Interaction between FERPA and breach-notification laws
This message posted on behalf of the EDUCAUSE Campus Policy Working Group [*]

Several weeks ago, a couple of threads on the POLICY-DISCUSSION list raised the question of how FERPA regulations interact with breach-notification requirements. There is no single, simple, comprehensive answer to this question, but we thought it might be helpful to mention a few relevant parameters and facts that can serve to guide future discussions.

- FERPA and state breach-notification laws address different sets of information that may or may not overlap. FERPA protects "education records," a term that is quite broad (though nuanced) and includes almost all records colleges and universities maintain about their students, whether related to academics or not. State breach-notification laws typically cover a narrower scope of information (often name in conjunction with social security, credit card, and/or driver license number) for a broader range of individuals (usually all state residents), but these vary by state. To our knowledge, no state breach-notification law explicitly cross-references FERPA or incorporates the concept of "education records," but some "education records" nevertheless may be covered by state breach-notification laws (for example, a list containing student names and social security numbers). Moreover, both FERPA and state breach-notification laws have exceptions (in the case of FERPA, the category called "directory information," which may be released publicly without consent) and sometimes exceptions to the exceptions (in the case of FERPA, the "opt out" provision for directory information). Whether a particular breach implicates FERPA, state law, or both will thus depend on exactly what data was released and how.

- FERPA is not a breach-notification law and imposes no affirmative notification requirement. FERPA does, however, require that the institution maintain a record of each unauthorized disclosure, and this record must be available to students exercising their right, granted by FERPA, to examine their files. And if information that is breached is covered by both FERPA and a state breach-notification law, the fact that there is no notification obligation under FERPA does not exempt the institution from complying with the state breach-notification law.

- Regardless of whether an unauthorized release of information requires notification, the institution should conduct a review to determine why the incident occurred and to address any technical or procedural deficiencies that emerge.

- In addition to FERPA and state breach-notification laws, unauthorized release of information may implicate other federal and state laws and regulations (such as Gramm-Leach-Bliley or HIPAA), especially if social security numbers are part of the release.

- Legal requirements, whether based on FERPA or on state breach-notification laws (or, perhaps eventually, a federal breach-notification law), are only one consideration in determining whether to notify, whom to notify, and how. Even if notification is not a legal requirement, your institution may decide for reasons of public relations, policy, or ethics that notification is an appropriate response.

[*] The EDUCAUSE Campus Policy Working Group (http://www.educause.edu/policy/campus/community/wg) is a small group of experts and practitioners active in campus IT policy. This group identifies policy and compliance issues that benefit from focused attention, and provides support to the higher education community on these topics through the development of FAQs, best practices, webinars, and other means.

**********
Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.