Protecting the Security of Student Data: CollegeNet v XAP, A Case Study

In her blog “Law, Policy and IT” Tracy Mitrano expressed a concern: protecting student privacy as colleges and universities outsource information processing with external servicers. To ensure education records are protected, she writes, outsourcing contracts must explicitly detail the protection to be provided student data. She suggested contract provisions should require an entity comply with federal law including the Federal Education Rights Privacy Act. FERPA is one of the United States’ earliest public privacy laws enacted more than thirty years ago. She said “the Department of Education has already made clear that outsourcing these records does not alleviate the institution of its obligations under this law.” Her recommendation would build a “chain of responsibility” for the privacy and security of student education records. She observes these records have become “an important and permanent marker of an individual in a competitive society currently plagued by high unemployment rates even among college and professional school graduates in an era where corporations and firms routinely amass information from a variety of sources in the course of hiring.”

Student data have been disclosed and sold without permission by external vendors. One example is described in the court records of CollegeNet Inc. v XAP Corporation, U.S. District Court for the District of Oregon.

Litigation began September 10, 2003 when CollegeNet Inc. asserted patent infringement. Subsequently CollegeNET was awarded “$4 million in damages for Xap’s1 patent infringement.” On June 9, 2009, the court authorized a Consent Judgment after the two firms reached a settlement agreement. The agreement is not included in the court records.

On June 10, 2004 CollegeNET also filed a “Complaint for False Advertising and Unfair Competition” against XAP Corporation which raised questions about the security of student data.

As background of the two firms from court records:

“Plaintiff [CollegeNET] provides online college admission application services to college-bound students and to the colleges and universities (hereinafter referred to collectively as colleges) to which the students intend to apply. The colleges pay Plaintiff for these services.

“Defendant [XAP Corporation] provides online college application and admission processing services to college-bound students through approximately 30 “Mentor” websites. Defendant’s paying customers for online services are state agencies, departments of education, and/or student-loan guarantee authorities; e.g., banks and other lending institutions (collectively referred to as commercial institutions). Defendant does not charge colleges directly for these online services.”

Georgetown University Law School professor Rebecca Tushnet explains:

CollegeNET brought state and federal unfair competition claims, on the theory that XAP makes false representations to its customers about privacy, putting CollegeNET at a competitive disadvantage in the online application and admissions processing services market. Colleges have to pay for CollegeNET, but they can get XAP services for free because the financial aid institutions pay for XAP. CollegeNET further alleges that XAP misleads colleges about its privacy policies, giving colleges the false impression that XAP won’t sell or provide student data to third parties without a student’s express consent.

She describes the issue:

If I make money by delivering eyeballs to my clients, is there a Lanham Act violation when I lie to get those eyeballs? My intuition is yes, at least for defendants like Google and XAP – but I’d have to draw the line at communicative products, like a newspaper with articles by Jayson Blair.

I tried to distinguish the actual content of the site, which has full First Amendment protection, from the representations used to entice people to the site, which can be false commercial speech subject to the Lanham Act.

The jury agreed with Ms. Tushnet finding “that Xap engaged in unfair competition by making false or misleading states in violation of the Lanham Act, § 15 U.S.C. 1125(a)” and awarded CollegeNET $4.5 million.

What about student privacy?

To assure privacy and informed consent, Judge Brown issued a permanent injunction:

“The Court finds that there is a threat of present and future irreparable harm to students using [the XAP websites] because the disclosure currently provided by Xap at the time that student applicants are given an opportunity to request additional information in connection with student loans or financial aid (the “Opt-In Question”) is inadequate to assure that the applicant knowingly and unequivocally consents to the disclosures and use of Personal Information.”

She required:

Student applicants shall be informed in plain, concise, and conspicuous language set forth at the time that the Opt-In Question is presented and before any Personal Information is transferred that by answering “yes’ to the Opt-In Question, the student applicants understands that he or she specifically is authorizing Xap to disclose the following Personal Information to the Site sponsors as appropriate: [a description of the Personal Information that will be disclosed] to the following: [a list of all entities that will receive any or all of the Personal Information] for purposes of [a description of all purposes for which the Personal Information is submitted] (brackets from the original).

Personal Information was defined as data “that uniquely identifies, or that can be used to uniquely identify, an individual person.” How valuable is the data? As an example, CollegeNET alleged:

“KHESLC agreed to pay, and on information and belief has paid XAP $10 in exchange for personal information of students who established an account with XAP and submitted online admissions applications through the Kentucky Mentor site.”

Can a student be required to provide data to the servicer? During this period the California State University required students apply for the universities through XAP. Whether their agreement with XAP included privacy provisions as Mitrano suggests could not be determined from the court records.

This case identified three issues:

• Would contract provisions, as suggested by Mitrano, be sufficient to prevent the disclosure of student data not authorized by the student?
• Should a college require a student to provide data that is “sold” to benefit the college?
• What is the role of college information technology staff in monitoring the protection of student data both from campus websites and by contractors?

On November 14, 2011, the George Tech College of Computing “took down all past course websites stored on College servers” to comply with FERPA. On November 29th Facebook agreed to improved protection of user data resulting from user concerns about privacy. Facebook is to provide the same informed consent for data sharing that Judge Brown required in her permanent injunction. On December 2nd the U.S. Department of Education issued revisions to FERPA regulations that require written agreements similar, but less specific, than Mitrano suggested. However FERPA has never been enforced. These recent examples show the need for collaboration among faculty, students, and information technology staff to balance students’ privacy, faculty improvements of teaching and learning, and IT capabilities.

Perhaps this case history illuminates the issues and can contribute to these discussions.