20 U.S.C. § 7908). Nice, huh -- they won't cut off funds if the school violates or breaches student privacy, but would cut off funds if the schools refuse to make student information available to the military recruiters (as well as businesses and post-secondary institutions).

I haven't yet gone through the new Leahy-Specter bill proposed in Congress, but I had a conversation with one of Senator Feinstein's staffers this week about how her proposal (S. 239) relates to students and educational institutions. One of their lawyers got back to me to clarify the bill's application to unis. Basically, any uni that orders anything from out of state would be considered to be engaged in "interstate commerce" and would therefore be covered by the notification requirements and provisions of S.239, subject to the same exemptions as businesses and agencies -- i.e., the risk assessment exemption, etc.
His (counsel's) position was that although FERPA would continue to permit unis to voluntarily publish and share "directory information" on students under the provisions and restrictions of FERPA (e.g., name, address, phone number, date of birth, other details), if those very same data were involved in a security breach, the uni would be responsible for notification, etc., subject to the same exemption provisions as businesses and other covered entities. Under S.239's provisions, there is no need for the compromised records to include SSN or financial details -- even "just" name, address, and full date of birth would trigger the notification requirements.

And no, I'm not saying I support S. 239. But you're right in that the reputation of a uni is not tied to or really affected by its data security record. And I can't imagine Peterson's adding that type of info to their guide.

/Dissent

At 07:56 AM 2/10/2007, B.K. DeLong wrote:

> Of course, FERPA violations have no teeth as we don't hear about colleges and universities losing Federal funding. So, per usual, it's left to Civil Action to force penalization. Educational institutions don't seem to be as affected by "loss of reputation" when these things happen.
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 146 million compromised records in 570 incidents over 7 years.
Current thread:
- Social Security Numbers Exposed in CCSU Letters Sharon Besser (Feb 10)
- Re: Social Security Numbers Exposed in CCSU Letters B.K. DeLong (Feb 10)
- Re: Social Security Numbers Exposed in CCSU Letters Dissent (Feb 10)
- Re: Social Security Numbers Exposed in CCSU Letters B.K. DeLong (Feb 10)