Guide to Computer Law—Number 329

Practitioner’s Perspective

by Holly K. Towle, J.D.

Holly K. Towle is a partner with K & L Gates LLP, an international law firm, and chair of the firm’s E-merging Commerce group. Holly is located in the firm’s Seattle office and is the coauthor of The Law of Electronic Commercial Transactions (2003, A.S. Pratt & Sons). Holly.Towle@KLgates.com, 206-623-7580.

Practitioner’s Perspective appears periodically in the monthly Report Letter of the CCH Guide to Computer Law. Various practitioners provide in-depth analyses of significant issues and trends.

FERPA? It’s the Family Educational Rights and Privacy Act,1 the federal privacy law requiring parents and eligible students to provide written consent before “educational agencies and institutions” (think schools and universities etc.—“Schools”) disclose “personally identifiable information” (“PII”) from education records. As of January 8, 2009, covered Schools, as well as their outsourcers, are impacted by significant amendments to U.S. Department of Education (“DOE”) regulations.2 Schools have long lived with FERPA, but significant changes have occurred that require modification of previous practices as well as new practices.

Some of the Significant Changes. In a nutshell, here are a few impacts of the new rules:

• Schools need to change their privacy notices and designations of Directory Information. This is because social security numbers (“SSNs”) and student identification numbers allowing access to education records have been removed from “Directory Information” and placed into PII.
• When a landlord or employer asks a school to confirm a degree or enrollment and supplies a SSN to help the School do that, the School may not use the requestor-supplied SSN to do the search or make a confirmation based upon its use, unless the requestor also supplies a written consent (student or parental) with particular content.
• If a School decides to “de-identify” data in order to avoid having it treated as restricted information, there are new, context based rules for cleansing it.
• The ability to treat outsourcers as “school officials” authorized to deal with PII without parental or student consent has been formalized and expanded, but contracts will need to meet new rules. Vendors selling goods and services are not eligible.
• Schools must record data security breaches as disclosures of PII. Although FERPA does not require that notice of a data security breach also be given to students or parents, DOE has explained how to give notice (the notice that isn’t required to be given). (State statutes requiring notice of data security breaches largely do not exempt Schools, so those laws may require notice regardless of FERPA).
• DOE has concluded that FERPA duties inherently include particular data security obligations for Schools, outsourcers, and service providers, but these security duties are not apparent from the regulation text. DOE views compliance as necessary to receipt of DOE funds.
• Schools will need to review and revise procedures used to identify and authenticate students and others authorized to access education records or PII—some common practices might not pass muster under the new rule requiring use of “reasonable methods” to identify and authenticate persons seeking access to education records. DOE staff, at least, has some rather firm views regarding what is “reasonable,” which are not stated in the regulation.

Focus of the Changes and “Harmonization” (or lack thereof) with Other Data Laws. Most of the changes flow from concerns regarding data privacy and security. In essence, DOE is requiring, or strongly encouraging, Schools to take the kinds of measures that are increasingly required for other businesses and organizations, profit or non-profit. Throughout its introduction to the regulations, DOE acknowledges that FERPA does not authorize DOE to impose many direct liabilities; but by happy coincidence, DOE explains that some obligations have been inherent in FERPA all along. Whether DOE is correct can be debated, but part of the outcome would likely be similar under other data protection and security laws applying to Schools regardless of FERPA. All businesses are struggling to find and comply with such laws which exist in a bewildering, non-uniform array at the federal and state level—and Schools are seldom exempted from them.

One significant exemption is one-half of the federal Gramm-Leach-Bliley Act (“GLBA”). That act covers “financial institutions,” a very broadly defined term in the Act. There are two GLBA regulations, a “privacy” regulation and a “safeguards” (security) regulation. Colleges and universities engaged in covered activities objected to being viewed as “financial institutions,” but the FTC disagreed, saying, “Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers.”3 However, the FTC did agree that FERPA already imposes a significant privacy regime, so for purposes of the GLBA privacy regulation, the FTC excepted financial institutions that are FERPA compliant.4 However, no exception appears in the GLBA safeguards regulation, so Schools that are “financial institutions” (and that is a question in itself) likely need to comply with that GLBA rule, as well as FERPA. Such Schools might already have comprehensive security programs so the new FERPA push might be redundant. However, given particular views expressed by the DOE, all Schools will want to go back to the drawing board and take a fresh look at their security practices under FERPA.

As for other data security laws, FERPA may (or may not) provide some preemption. When it does not, Schools are subject to many state rules regarding data collection (e.g., rules prohibiting a virtual classroom from requiring entry of a SSN over the Internet, absent encryption), data transmission (e.g., a Nevada school may not email certain PII because emails are not secure), data breach (giving notice to “data subjects” of certain data security breaches), payment system data security rules (e.g., credit or debit cards or direct debits to parent, student or employee bank accounts) and so on.

