Protecting the Security of Student Data: Krebs v Rutgers, a case study

In 1992 seven students at Rutgers University sought federal court action to compel University administrators to protect their Social Security Numbers (SSNs) from dissemination. The case became known as Krebs v Rutgers. It is often cited as guidance for what must be done to protect privacy from promiscuous use of SSNs. The court record tells their story.

On April 20, 1992 Keith Krebs and six other students filed a federal case, later amended to include FERPA in their complaint. They asked the court to prevent, by injunction, the University’s collection of Social Security Numbers, except where required by statute, and the dissemination of Social Security Numbers. Three months later the court granted the requested injunction. Subsequently the students and the University reached a confidential agreement for student privacy.

Several years later an unidentified author on the website of the Computer Professionals for Social Responsibility wrote:

Keith Krebs sent me email in early 2000 saying that the case may need to be re-opened, since the University seems to be “unilaterally abrogating the settlement decree by initiating a change in policy prohibiting students from obtaining dummy SSNs [rather than have their real SSN used by the University].” I haven’t heard from him recently.

In his opinion Judge H. Lee Sarokin summarized the issues:

Plaintiffs, students at Rutgers University … challenge the collection and use of social security numbers by the university. Although the court determines herein that the university has the right to request and to utilize the social security numbers of its students, there is evidence that the confidentiality promised and required has been and will continue to be breached. Such future breaches must be enjoined.

[The law] does prohibit their [SSN] unauthorized dissemination, because of the vast source of personal information for which they provide access.

Krebs and his colleagues filed their case under the Privacy Act of 1974. Later they amended their Complaint citing the Federal Family Rights and Privacy Act (FERPA).

According to the plaintiffs, the students’ Social Security Numbers were used on student identification cards, in class rosters that included the student’s name, and in posted grades. Thus “Any student in the class can obtain the social security number of any other student in the class, thereby, obtaining the means to discover confidential information such as grades, credit history, etc.” The University conceded “such a practice would violate FERPA if this were a policy or custom of the University, an assertion which [the University and President] dispute.”

During the litigation the University only agreed to advise faculty members to cut off or delete student identification numbers [Social Security Numbers] from any class rosters circulated in the classroom. University officials also indicated “any student can request a ‘dummy’ nine-digit social security number to be used as his or her identification.”

The court concluded the Privacy Act does not apply to Rutgers University “because Rutgers is not an [governmental] ‘agency’ as defined by the Act.” The State of New Jersey did not have “direct, let alone day-to-day control” to define Rutgers University as a state agency.

Referring to FERPA, Sarokin writes:

[The seven students] recognize and accept that every court which has addressed the issue has concluded that FERPA does not provide a private cause of action.

That is, a person may not enforce FERPA through the courts. A person may initiate action only by a complaint to the U.S. Department of Education, which has only limited remedies.

There are no records that suggest the Department has ever initiated an enforcement action. Violators are provided “a reasonable period of time, given all of the circumstances of the case, during which the educational agency or institution or other recipient [receiving a notice of non-compliance] may comply voluntarily.” If an education agency or institution or other recipient of Department funds does not comply, the Secretary may withhold further payments, issue a cease and desist order, or terminate eligibility to receive funding. Unenforced FERPA is hardly threatening.

The students claimed “irreparable harm.” Judge Sarokin pointed out:

“… any violations of those protected rights presents serious, ‘irreparable’ injury. Privacy Act case law and legislative history support this assertion.”

He commented:

Notwithstanding plaintiff’s broad assertions of harm and indignity, plaintiffs’ point is very well taken, especially in light of the antagonistic and dismissive attitude which the university has taken during the parties’ initial negotiations.

Rodney Hartnett, Associate University Vice President for Academic Affairs, had certified “that a simple notice to all faculty might cure the problem,” yet the University had taken no action. Judge Sarokin concluded an injunction would be appropriate. The students had, via the courts, forced a change of the University’s collection and use of Social Security Numbers. SSNs became protected data at Rutgers University.

The U.S. Department of Education recognizes the limitations on enforcement of FERPA. In the December 2, 2011 discussion of the amendments to FERPA, the Department noted:

Four commenters requested that the Department adopt more significant penalties, including incarceration and substantial fines, for FERPA violations.

The Department responded aggressively:

In FERPA, Congress expressly directed the Secretary to “take appropriate actions” to “enforce” FERPA and “to deal with violations” of its terms “in accordance with [the General Education Provisions Act].” … GEPA’s enforcement methods expressly permit the Secretary to issue a complaint to compel compliance through a cease and desist order, to recover funds improperly spent, to withhold further payments, to enter into a compliance agreement, or to “take any other action authorized by law,” including suing for enforcement of FERPA’s requirements.

The Department also now requires that “written agreements” with servicers and others include compliance with FERPA as a contractual requirement. This is similar to the approach that Tracy Mitrano recommended in her November 11, 2011 Inside Higher Education blog. But the Department’s agreements have all of the weaknesses of FERPA.

Judge Sarokin’s comment and university inaction did not reflect well on either University leadership or general counsel, and should be a lesson for college and university attorneys.

He also commented: Plaintiffs, students at Rutgers University, represented “themselves in a highly competent and thoughtful manner.” This is a high and deserved compliment to the University’s faculty and their seven students who did so well in a complex case.

Notes

cause of action

1 : the grounds (as violation of a right) that entitle a plaintiff to bring a suit [an amended pleading reiterating a cause of action for lost profits "J. H. Friedenthal et al."]

;also

: the part of a suit brought on those grounds [removed the cause of action to the district court]

2 : right of action [the court, led by Justice Brennan, said Congress intended to provide a private cause of action "National Law Journal"]

Exhaustion of Remedies

:a doctrine of civil and criminal procedure: a remedy cannot be sought in another forum (as a federal district court) until the remedies or claims have been exhausted in the forum having original jurisdiction (as a state court, tribal court, or administrative agency) compare primary jurisdiction at jurisdiction NOTE: The doctrine of exhaustion of remedies was first developed by judges in case law based on comity. It is used primarily in administrative law cases and federal habeas corpus cases, and it is now incorporated in the federal habeas corpus statute (section 2254 of title 28 of the U.S. Code). It may also be applied when an administrative agency has original jurisdiction over a claim. It is used in proceedings in tribal courts.

private

1 a : intended for or restricted to the use of a particular person or group or class of persons

: not available to the public [a private park]

b : not related to, controlled by, or deriving from the state [a private school]

2 a : owned by or concerning an individual person or entity [private land]

b : not having shares that can be freely traded on the open market [a private company]

3 : affecting the interests of a particular person, class or group of persons, or locality [private legislation] [private rights]

4 a : not invested with or engaged in public office or employment [a private citizen]

b : not related to or dependent on an official position [private correspondence]

5 : not known publicly or carried on in public

;esp

: intended only for the persons involved

6 : made under private signature [a private instrument]

right of action

1 : a right to begin and prosecute an action in the courts (as for the purpose of enforcing a right or redressing a wrong)

2 : chose in action at chose

section 1983

: the section of title 42 of the U.S. Code that makes a person liable for depriving another of any rights, privileges, or immunities secured by the U.S. Constitution and laws while acting under color of any statute, ordinance, regulation, custom, or usage of a state

FindLaw Legal Dictionary, Source: Merriam-Webster’s Dictionary of Law ©1996. Merriam-Webster, Incorporated. Published under license with Merriam-Webster, Incorporated.

About

Jim Farmer is an engineering economist at instructional media + magic inc. His interests include educational technology, academic research, and information standards. He also writes for Intellectual Property Magazine.