Here are some of the examples of data breaches given in the petition:
* A University of Maryland database containing 287,580 student, faculty, staff and personnel records was breached in 2014; the “breached records included name, Social Security number, date of birth, and University identification number.” The breached records included records going as far back as 1992.* In 2015, unauthorized individuals gained access to the University of Berkeley’s Financial System and gained access to Social Security numbers and bank account information for approximately 80,000 students, vendors, staff, and current and former faculty. By some estimates, the breach impacted “approximately 50 percent of current students and 65 percent of active employees.”* Indiana University also reported that it had stored names, addresses and Social Security numbers for “approximately 146,000 students and recent graduates” in an “insecure location” for almost a year, thus potentially exposing students to identity theft and other forms of fraud.
The petition asks that the Education Department establish new rules within FERPA for encryption, privacy-enhancing techniques and breach notification. Among the signatories are the members of the advisory board of the Electronic Privacy Information Center, a Washington, D.C.-based nonprofit public interest research group that focuses on civil liberties issues and the First Amendment, as well as groups including the American Association of School Librarians and the Consumer Federation of America.
The Education Department has come under stern criticism from Congress and its own Inspector General’s Office for its handling of student data. In a 2014 report, the department’s Inspector General’s Office said:
“While the Department made progress in strengthening its information security program, many longstanding weaknesses remain and the Department’s information systems continue to be vulnerable to serious security threats.
In November, lawmakers at a hearing held by the full House Oversight and Government Reform Committee, took Danny Harris, the chief information officer of the Education Department, to task for the way data is handled for more than 40 million federal student loan borrowers, as well as other aid programs that serve millions more students. At that hearing, Inspector General Kathleen Tighe testified that serious deficiencies remain, saying that her office had been able to penetrate some department systems without being detected. “We could have really done anything in there,” she said, saying that “outsiders” could find their way in, too. She also said, “I am still concerned about the potential for breaches in the department.”