Department of Education Issues Final Regulations Amending FERPA

The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99) (“FERPA”) imposes various requirements on educational institutions regarding the privacy of personally identifiable information contained in education records of students.  On December 9, 2008, the U.S. Department of Education (“DOE”) published final rules amending the regulations that implement FERPA.   

On March 28, 2008, the DOE published a notice of proposed rulemaking (“NPRM”) proposing various changes to FERPA and its implementing regulations “to implement various statutory changes made to FERPA to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March 2008 NPRM.  The Final Rules become effective January 8, 2009.

Some of the significant changes brought about by the Final Rules include the following:

· Amending several key definitions, including the definition of “directory information,” which now expressly excludes a student’s Social Security number and student identification number (except where a student ID is “used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records” without one or more additional authentication factors, such as a PIN or password).

· Revising the definition of “personally identifiable information” to, among other things, add a definition of “biometric record.”

· Expanding the circumstances under which prior consent is not required to disclose personally identifiable information from education records, including, for example, disclosures to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions….”

· Amending the exception that allows educational institutions and agencies to disclose information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid, and improvement of instruction. (Specifically, the Final Rules add a requirement that the educational agency or institution enter into a written agreement containing specific provisions with the organization conducting the study.)

· Clarifying an educational agency or institution’s obligations with respect to handling requests to opt out of the disclosure of directory information.

· Requiring an educational agency or institution that discloses information without consent under the health and safety emergency exception to record “the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and the parties to whom the agency or institution disclosed the information.”

· Implementing the provisions of the USA PATRIOT Act that amend FERPA to provide that an educational agency or institution may disclose, without consent, information from education records pursuant to and in accordance with an ex parte court order issued under the USA PATRIOT Act.

· Implementing the provisions of the Campus Sex Crimes Prevention Act (CSCPA), which amend FERPA to allow educational agencies or institutions to disclose, without consent, information concerning registered sex offenders that was provided to the agency or institution under the Violent Crime Control and Law Enforcement Act of 1994.

Additionally, in the preamble to the Final Rules, the DOE republishes, “for the administrative convenience of educational agencies and institutions and other parties,” certain information and recommendations regarding the safeguarding of education records.  These “Department Recommendations for Safeguarding Education Records” include suggested steps to take in the event of an unauthorized release or disclosure of, or other breach or compromise involving, education records.

FERPA seeks to protect the privacy of students’ education records and applies to all educational institutions and agencies that receive federal funding under a federal education program. FERPA grants parents of children under the age of 18 (and “eligible students” over the age of 18) certain rights with respect to the education records maintained by an educational institution or agency, including the right to access and copy those records.  Additionally, with certain exceptions, FERPA prohibits educational institutions and agencies from disclosing personally identifiable information (other than “directory information”) from education records without prior consent.  Under FERPA, “directory information” means “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed,” and FERPA sets forth a non-exhaustive list of data elements that fall within that definition.  Thus, FERPA permits an educational institution or agency to disclose “directory information” without consent, provided that the institution or agency gives parents notice and the ability to opt out of such disclosures.

For a copy of the Federal Register notice containing the Final Rules, click here.  For the Federal Register notice containing the NPRM, click here.

Expectation of Privacy in Student Computer Persists in the Absence of Announced Monitoring Policy

Last week, a panel of the Ninth Circuit Court of Appeals held that, in the absence of an announced monitoring policy, the mere act of connecting a computer to a network does not extinguish a user’s reasonable expectation of privacy under the Fourth Amendment in the contents of his or her computer. The panel announced its holding in United States v. Jerome T. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007), in which it upheld the introduction of evidence obtained by University of Wisconsin employees through remote and direct access to a student’s computer attached to a university network. Although it recognized the defendant’s reasonable expectation of privacy, the panel upheld the lower court’s admission of the evidence under the judicially created “special needs” exception to the Fourth Amendment, because the alleged hacking posed an immediate threat to the university network and the searches were not conducted for a law enforcement purpose.

Jerome Heckenkamp, a student at the University of Wisconsin at Madison, was charged under 18 U.S.C. § 1030(b)(5), the Computer Fraud and Abuse Act, in connection with an alleged attempt to hack into protected systems at the University of Wisconsin and Broadcom. At trial, Heckenkamp moved to suppress evidence obtained from two searches of his computer. The first search occurred after Broadcom security alerted the University that a University computer was being used in an attack on Broadcom. A University computer investigator, Jeffrey Savoy, identified the IP address of the offending computer, determined that it also posed an immediate threat to the University’s sensitive systems, and performed a remote search of Heckenkamp’s computer to confirm that it was the computer responsible. Later that day, Savoy suspected that Heckenkamp had changed his computer’s IP address in an attempt to mask his activities. Notwithstanding the FBI’s recommendation that Savoy wait for a warrant before proceeding, Savoy, with the help of campus police, entered Heckenkamp’s room when the door was ajar and ran a series of commands that confirmed Heckenkamp was responsible for the attacks. Savoy justified the warrantless search on the grounds that the University’s systems could have been critically damaged and that Heckenkamp could gain access to confidential student files. Heckenkamp was a skilled computer programmer and was familiar with University systems; he had been fired from his position at the University computer help desk for attempting to access University systems without authorization.

Heckenkamp reaffirms the importance of establishing and distributing policies regarding the monitoring of computer use. The panel relied heavily on the fact that the University had no such announced policy, and in fact had assured students of data confidentiality:

A person’s reasonable expectation of privacy may be diminished in transmissions over the Internet or e-mail that have already arrived at the recipient. However, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002) [professor using university computer]; United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) [federal employee using federal computer system].

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that ‘[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the State.’

Heckenkamp at 3888 (citations and quotations omitted).

The Ninth Circuit likely will have to clarify in future litigation the scope of reduced privacy expectations where users are advised of monitoring.

A copy of the Heckenkamp opinion is available here.