by Daniel J. Solove
In 2007, Seung Cho, a student at Virginia Tech, killed 32 students and faculty and wounded 17. He then committed suicide.
One of the most troublesome things about this incident was that it might have been prevented if school officials and employees had a better grasp of privacy law. Appointed by the state governor, the Virginia Tech Review Panel issued an extensive report revealing that several University officials and employees knew about Cho’s mental instability but failed to share what they knew with each other. And nobody ever told Cho’s parents about his problems, his stalking of a female student, and his dark writings and erratic behavior. Cho’s parents said that if they had known, they would have taken him home and made him go to therapy. This is what they did when Cho had problems in high school.
According to the report, school officials and employees didn’t share what they knew because they thought privacy laws prohibited it. They were wrong. The Family Educational Rights and Privacy Act (FERPA) and other privacy law allow for sharing of personal information about students in distress, and in many circumstances, FERPA permits schools to share the data with a student’s parents.
Afterwards, the Department of Education issued new FERPA rules to clarify when information may be shared in a health or safety emergency. But the problem wasn’t just with the FERPA rules – it was that people didn’t understand them, didn’t know about them, and weren’t effectively trained about them. The problem also stemmed from the lack of a privacy officer whom various school officials and employees could have called to figure out what to do with the information they had.
The situation at Virginia Tech can still readily happen again. That’s because higher education is lagging behind other industries in at least two key privacy protections: (1) having a privacy officer; and (2) engaging in training and awareness education.
In many other industries, such as the health and financial sectors, it would be unusual not to have a privacy officer or awareness training. Although most institutions of higher education now have information security officials, the number of privacy officers in higher education remains very low. And institutions often lack sufficient awareness training about both privacy and security.
Why? One main reason is that FERPA, the primary law regulating privacy in higher education, is antiquated. FERPA was passed in 1974, and it was one of the earliest privacy laws. FERPA is now quite outdated.
FERPA just covers a fraction of the privacy issues facing schools, and it fails to require a privacy officer or training.
Why Have a Privacy Officer?
When we think of the organizations that most implicate our privacy, we often think of Facebook, Google, Amazon, and other similar types of companies. But schools also maintain a ton of personal data, and they face an extremely wide array of privacy issues. That’s why it is so important for schools to have a privacy officer.
Schools are regulated by countless federal and state laws with much more significant consequences than FERPA. Privacy compliance is very hard, which is why privacy officers are commonplace in so many other industries.
Although schools have made great strides on data security protection, these efforts are held back – and sometimes undermined – because of a lack of attention on privacy. Many privacy problems affect security. People around campus will take data, circulate data, use data, and do all kinds of things that are ill-informed and deeply problematic.
People need someone to go to with questions about privacy. And a privacy officer can assess various departments of an institution and identify risks and areas of non-compliance.
Why Have Training?
One of the most important things an institution can do to protect both privacy and data security is to provide training. Many data breaches and privacy incidents are not caused by technical problems, but by the human factor. A school may have great technical safeguards and great policies. But all it takes is one person who lacks sufficient awareness to make a stupid mistake – and there’s an incident.
Good data security is a collective effort. It cannot solely rest on the shoulders of security officials. Everybody – staff, administrators, students, and faculty – needs to be educated about how to use the Internet responsibly and safeguard personal data.
Privacy and security training is commonplace in most other industries; in schools it is still in its infancy. Higher education is premised on the idea that education is one of the primary solutions to problems, so it is surprising that higher education is lagging behind in providing privacy and data security training.
This state of affairs will change. I predict that a decade from now, most institutions of higher education will have a privacy officer and privacy and security training. All that is needed are more institutions to start leading by example.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, FERPA training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.