Joe O’Sullivan reports:
When National American University moved from one Rapid City campus to a new location earlier this year, the school or a contractor appears to have improperly disposed of thousands of sensitive student financial records that included names, addresses, loan numbers and Social Security numbers, according to documents reviewed by the Rapid City Journal.
The private information, which was reportedly dumped into a trash bin, was brought to the newspaper by a person who lived across the street from NAU’s old campus at 321 Kansas City St.
Read more on Rapid City Journal.
National American University is a for-profit university owned by National American University Holdings, Inc., a publicly traded company. They are covered by FERPA and other laws:
We are subject to many laws and regulations related to the nature of our business, including but not limited to Title IV of the U.S. Higher Education Act of 1965, laws and regulations administered by the DOE and laws and regulations related to the establishment and relationship with preferred lenders for student financial aid. It is essential to our business that we are at all times in compliance with these and other applicable laws and regulations.
They also assure students in their privacy statement:
We use industry-standard security measures to protect any personal information that you may provide to us.
So… did they rush to secure the documents or start an investigation when notified of the exposed financial documents? O’Sullivan reports:
In an email to the Journal, Thomas Johnson, an attorney representing NAU, said the university’s position is that financial documents were properly handled during the move, or should have been destroyed by a firm hired by NAU.
“During the re-location of the university’s Rapid City campus, documents containing private student data were either moved to the new campus or were to be destroyed in a secure manner by a third-party vendor retained by the University,” Johnson wrote.
Nonetheless, in a call Friday afternoon, Johnson said NAU is taking the allegation seriously and the university will begin investigating next week.
“Our priority is to figure whether there was a breach here, and who was involved,” Johnson said. “NAU takes seriously those responsibilities, they have protocol in place, and believed they followed protocols in place.”
There was no mention of rushing to secure the files. Why didn’t NAU immediately dispatch staff to determine what else might be left in the trash that contained personal information? Could personal data have still been sitting in the bin all weekend for anyone’s taking? Or if they did rush to investigate, it wasn’t reported by O’Sullivan.
But wait, this gets worse, if you can believe it. South Dakota has no state data breach notification law. And although FERPA requires protection of private records, it does not mandate notifying the affected individuals when those records are breached. So where does that leave those affected by this breach? If I’m understanding federal laws properly, NAU is likely obligated under the Gramm-Leach-Bliley Act to notify individuals whose financial data were exposed and left unsecured. Whether NAU would agree with my understanding remains to be seen.
And if they do notify individuals, will they also offer them free credit monitoring or insist that their contractor does if it turns out the contractor violated some written agreement on secure disposal?
The FTC has the authority to enforce the Gramm-Leach-Bliley Act. And although they generally do not get involved in education-related data breaches, this might be a good one for them to investigate. Well, this one and the Maricopa Community Colleges breach also reported this week.
Dammit, someone’s got to get serious about breaches in the education sector. If the U.S. Department of Education (USED) won’t or can’t, and state attorneys general don’t or can’t, then paging FTC to Aisle 4….
State breach laws would affect them even if they lost the data in South Dakota. Most breach laws are applicable to the state of residency of the individual, not where the data was lost; i.e., if you live in NY and your data is at a South Dakota company, then NY laws apply, not just the laws of the state the data was lost in.
Yes, but many state breach laws only apply to computerized (electronic) database breaches. It’s not clear whether printouts from the database would also be covered. Then, too, unless NAU retrieves the documents, they have no idea whom to notify should they discover that they’re obligated to.
Good point. GLBA has privacy requirements, as does the FACT Act (as well as document disposal requirements). If they were database printouts, i.e., if they started as “electronic” records, I wonder if they would still be considered a data breach. State constitutions provide another source of protection. Constitutions in ten states (Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington) expressly recognize a right to privacy; perhaps these would apply.