June 6, 2014
The University of Virginia Law School places a substantial number of its graduates in judicial clerkships. Of the 364 graduates in the class of 2013, 70 of them, or nearly one-fifth, were in judicial clerkships within nine months after graduation. Students interested in clerkships participate in a listserv discussing judicial clerkships. In early June, students who are on the list received a message with an attachment that was a revelation in the truest sense of the word. The law school’s director of judicial clerkships sent out a message that was supposed to include an attachment with hiring details for the U.S. District Court for the District of Maryland. Unfortunately, the wrong document was attached. The attachment was a spreadsheet that set out the confidential information of 155 Virginia law students who were applying for clerkships. The confidential information included students’ grade point averages and class ranks, and also their work experience and the names of those who were providing recommendations.
The Virginia incident is not the only one of its kind. In March of 2014, Loyola University Law School in Los Angeles inadvertently e-mailed a document to all students that contained personal information about every member of the graduating class. The information included each student’s “name, internal system ID number (not student ID number), Social Security number, graduation year, academic status (not grades) and program (JD, LLM), as well as loan type and amount.” In 2012, an e-mail to prospective students at Baylor University Law School contained an attachment listing all of the students’ names, addresses, phone numbers, LSAT scores, and ethnicity. The spreadsheet also included the total amount of scholarship money each student would receive, and each student’s admissions index (a formula that combines an applicant’s LSAT scores and undergraduate grade point average into a single number). Higher education data breaches seem to be commonplace in all types of colleges and universities.
Two interesting points are raised by these news stories. The first is that the accidental disclosures were via e-mail attachments. The public awareness of data breaches has been raised by incidents such as the data breaches at Target or E-Bay. Those highly-publicized breaches were the result of hackers deliberately breaching the security of a system. Internet security experts argue that the breaches at both Target and E-Bay could have been avoided, or their effects mitigated, by better attention to security. The law school “data dumps” all involved accidental e-mail attachments by someone who probably had the permission to view (but not release) the documents. Even the best security system is vulnerable to the accidental attachment. Humans are the weakest link in any security plan.
The second point relates to the nature of the information disclosed. Disclosure of financial information and Social Security numbers, as in the Loyola incident, or the security breaches at Target and E-Bay, is certainly improper. What about academic information, such as grades and class ranks? While this information may be humbling, if not embarrassing, for many students, was it unlawful?
The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, places limits on the data that an educational institution—including a law school—may release. A school may release directory information, such as a student’s name, address, telephone number, enrollment status, dates of attendance, and degrees, honors, and awards received, without prior permission from the student to whom the information relates. Directory information is regarded as information “that would not generally be considered harmful or an invasion of privacy if disclosed.” Personally identifiable information, on the other hand, is not to be released without a student’s consent, except to
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena; or
- Appropriate officials in cases of health and safety emergencies.
- “Personally identifiable information” is defined by example. The term includes, but is not limited to, the following:
- The name of the student, or the student’s parents or other family members;
- The address of the student or the student’s family;
- A personal identifier, such as a Social Security number, student number, or biometric record;
- Indirect identifiers, such as a student’s date or place of birth, or mother’s maiden name;
- “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty;” and
- Information requested by a person who the school reasonably believes knows the identity of the student to whom the information relates.
See, 34 C.F.R. § 99.3 (note that there is overlap: a student’s name is considered both “directory information” and “personally identifiable information”). Information may be released if all personally identifying information is removed. 34 C.F.R. § 99.31.
Student grades are records, and once they are made official, cannot be released without the student’s permission. See, Owasso Independent School District v. Falvo, 534 U.S. 426 (2002). A law school may release some information without a student’s request (“Jane Doe attended the school from 2006 to 2009, and was awarded her J.D. degree cum laude. She was a member of Order of the Coif, and was an editor of the law review.”). Information that is more detailed (“She graduated sixth in her class, and got an A- in commercial paper”) must remain confidential, even from fellow students, unless the student consents to the release.
Enforcement of FERPA is accomplished by administrative action in the U.S. Department of Education. Courts have consistently held that FERPA does not create a private right of action for violations. Gonzaga University v. Doe, 536 U.S. 273 (2002). Law students whose grades were released without their permission will have to find another way to sharpen their legal skills.