Discuss your action plan for handling this situation.
As the CIO of a small college, you are confronted with a potential violation of the privacy guidelines set in place by the Family Educational Rights and Privacy Act (FERPA). The Director of Financial Aid unknowingly hits "reply all" on an email to which an employee had unwittingly copied a list of nearly 150 students. The email contains a list of over 100 names, social security numbers, and enrollment statuses. The employee realizes his mistake but, judging it to be unimportant, does not let anyone know about the error until the following day. Students open the email; one replies all with defamatory remarks about the college, while others email the administration to let them know about the problem. The story appears in the news, and five days later a student accuses the college of violating FERPA and Department of Education policies. Students are now suing.
The situation described here is a clear violation of the Family Educational Rights and Privacy Act (FERPA), because:
1) Personally identifiable information from education records (names, social security numbers, and enrollment statuses) was disclosed without the prior written consent of the eligible students or their parents.
2) The information was released, without consent, to parties who had no legitimate educational interest in it and were therefore not eligible to receive it.
The situation therefore demands two-fold action: containing and handling the current incident, and ensuring that similar incidents are not repeated in the future. Both short-term and long-term measures are needed.
As the CIO, I would recommend the following actions for short-term corrective strategies:
1) Contain the disclosure first: recall the message where the mail system allows it, ask all recipients in writing to delete the email and any copies, purge it from the mail server and backups to the extent possible, and preserve the original message headers and distribution list as the incident record.
2) Determine accountability. The employee attached the student listing and, even after realizing the mistake, did not inform his superiors, so prima facie the fault lies with him and corrective action should be taken through the college's normal HR process. The Director's "reply all" was the second failure in the chain and should be reviewed as well; the delay in reporting is the more serious lapse, since it cost a full day of containment.
3) Notify the affected students and parents directly and in writing, stating what was disclosed, that the disclosure was unintentional, what the college has done to contain it, and what is being done to prevent a recurrence. Because social security numbers were exposed, the notice should also advise recipients on credit monitoring and fraud alerts; counsel should confirm whether state data-breach notification law applies in addition to FERPA.
4) Understand the legal exposure. FERPA itself does not create a private right of action; the Supreme Court held in Gonzaga University v. Doe (2002) that individuals cannot sue to enforce it, and the enforcement remedy is a complaint to the Department of Education, which can investigate and ultimately withhold federal funding. That does not make the lawsuit moot, however, because students may still bring state-law claims such as negligence or breach of privacy over the exposed social security numbers, so counsel should be engaged immediately.
5) The student body should be contacted by the Provost and CIO through a general email acknowledging the incident, addressing concerns, and explaining the measures that will prevent a repeat.
In the long-term planning, access to student data will be limited to the individuals who need it for their role, and those individuals will lose the ability to send such data to "reply all" recipients or to broad email distribution lists. Two further controls are needed for this to be effective: social security numbers should no longer be used as a working identifier in financial aid lists (an internal student ID should be used instead), and outbound email should be scanned for patterns such as social security numbers and blocked or quarantined when they appear. Finally, every employee who handles student records should receive mandatory FERPA training, and the college's incident policy should require that any suspected disclosure be reported to the CIO's office immediately, not the following day.