In October, personal financial data — including social security numbers, loan repayment histories and bank-routing numbers – of thousands of college students was exposed on the Department of Education’s (ED) direct loan website. For seven minutes, anyone surfing the direct loan website could find personal information about students who had borrowed from the Department of Education.
In and of itself, this data security breach is quite alarming, but it is even more so considering the aggressive data gathering efforts ED is spearheading. For example, the ED’s changes to the Family Educational Rights and Privacy Act (FERPA) regulations will provide the government with greater powers to gather and use longitudinal data about students to track their performance over time.
The new regulations define two previously undefined terms in FERPA in order to expand the sharing of student personal data. FERPA permits the access of student personal data — without consent — to “authorized representatives” of state or federal “education programs.” The new regulations expand both definitions to allow a myriad of types of third parties to access student data. Under the new regulations, educational agencies can designate “representatives” quite liberally, and this threatens to allow student data to be disseminated much more widely. Indeed, this is ED’s goal — to allow for greater study of student longitudinal data.
But it comes at a great cost to privacy. ED only has power over the schools and education agencies it funds. Researchers and other organizations designed as “authorized representatives” aren’t subject to ED sanctions. Moreover, FERPA’s enforcement is quite minimal, lacking a private right of action and having a sanction so implausible it has never been imposed in the 35+ year history of the law. The result is to allow greater sharing of information with woefully inadequate protection. A 2009 study by Fordham Law School’s Center on Law and Information Policy found that “privacy protections for the longitudinal databases were lacking in the majority of states.” Even more strongly, the study characterized the privacy protections as “weak.”
Indeed, a recent story in The Huffington Post noted that many school districts are collecting student Social Security numbers and providing inadequate safeguards, leading to a rash of incidents of child identity theft.
The ED’s recent Gainful Employment regulation is another example of more data gathering without responsible privacy protections. Students who attend proprietary colleges and universities would be specifically at risk of this serious privacy infringement which allows the Department of Education to use Social Security data in calculating default rates. The Department’s final rule lacks specific details on how it will collect and treat this data — permitting the department to simply inform institutions and students that they have failed to meet the 12 percent income-to-debt ratio as written in the final regulation.
Salary data for students attending proprietary colleges and universities will be available online for all to see two years from now. Although data can be de-identified, doing so is challenging and demands rigor and responsibility. There is little indication that this rigor or responsibility will be heeded. Students will be at a greater risk of their personal information being shared with the public.
The ED’s use of personal information and their recent blunder of exposing private information is extremely alarming, especially given their plans to collect more data for the future. Department officials attempted to correct their actions by notifying students of the mistake, offering credit monitoring services and shutting down the website for 48 hours. With the ED moving to collect additional personal data from students, were these steps enough?
One thing is for certain: the Department of Education’s mishandling of personal student financial data in this latest data breach proves that we should be wary of how the Department will utilize this type of data in the future. Maybe it is time to reevaluate the ED’s rush to have enormous quantities of student data collected and disseminated. There are certainly problems with our educational system, and there is nothing inherently wrong with wanting to gather more data about this system. But it is irresponsible to do so when the ED and the other entities that collect and maintain the data are ill-equipped to safeguard privacy and provide appropriate data security. The entire FERPA legal structure is inadequate. Before racing to gather so much personal data, ED should ensure that the appropriate privacy and data security reforms are in place to protect that data. Otherwise, in its zeal to solve some problems with the educational system, the ED might be opening up an enormous and greater problem, putting all students at serious risk.
Originally Posted at Huffington Post
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.