Cognitive Dissonance for Schools. Schools should be particularly confused about all of these laws, with good reason. Schools are used to dealing with a true privacy law, FERPA, which protects education records and PII from them, items fitting within traditional views of privacy:

Every individual has some phases of his life and his activities and some facts about himself that he does not expose to the public eye, but keeps entirely to himself or at most reveals only to his family or to close personal friends. Sexual relations, for example, are normally entirely private matters, as are family quarrels, many unpleasant or disgraceful or humiliating illnesses, most intimate personal letters, most details of a man’s life in his home, and some of his past history that he would rather forget. When these intimate details of his life are spread before the public gaze in a manner highly offensive to the ordinary reasonable man, there is an actionable invasion of his privacy, unless the matter is one of legitimate public interest.5

In contrast are data protection laws, the most common type of modern “privacy” law that is not really about traditional privacy. Data protection is a broader concept, grounded less clearly in protecting truly confidential information and more in simply designating certain data as legally protected.
Some data protection laws embody the premise that the individual has a right to manage and control use of certain information (public or private) about that person, at least in some circumstances. Others simply target particular data types as protected because of real or perceived harms that can occur from use of the data in modern commerce.

FERPA provides the best example of this dichotomy and the confusion it can create. FERPA is a true privacy statute, i.e., education records and PII from them are confidential information to be revealed only to the student or parent. In contrast, the subset of PII known as “Directory Information” personally identifies the student and is PII, but it is not traditionally viewed as private. By definition, Directory Information is information “that would not generally be considered harmful or an invasion of privacy if disclosed.”

Because Schools are used to thinking of Directory Information as relatively harmless, non-FERPA data protection laws can come as a particular surprise to Schools. The new FERPA regulations increase this confusion because they move data between categories: until January 2009, Directory Information included social security numbers and certain student identification numbers; but now those are private PII and not Directory Information. Confusion aside, Directory Information has always had some protection in FERPA and can have further protection under some data protection laws. In a sense, FERPA “Directory Information” rules are “data protection” rules, whereas FERPA rules for PII are true “privacy” rules.

What is Directory Information currently?
It is information such as the following (but no longer including an SSN or certain student identifiers): student’s name; address; telephone listing; email address; photograph; date & place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended.

The New FERPA Rules. There are too many new rules to discuss here, but the new rule regarding identification and authentication illustrates the fact that the new regulations should not be taken at face value. The new rule says this:

An educational agency or institution must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records.6

“Authenticate” means different things under different laws (e.g., under the Uniform Commercial Code it means “to sign” something). For purposes of the DOE, it means ensuring that the person identified as being authorized to access PII is, in fact, who he or she purports to be, and “identification” means determining who is the intended or authorized recipient of information.7 Thus, “John Doe, Principal” may be identified as authorized to access PII, but determining whether the person purporting to be John Doe is actually John Doe, is authentication.

What about the new rule? It requires Schools to use “reasonable methods” to identify and authenticate users. Most Schools likely think they already do that, such as for their online courses or records access. But what would those Schools say if they read DOE statements regarding the regulation, statements that are not printed in the Code of Federal Regulations?
Would the School’s identification and authentication procedures be “reasonable” if viewed in light of the following DOE statements?

• “The use of widely available information to authenticate identity, such as the recipient’s name, date of birth, SSN or student ID number, is not considered reasonable under the regulations.”
• “We assume that educational agencies and institutions that require users to enter a secret password or PIN to authenticate identity will deliver the password or PIN through the U.S. postal service or in person.”
• “As noted in the preamble to the [Notice of Public Rulemaking] single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances.”
• “Likewise, an educational agency or institution must ensure that it does not deliver a password, PIN, smart card, or other factor used to authenticate identity in a manner that would allow access to unauthorized recipients. For example, an agency or institution may not make education records available electronically by using a common form user name (e.g., last name and first name initial) with date of birth or SSN, or a portion of the SSN, as an initial password to be changed upon first use of the system.”
• “Under the proposed regulations an educational agency or institution may determine that single-factor authentication, such as a standard form user name combined with a secret PIN or password, is reasonable for protecting access to electronic grades and transcripts. Single-factor authentication may not be reasonable, however, for protecting access to SSNs, credit card numbers, and similar information that could be used for identity theft and financial fraud.”

73 FR 15574, 15585-86 (3/24/08) and 73 FR 74806, 74848 (12/9/08) (emphasis added).

Many of these DOE statements are consistent with what is going on under “non-FERPA” law.
The point here, however, is that if the DOE actually intends the rule to encompass each of these specific assumptions or particularized applications, then the appropriate place for such “rules” is in the regulation itself or official interpretations, not in analysis accompanying a proposed or final regulation.

In short, the new rules should not be taken at face value, at least from a compliance perspective—there is more to them than meets the eye. With that in mind, Schools may wish to take a long, close look at the new rules and attempt to conform their existing policies, practices, and notices.

Endnotes

1 20 U.S.C. § 1232g.
2 See 34 CFR Part 99, 73 FR 74806 (12/9/08).
3 65 FR 33646, 33648 (5/24/2000).
4 16 CFR 313.1(b), the privacy regulation, says this: Any institution of higher education that complies with the Federal Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.
5 Reid v. Pierce County, 136 Wash. 2d 195, 961 P2d 333 (1998).
6 34 CFR § 99.31(c).
7 The distinction made here between authentication and identification is a distinction made by the Department of Education under FERPA. See 73 FR 15574, 15585 (3/24/08) (Notice of Proposed Rulemaking).