Virginia Schools in a Privacy Pickle
Effective July 1, Virginia higher education institutions have been required to electronically transmit to Virginia state police the following on each accepted applicant: name; Social Security "or other identifying number"; date of birth; and gender.
The reasoning behind the requirement is unquestionably good. It's just one statutory change to help protect Virginia citizens from sex offenders. The statute directs the police to compare the information with sex offender registries. Law enforcement officials indicate that they'll notify the institutions of any matches and keep tabs on the individuals.
Few students would not want to know that a convicted sex offender lives in the dorm room next door. However, the law puts IHEs in the middle of a situation that creates increased risk of loss or theft of personal information and, ultimately, potential mass identify theft of all applicants. It at least raises the question of whether the same objectives could be achieved with less risk to individuals and institutions.
Does an institution really have to release Social Security numbers? In a clever piece of statutory drafting, the general assembly requires the information to be transmitted before the accepted applicants become "students in attendance," subject to the federal Family Educational Rights and Privacy Act (FERPA) information transmission restrictions. Since the law also does not define "other identifying number," it seems the law requires that IHEs cull Social Security numbers from applications and transmit them to the police.
Law enforcement officials say they'll take appropriate steps to protect the data, and there's no reason to doubt that they'll try. After the data has been crosschecked, we are told it will be duly destroyed.
The question is not the motives of legislators or law enforcement officials. The hard fact is that situations where thousands and sometimes millions of individuals' personal data has been stolen, lost, or exposed appear in the media constantly. Sometimes identities are stolen and-as the Citibank television ads demonstrate-when they are, lives are made miserable. Where identities are not stolen, the potential victims are left to live in fear, repeatedly checking their account activity and credit scores in hopes that they will not become a character in those advertisements.
Few incidents are the result of ill intentions on the part of data keepers. The more data is created, replicated, and transmitted, the more likely it is to be exposed due to employee negligence or hackers aided by inadequate safeguards.
Thus, institutions should create and store personal data only where they must and transmit it on a strict need-to-know basis-first obtaining contractual safeguards from the receiving party about their handling of the information and putting in place internal processes to help protect it.
The Virginia legislature has created a multiple-step process for personal data. The Social Security numbers will travel each step of the way, likely housed on yet another computer during each step, increasing the likelihood that the data will become the subject of tomorrow's newspaper story on personal data theft or loss.
The worst-case scenario for educational institutions: In the additional steps on their end, they will misstep and subject themselves to a class-action lawsuit for negligent handling of the data on its way to police.
Given the attention to identity theft, we are likely to see extensive federal and state legislative activity in the months and years ahead, as we struggle to harness the great electronic powers we have created against this unintended side effect. We will also see increasingly sophisticated internal tools to protect data, as entities become more vigilant in their data-protection efforts in order to avoid liability. In that environment, the law that creates rather than diminishes chances for data theft will be very unusual. It seems appropriate to ask all state legislators to strive for solutions that address these serious threats to citizens.
William Nolan is a partner in the Columbus, Ohio, office of the law firm Squire, Sanders & Dempsey, www.ssd.com.