Re: Profile issue for Educase

["Lewis, Kevin M (EXP)" <kevin.m.lewis () LMCO COM>]

Great info, but I admit I can no longer keep up with my emails. How do I
remove myself from this group?



Kevin



________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Friday, February 29, 2008 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA question



A recent item from the state of Maryland may be of interest re: what is
public information (e.g. email)



Bill aims to shield student privacy

By: Megan Eckstein

Posted: 2/28/08

State lawmakers took up a bill yesterday that would give public schools
the power to deny companies access to students' information - a step
that could cut down on the flow of spam into university e-mail accounts.



A students' directory information - e-mail address, phone number and
home address - is considered public. That means the university has to
give it out if it receives a written request.



The bill's advocates say public universities around the state often give
information out to predatory lenders and even groups that participate in
phishing, scams in which e-mail recipients are asked to give out private
information such as Social Security numbers.



"Sometimes it actually breaks our hearts to see where this information
is going," said David Robb, the university registrar, who handles
requests for students' information.



The bill would give the university the right to deny requests "if the
information is requested for commercial purposes."



Some senators questioned whether the registrar ought to be the only one
to determine whether a company is allowed access to directory
information.



Laura Anderson Wright, a university lawyer, responded by pointing out
that there is an appeal process for all public information requests.



"We're not asking for a bar," Wright said. "We're asking for a choice.



"This amendment to existing law will allow students of public
institutions to enjoy the same protection to their contact information
as students of private institutions enjoy," she said.



Even high school seniors who apply to a public university but choose not
to attend could have their information sent out, Wright said.



Del. Ben Barnes (D-Anne Arundel and Prince George's), the bill's
sponsor, said the bill has strong support because it "puts no extra
obligation on schools. They can keep doing what they're doing, but they
would also have a tool to protect students.



"I think this stands a good chance of passing," Barnes added. "I think
the committee sees the need in having this kind of law."



Student Government Association President Andrew Friedson testified about
some of the spam mail he has received, mentioning a phishing e-mail sent
to many students' university e-mail addresses that appears to be from
Chevy Chase Bank.



The e-mail asks for the recipient to update his or her account
information, and if a student does, the information the student provides
can be used for fraudulent charges and identity theft. Friedson pointed
out that many students have accounts with Chevy Chase, which has an
on-campus branch.



ecksteindbk () gmail com





Allison F. Dolan

Program Director, Protecting Personally Identifying Information

MIT

(617) 252-1461










On Feb 25, 2008, at 2:37 PM, Kathy Bergsma wrote:





Thanks to Mike Lococo at NYU, I discovered that the 2000 FERPA amendment
explicitly lists email as directory.



http://www.ed.gov/legislation/FedRegister/finrule/2000-3/070600a.html



Kathy Bergsma wrote:

        I'm surveying edus that classify email address as non-directory
under FERPA. Please respond only if you do.  To minimize list traffic,
I'll summarize for the list if you respond privately.



--

Kathy Bergsma

UF Information Security Manager

352-392-2061