March 15, 2008
Student privacy and intellectual property rights: a primer
by Jim Castagnera
In a world that is changing so much and so quickly, the rules that govern it are forced to do the same. Privacy rights and intellectual property laws are no exception, and they are two issues that cannot be ignored by universities.
The first issue of privacy rights in regard to students’ records has a very direct impact on higher education. The Federal Educational Rights and Privacy Act of 1974 (FERPA) provides the guidelines concerning educational records, student and parent access to them, and the obligation of universities to protect that information. The US education system has had over 20 years to test these boundaries with recent circumstances demonstrating new interpretations.
With intellectual property, two areas apply on a large scale to universities. The first is written media. Plagiarism has been a matter of concern for a long time, and it isn’t difficult to imagine that it is an exceptionally large problem on campus. With the Internet have come new rules and possibilities when it comes to information and, therefore, also plagiarism.
The second area is perhaps not as obviously an issue for universities. Piracy of copyrighted audiovisual media has increased immensely since the Internet’s debut. Of course on-line downloading and copying of songs and movies occurs off campus, but a particularly large amount of attention is being paid to higher education institutions by organizations fighting these crimes. With the advanced on-line networks most competitive universities offer, it is no wonder that many students choose to take advantage of the opportunity to create enormous digital libraries at virtually no cost. But to what degree are universities responsible for enforcing copyright law?
9.1 Students’ Privacy Rights and The Federal Educational Rights and Privacy Act (FERPA)
FERPA was enacted in 1974 to help colleges, students and other third parties understand their rights of access to student records. The law pertains to all schools receiving funds from the US Department of Education. At first glance, it may seem cut and dried. Students and parents have access to their records at any time, and the university is obligated to protect the data from anyone else. However, the law, like most laws, is not that simple and leaves room for much more interpretation. (U.S. Department of Education, 2005)
University students are guaranteed access to their records within a 45-day period of request, but the school is not required to offer a hard copy. If the student is located far enough away from the campus to hinder visiting, the university may choose to send the records to another institution in the student’s area where the documents can then be viewed. Many universities do offer hard copies of student records with, of course, the applicable copy fees. (Lipka, 2006)
Parents and guardians have no guaranteed access to a student’s records. Should they request this access, the student must first be claimed as a dependent on their tax return. Even then, the university does not have to comply. FERPA more or less says that universities may choose when they do or don’t want to offer records to parents and guardians. LeRoy S. Rooker, director of the Family Policy Compliance Office at the U.S. Department of Education, notes that, while it is a school’s right to conceal a student’s records from these third parties, for public-relations reasons, it is generally in the school’s interest to maintain “institutional consistency on what kinds of records are or are not disclosed” (Lipka, 2006). The same can apply to the issue of hard copies. (Lipka, 2006)
9.1a Data Protection and Collection
Exceptions to FERPA include allowing appropriate officials to view records for legitimate legal, health or safety reasons. One recent example is an antiterrorism investigation following September 11th, 2001. The FBI received information about students who had applied for financial aid in order to determine whether suspected terrorists were using student identities to obtain federal money. The investigation was within the legal limits of FERPA; in fact, the government is more or less guaranteed access to all information on FAFSA forms. Only if the university adds information to the form can a violation of FERPA be considered. (Selingo, 2006)
This investigation, which was discovered around the middle of 2006, is of particular interest now due to a controversial new system proposal for tracking student records. The most controversial issue at the moment is government access to student records for the purpose of tracking individual student progress and evaluating institutions. The federal government has been considering a plan to follow student progress and more accurately determine university statistics since 2004. (Gidjunis, 2004)
The unit-record system, which was put into motion by the Bush administration and Republican Congress leaders, would give the government the right to track any individual’s educational progress upon enrolling at a higher education institution. The new system would replace IPEDS, surveys of colleges that report on figures such as enrollment, tuition and faculty salaries. Many now consider IPEDS inadequate. They focus only on colleges’ full tuition prices and not what students actually pay after financial aid. They also do not follow transfer students; “those who earn a bachelor's degree from a four-year college other than the one in which they first enrolled are counted as dropouts” (Gidjunis, 2004).
The proposed system should, of course, take these things into account because it literally would follow a student’s every move with access to personal, academic, financial aid and enrollment data. Private colleges are especially against the new system due to concern that student data is at enough risk as it is. The system was first proposed at a time when identity theft was already an increasing problem and the removal of social security numbers and other personal data from student records was being considered. The new policy is a step in the opposite direction. (Gidjunis, 2004)
A poll in 2006 showed that the majority of Americans are against the unit-record system (Walters, 2006). On the other hand, schools like the University of Georgia have replaced student IDs with biometric scanners. Students must place their hands on sensors to gain access to the university library, gym or cafeteria. The biometric data is, consequently, also a part of the University of Georgia’s files. (Kiernan, 2005)
It is not yet clear whether FERPA would need to be amended in order to accommodate a unit-record system, but either way, proponents of the system are promising protection of student data. Others fear that this is not possible. Identity theft is a large concern, and there is no hard evidence that an infallible data protection system would be feasible. (Fischer, 2006)
Ohio University Security Breach (Wasley, 2006)
In April 2006, the FBI brought a security breach to Ohio University’s attention. The administration at first thought that the breached server did not contain any sensitive data, but upon further investigation they discovered that 35 Social Security numbers had been exposed. Things turned far grimmer when IT found that an alumni-relations office server had been unintentionally left online. Hackers had broken into the server in March 2005 and had been using it for music file sharing. What this meant for Ohio University was that “300,000 files containing personal information about alumni and university staff members, including 137,000 Social Security numbers, had been exposed for more than a year.”
