BreachExchange mailing list archives

E-number spreadsheet with Eastern Illinois University student data leaked


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 24 Jan 2013 12:13:00 -0500

http://www.databreaches.net/?p=26760

Chacour Koop reports:

The grade point averages of 430 students were released to 65 students
about two and a half weeks ago, which is a violation of the Family
Education Rights and Privacy Act (FERPA).

Robert Miller, Eastern’s general counsel, has refused to comment on
the violations. Sue Harvey, Eastern’s registrar and FERPA officer, has
not responded to multiple emails about the violations.

The spreadsheet was accidentally leaked and also included the E-number
of each of the 430 students. Eastern designates E-numbers as public
directory information, unless students file a petition with the
university registrar.

[...]

OK, while I give the student publication credit for trying to cover a
privacy/data security breach, the real headline should be that
students generally have no real recourse when there’s been an
unintentional release of their education records. FERPA does not
provide for an individual cause of action, the U.S. Department of
Education does not require it be notified of breaches, and this is all
going nowhere.  Even taking a worst-case scenario: someone is horribly
embarrassed by their grades and a recipient of the spreadsheet
anonymously uploads it all to the Internet, there is generally no
recourse for students who feel they have been harmed by a breach.  The
university would have an obligation to try to mitigate harm, but other
than asking recipients to securely delete the attachment and following
up on that, what does the university really have to do?

In this case, the University should tell the students what it intends
to do to prevent a future recurrence of this type of e-mail breach.
But other than that, what do you think they have to do or should do?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list