This year has been a busy year for education law in the area of data privacy. Educational institutions continue to be a rich target for hackers. Additionally, there were some important developments in the interpretation of Family Educational Rights and Privacy Act (FERPA) and the Telephone Consumer Protection Act (TCPA) as it applies to educational institutions.

  • In December, DeVry University Settled with the FTC for $100 million over allegations that it misled prospective students with ads that promised higher employment success and income upon graduation.
  • Also in December, UMass Amherst settled with the Office for Civil Rights (OCR) for $650,000 for HIPAA violations related to a malware infection that led to the release of names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses, and procedure codes.
  • In November, a hacker gained access to 1,213 records of applicants to the University of Wisconsin Law School.
  • On September 14, 2016, the Department of Education (DOE) issued a “Dear Colleague Letter” providing guidance on the application of FERPA to the disclosure of student medical records in the context of litigation.
  • On August 4, 2016, the Federal Communications Commission (FCC) issued a Declaratory Ruling concerning when school callers could lawfully make robocalls and send automated text messages to student family cell phones pursuant to the “emergency purpose” exception or with prior express consent without violating the TCPA.
  • In July, University of Mississippi Medical Center settled with the OCR for $2.75 million following a self-reported data breach concerning a missing laptop from the Intensive Care Unit. The laptop contained the unsecured protected health information of approximately 10,000 patients.
  • On May 13, 2016, the Department of Justice and DOE issued a “Dear Colleague Letter” providing guidance regarding the privacy rights of transgender students.
  • In April, Tidewater Community College was hit with a phishing scam that exposed the personal information of 3,193 employees.
  • In February, the University of Central Florida announced a data breach that affected 63,000 current/former students and employees. Among the data that was released was Social Security numbers, first and last names, and student/employee ID numbers.
  • Also in February, the University of California-Berkeley announced that the financial data of approximately 80,000 students, alumni, employees and school officials was compromised.

Under Barack Obama’s presidency, the DOE and FCC broadened their enforcement powers, including on privacy and data security issues.  Now, under a Trump administration, it is unclear whether this guidance will be rescinded or whether FERPA will be overhauled by the Republican controlled Congress.

What is clear is that educational institutions will continue to be a target of hackers and phishing schemes. They are attractive sources of a large volume of Social Security numbers, bank accounts, driver’s license numbers, health information, employee records, and valuable research. Many states are responding to these threats with bills or resolutions requiring educational institutions to notify parents, students or government entities if a breach occurs.