E-Discovery and Information Management: Electronic Data Breach Of Student Records—The University’s Obligation To Disclose (3/15)

Data security breaches have become unfortunately prevalent amongst higher education institutions. In fact, colleges and universities suffer data breaches at a rate of just over one per week.(1) The Privacy Rights Clearinghouse reports that thirty (30) educational institutions experienced data breaches in 2014. Notably, the University of Maryland suffered a data breach including names, birth dates, university ID numbers, and social security numbers dating back to 1998.(2) In 2014, Butler University (Indianapolis campus) warned more than 160,000 students, alumni, faculty, staff, and even past applicants that their personal information had been exposed during a data breach in 2013.(3)

Although the media tends to focus on the harm to individuals whose personally identifiable information (PII) has been compromised, the higher education institution subjected to a cyber-attack involving a data breach is also harmed in multiple ways. The institution may incur fines, costs associated with notifying individuals, and legal expenses. Further, the institution’s reputation in the community will suffer, possibly resulting in a decrease in enrollment.

University administrators are tasked with understanding their reporting obligations in the event of a data breach. Although there is currently no federal data breach notification statute,(4) most states have created data breach notification laws, and university administrators must be aware of the applicable laws. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches involving PII.(5)

In New York, PII includes information such as a social security number, driver’s license number, account number, or "any other information concerning a natural person which because of name, number, personal mark, or other identifier can be used to identify such natural person."(6) If a data breach involving PII occurs, institutions of higher education may have to notify the affected individuals as well as the New York Attorney General, the Department of State’s Division of Consumer Protection, and the Office of Information Technology Services’ Enterprise Information Security Office.

Additionally, the New York Attorney General, Eric T. Schneiderman, plans to propose legislation to update New York’s information security laws by revising the definition of "private information" to encompass (1) email addresses (in combination with either the password or security question and answer), (2) medical information, and (3) health information. If such legislation passes, university administrators will need to work with general counsel and their IT departments to ensure proper procedures are in place to provide sufficient and timely notice in the event of a data breach.

1 See Just in Time Research: Data Breaches in Higher Education, Educause Center for Analysis and Research, https://net.educause.edu/ir/library/pdf/ECP1402.pdf (2014).

2 See 309,079 UMD Social Security Numbers Compromised; The Diamondback; Abutaleb, Yasmeen, Amenabar, Teddy, and Hottle, Jenny (2014).

3 See Data Breach Impacts Over 160,000 Butler Students and Staff; Ayers, Christopher; http://indianapublicmedia.org/news/data-breach-impacts-160000-butler-students-staff-68948/ (2014).

4 The Family Educational Rights and Privacy Act (FERPA) does not require an educational agency or institution to notify students that information from their records was stolen or subject to a data breach, although it does require the institution to maintain a record of each data breach. 34 CFR §99.32(a)(1). Although FERPA does not contain specific requirements relating to data breaches, the United States Department of Education recommends that students be notified if the compromised data includes student social security numbers and other identifying information that could lead to identity theft. FERPA, Final Rule, 73 Fed. Register 74843-74844 (December 9, 2008). FERPA, though, does not contain strong liability provisions against schools for data breaches. See How Little Data Breaches Cause Big Problems for Schools, Bathon, Justin, http://thejournal.com/Articles/2013/10/17/How-Little-Data-Breaches-Cause-Big-Problems-For-Schools.aspx?Page=3 (2013).

5 See National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (2015).

6 U.C.C. Law §208(a)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bond Schoeneck & King PLLC | Attorney Advertising

Written by:

Bond Schoeneck & King PLLC