And that was not all. Three other servers/computers had also been breached over the 13-month period. Thousands of tax forms, medical records, a dozen credit card numbers and even more Social Security numbers had been made available to hackers.
Ohio University’s reaction. $77,000.00 was spent notifying hundreds of thousands of alumni of the security breach through e-mails and letters. In the three weeks following the discovery of the breach, Ohio University spent $750,000.00 re-securing its main servers. A consultant was also hired to determine how and why the breach occurred.
In short, the disaster was attributed to negligence. Ohio University had not been providing sufficient funds to maintain security of its electronic files, and its IT departments were disorganized and inefficient. There is also evidence that Ohio University had seen warning signals before the incident, including a student who accidentally stumbled upon sensitive student data, but failed to act.
Outcome. In addition to the over $800,000.00 spent directly after the shock, Ohio University quickly invested $4 million in its IT program. Two system administrators were fired, and the IT chief information officer resigned. The university received 800 angry e-mails and letters from alumni, and, as stated in many of the complaints, it lost many regular donors. Ohio University so far faces one potential class-action lawsuit and knows of more than thirty other cases of identity theft among alumni.
The breach was a big wake-up call not only for Ohio University but for the higher education world in general. The costs and ramifications have so far been great, and the case is not yet closed. Although it is doubtful that a link between much of the identity theft and the incident can be proven, the university has certainly suffered a terrible blow to its reputation, a public relations nightmare.
Advice. Computers and the Internet have proven to be practical for a variety of jobs, but they are luxuries that require caution. Organizations responsible for sensitive data must exercise extreme caution. The Ohio University breach may be the biggest to date, but it is not an isolated incident. Eighty other universities’ systems have been hacked into in the last two years. Many, such as the University of San Diego, are well-financed institutions.
Universities are by nature difficult to secure. They are decentralized and store information in different computers and systems across the campus. One student’s information can be available on several databases concerning library fines, enrollment, meal plans and campus activities. Ohio University has introduced a plan for tightening IT security. Social Security numbers will be used within fewer databases, a strong and clear structure will be created in the IT departments and the necessary security levels will be maintained for sensitive data.
Educause, a higher education technology organization, recommends that such policies be standards at universities. Rodney J. Peterson, a policy analyst at Educause, points out that “the challenge for college system administrators is to develop security policies that protect the institution's data but are flexible enough to accommodate its varied missions” (Wasley, 2006). It is unlikely that colleges can offer 100% security of data without turning into police states. Some college officials believe that there is no way to be sure all systems are safe. "No matter how much we invest in technology, no matter how good our IT staff is, there's nothing we can institutionally do to protect ourselves completely,” says Dennis A. Trinkle, chief information officer of Valparaiso University (Foster, 2006).
Many states have adopted laws requiring public and private colleges to notify individuals affected by data breaches. Although not yet mandatory, many colleges invest in offering credit-monitoring services to clients whose data was exposed. As shown by Ohio University, these are costly measures, but they may only be the beginning. Should the case against Ohio University be certified as a class-action lawsuit (the first of its kind), hundreds of thousands of people would be eligible to receive damages for the university’s failure to secure their data. (Foster, 2006)
Based on these circumstances, some institutions have invested in cyberinsurance policies similar to those used by banks, hospitals and retailers. The number of colleges buying policies has gone up this year, but it is still relatively rare. Many still feel there is not enough evidence of financially significant breaches to justify cyberinsurance. The general opinion seems to be that there isn’t enough information to be sure one way or the other. Certification of the Ohio University case as a class action would most likely provide the turning point and put cyberinsurance on its way to becoming a higher education standard. (Foster, 2006)
The near future should offer more concrete facts regarding the issue, but until then, a cyberinsurance policy is certainly a safe move. It should not, however, replace solid Internet security. Insurance may cover the financial costs of data theft, but not the damage done to a school’s reputation and public relations.
9.2 Intellectual Property
“The concept of intellectual property is almost dead thanks to the Internet” (Khanna, 2004). That is a grim statement that cannot be ignored. The Internet has changed our world enormously, opening new doors of communication and access to knowledge. Such privilege does not come without responsibility, as the degree to which it can be taken advantage of is enormous. The idea of intellectual property is to treat knowledge like private property, using copyrights, trademarks and patents to enforce the notion.
Some see turning intellectual property into private property as an “enclosure of the commons” that hinders the advancement of science and democracy (Monaghan, 2005). On the other hand, one of the first statements of fair use dates back to the Talmud. It is written that a person “who reports something in the name of the one who said it brings redemption into the world" (McLemee, 2004). As interpreted by Rabbi Joseph Telushkin, the statement means that when a person fails to attribute a piece of information, he/she uses it for personal gain. When properly attributed, the information is being used for the purpose of expanding everyone’s knowledge. (McLemee, 2004)
This is one of the main arguments behind the ethical issue of plagiarism. Unlike copyright infringement, plagiarism includes more than directly copying a passage. The use of another person’s idea without citation is also a form of plagiarism. Copyright law enforces economic interest, the violation of which can result in judicial punishment. Plagiarism enforces personal and ethical interest and will rarely go beyond the dean’s office. One may not go to court for plagiarism, but can be punished severely at the higher education level. (McLemee, 2004)



