See How Colleges Should Best Prepare To Protect Student Information From Cyber-risk

Why Colleges Should Be Concerned About the Security of Student Information

College-aged students have many different types of information to protect. As adults, they have the right to privacy for their educational, medical and personal information. Laws to protect students have many exceptions and limitations, which makes them very confusing. Boards of directors need to know and understand the various laws that place students’ privacy at risk. As part of their duty to oversee the management of the institution, board directors need to make sure that they and all employees of the school know what information can and can’t be shared, and with whom they can share it.

Protected student information sometimes falls into the wrong hands because school personnel didn’t know or understand laws, or because the school didn’t protect itself well enough against cyber-attacks. Regardless of the reason, colleges and universities can easily get sued when student information falls into the wrong hands, leaving board directors on the hook.

Student Rights to Educational Privacy

As parents send their children off to college, students get to experience many of the same rights and responsibilities as adults. However, to some degree, students still enjoy some of the benefits of being covered by their parents. They may be entitled to health insurance benefits and get some financial assistance for student loans when they are full-time students and keep their primary residence with their parents. Parents are usually ready to send their young adults out into the world knowing that their children will still need some financial assistance and moral support along the way. Certain laws take into account that college students are entering the adult world, and yet, they need minor protections through their parents and the school due to their lack of life experience.

In a case titled Griswold v. Connecticut, the U.S. Supreme Court recognized that students have a constitutional right to privacy. The court recognized that becoming citizens and partaking in civic life is one of many steps that students need to take toward responsible independence, and should be one of the goals of higher education.

The major statute that governs student privacy is called the Family Educational Rights and Privacy Act, which is commonly referred to as FERPA. FERPA protects against the unlawful disclosure of student records.

Board directors need to be aware that FERPA provides some flexibility in relation to safety on campus. Certain situations where it’s necessary to protect the health and safety of students and others on campus are legitimate reasons for releasing student records to administrators, professors and parents. Board directors need to rely on their attorneys to interpret the types of situations where FERPA allows exceptions. For example, FERPA requires that the disclosure is appropriate for the situation and limits the disclosure to those who have a legitimate educational interest. The limitation in the law extends to campus security and law enforcement, but they have some additional limitations under the law. It’s important for board directors to know that FERPA allows verbal disclosures under certain circumstances while the same information in written form is protected under the same law.

Legal Relationships Between Schools and Students

Board directors must also be aware of state and local laws that pertain to students. Certain laws allow parents to have access to educational records when they claim their children as dependents for tax purposes. Laws in many states also allow schools to disclose incidents relating to alcohol without student consent, as they pertain to underage drinking.

Many millennials were raised by “helicopter parents” who attempt to manage every aspect of students’ education so their children are successful. Colleges and universities must straddle the fence between helping students succeed in higher education and protecting their privacy.

Protecting Students’ Medical Information

The Health Insurance Portability and Accountability Act (HIPAA) affords students some protection for their medical records, in addition to the standard patient-doctor confidentiality laws. State laws and nonresident students contribute to the confusion about students’ rights to their private medical information.

State medical laws have some crossover with FERPA when issues of health or safety are involved, which makes interpreting both laws complicated and confusing. State medical laws vary substantially, and most colleges have some percentage of the student population that attends from out of state.

The media has reported numerous stories about shootings on campus due to students with mental health challenges. When such students disclose thoughts of, or plans for, unsafe acts, school officials, staff members and the board need to know what information they can legally share, and with whom.

College Responsibility for Data Leaks and Breaches

Most college boards are painfully aware that they need to take steps to protect private student information against phishing, ransomware and malware. Board directors are having increased discussions with cybersecurity specialists about how to prevent data leaks and breaches to protect their students. Hackers know that if they can break through the colleges’ computer network systems, they can steal the personal and medical information of thousands of students and use it for criminal purposes. Cybersecurity presents several challenges for board directors.

For the sake of convenience, many students use the same usernames and passwords for everything. It often doesn’t take much for hackers to survey a student’s social media accounts and guess what their usernames and passwords may be. Hackers are also using students’ social media accounts to find the answers to security questions.

In addition, campus Wi-Fi systems are not always secure enough. Students often use their parents’ credit cards for retail, medical and other services, as well as paying for tuition—commonly using “card not present” transactions. These transactions place students at risk of having their private information stolen.

Many colleges require that students use or buy a computer from them. Some colleges allow students to bring their own laptops and tablets to use at school. Students who bring their own electronic devices to school may not have adequate digital privacy and security systems in place, which places the school’s network in jeopardy of being hacked.

Board directors of colleges and universities are moving toward using board portals to conduct their board business. Board portals allow board directors to connect across the miles between meetings when they need to discuss urgent matters like school shootings, other unlawful behavior on campus and cyber breaches. Board portals give board directors the capacity to store copies of laws like FERPA and HIPAA, as well as other important information about student privacy.