Virginia schools in a privacy pickle: a well-intentioned state law raises significant data privacy risks for institutions and their students.EFFECTIVE JULY 1, VIRGINIA higher education higher education Study beyond the level of secondary education. Institutions of higher education include not only colleges and universities but also professional schools in such fields as law, theology, medicine, business, music, and art. institutions have been required to electronically transmit to Virginia state police the following on each accepted applicant: name; Social Security "or other identifying number"; date of birth; and gender. The reasoning behind the requirement is unquestionably un·ques·tion·a·ble adj. Beyond question or doubt. See Synonyms at authentic. un·ques  tion·a·bil good. It's just one statutory change to help protect Virginia citizens from sex offenders sex offender n. generic term for all persons convicted of crimes involving sex, including rape, molestation, sexual harassment and pornography production or distribution. . The statute directs the police to compare the information with sex offender registries. Law enforcement officials indicate that they'll notify the institutions of any matches and keep tabs on the individuals. Few students would not want to know that a convicted sex offender lives in the dorm room next door. However, the law puts IHEs in the middle of a situation that creates increased risk of loss or theft of personal information and, ultimately, potential mass identify theft of all applicants. It at least raises the question of whether the same objectives could be achieved with less risk to individuals and institutions. Does an institution really have to release Social Security numbers? In a clever piece of statutory drafting, the general assembly requires the information to be transmitted before the accepted applicants become "students in attendance," subject to the federal Family Educational Rights and Privacy Act The Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) is a United States federal law codified at 20 U.S.C. 1232g, with implementing regulations in title 34, part 99 of the Code of Federal Regulations. (FERPA FERPA Family Educational Rights and Privacy Act (aka the Buckley Amendment) FERPA Fédération Européenne des Retraités et des Personnes Agées (French) ) information transmission restrictions. Since the law also does not define "other identifying number," it seems the law requires that IHEs cull cull the act of culling. Called also cast. Social Security numbers from applications and transmit them to the police. Law enforcement officials say they'll take appropriate steps to protect the data, and there's no reason to doubt that they'll try. After the data has been crosschecked, we are told it will be duly destroyed. VIGILANCE VIGILANCE. Proper attention in proper time. 2. The law requires a man who has a claim to enforce it in proper time, while the adverse party has it in his power to defend himself; and if by his neglect to do so, he cannot afterwards establish such claim, the NOT ENOUGH The question is not the motives of legislators or law enforcement officials. The hard fact is that situations where thousands and sometimes millions of individuals' personal data has been stolen, lost, or exposed appear in the media constantly. Sometimes identities are stolen and as the Citibank television ads demonstrate when they are, lives are made miserable. Where identities are not stolen, the potential victims are left to live in fear, repeatedly checking their account activity and credit scores in hopes that they will not become a character in those advertisements. Few incidents are the result of ill intentions on the part of data keepers. The more data is created, replicated, and transmitted, the more likely it is to be exposed due to employee negligence or hackers aided by inadequate safeguards. Thus, institutions should create and store personal data only where they must and transmit it on a strict need-to-know basis--first obtaining contractual safeguards from the receiving party about their handling of the information and putting in place internal processes to help protect it. The Virginia legislature has created a multiple-step process for personal data. The Social Security numbers will travel each step of the way, likely housed on yet another computer during each step, increasing the likelihood that the data will become the subject of tomorrow's newspaper story on personal data theft or loss. The worst-case scenario worst-case scenario n → Schlimmstfallszenario nt for educational institutions: In the additional steps on their end, they will misstep and subject themselves to a class-action lawsuit for negligent negligent adj., adv. careless in not fulfilling responsibility. (See: negligence) handling of the data on its way to police. Given the attention to identity theft, we are likely to see extensive federal and state legislative activity in the months and years ahead, as we struggle to harness the great electronic powers we have created against this unintended side effect. We will also see increasingly sophisticated internal tools to protect data, as entities become more vigilant in their data-protection efforts in order to avoid liability. In that environment, the law that creates rather than diminishes chances for data theft will be very unusual. It seems appropriate to ask all state legislators to strive for solutions that address these serious threats to citizens. William Nolan is a partner in the Columbus, Ohio Columbus is the capital and the largest city of the American state of Ohio. Named for explorer Christopher Columbus, the city was founded in 1812 at the confluence of the Scioto and Olentangy rivers, and assumed the functions of state capital in 1816. , office of the law firm Squire, Sanders San´ders n. 1. An old name of sandalwood, now applied only to the red sandalwood. See under Sandalwood. & Dempsey, www.ssd.com. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion