The University of Oklahoma unintentionally exposed thousands of students’ educational records — including Social Security numbers, financial aid information and grades in records dating to at least 2002 — through lax privacy settings in a campus file-sharing network, violating federal law.
The university scrambled to safeguard the files late Tuesday after learning The OU Daily had discovered the breach last week. The Daily spoke to vice president for admissions and records Matt Hamilton Tuesday afternoon, when he said OU IT was aware of the breach and was working to secure the files.
OU press secretary Matt Epting provided the following statement late Tuesday night: “The IT Security team has found no evidence to confirm that there has been a breach by an outside party, and is investigating the scenario that enabled an individual to access the files the individual has claimed to download.”
At no point did The Daily suggest there had been an outside breach, but rather that lax security measures allowed email users more access to educational records than should have been allowed.
In just 30 of the hundreds of documents made publicly discoverable on Microsoft Office Delve, there were more than 29,000 instances in which students’ private information was made public to users within OU’s email system. Each instance could constitute a violation of the Family Educational Rights and Privacy Act, which gives students control over who can access their educational records.
“This isn’t even gray. It’s very clear in FERPA — you’ve got to have signed consent to do this or meet one of the exceptions to signed consent,” said FERPA expert LeRoy Rooker when briefed on the scope of the OU breach. “This doesn’t fit either of these.”
Rooker headed the Family Policy Compliance Office in the U.S. Department of Education, the office that administers FERPA, for more than two decades. He said he was certain the files were disclosed unintentionally: No one sets out to violate FERPA. Schools violating the law can have their federal funding pulled, though they’re always given a chance to remedy the situation and avoid the penalty.
“I know the people there, from (OU President) David Boren on down — Matt Hamilton, all of them — they’re very FERPA-conscious,” Rooker said. “Something slipped through the cracks. Somewhere, somebody didn’t know what they were doing or a vendor didn’t educate them.”
Read the complete story at oudaily.com.
Note: Dana Branham is a senior majoring in journalism at OU and was editor-in-chief of The OU Daily last school year. She will be working part-time as an intern at Oklahoma Watch in the fall.