FERPA: Friend or Foe? by Steve Cunningham

  • Educational institutions are encrypting all mobile storage devices—including yours.

This month I have another brief story of computer trouble, but this time it is not about a hard drive. I ran into a colleague this week who told me that the screen on his university-supplied laptop computer began to go black for no apparent reason. Just before it blanked out for the last time, he'd purchased a new laptop, with his own money, and transferred all his data to the new unit. I asked him why he didn't simply submit the old one for repair or replacement.

He replied that it was too old to be a worthwhile repair, and figured that IT would give him a new one...one whose hard drive was completely and totally encrypted. "Pro Tools won't run on an encrypted hard drive, will it?" he asked me. I admitted that it would not, nor would several other programs. "That's why I bought this one myself. I'll still be able to use all my software and won't have to use data-encryption."

I was aware that university policy was moving toward full data encryption on all university laptops. The problem for both of us is that we teach classes based on the use of high-end audio and video editing software, none of these will actually run on an encrypted hard drive. But since my current laptop was old, I thought I was immune. Not so.

FERPA vs. mobility

This particular issue of data encryption on mobile devices came about as a result of a collision between FERPA, the Family Educational Rights and Privacy Act of 1974, and network mobility. Originally designed to allow parents and students to see, correct, and control the outside distribution of the contents of a student's records, FERPA has been amended multiple times over the years. Today it represents a detailed guide to what an educational institution may and may not do with regards to the privacy of a student's records. Moreover, compliance with the FERPA regulations is handled by an entity known as the Family Policy Compliance Office, which is part of the U.S. Department of Education. This Office can conduct investigations of an educational institution when a violation of privacy is suspected, be it willful or otherwise. Direct remedies available to this Office include the withdrawal of all federal funds to that institution. Indirect results of such an investigation include the general upheaval created by the investigation, along with a potential blast of negative publicity. Clearly it is something to be avoided.

As faculty, staff, and administrators began adding laptop computers to their academic toolboxes, a certain amount of FERPA-class information has found its way on to the hard drives of these laptops. We have all heard multiple accounts in the media of university laptops that have disappeared, exposing in some cases thousands of individuals to possible identity theft. As the incidents of loss and outright theft of laptop computers have increased, so has the concern about protecting this sensitive data, and thereby perhaps avoiding the nasty business of an investigation.

The university decided to handle this issue by establishing a policy of data encryption on any laptop computer or mobile storage device used for university business. It requires that computers purchased after April 2009 come equipped with either built-in encryption or a software-based encryption solution for subsequent installation. Where the device was purchased or who paid for it are immaterial; an employee who purchases a device at Fry's or Best Buy or Costco must provide written proof that the device is equipped with an acceptable encryption solution. Furthermore, the university requires a software snapshot (essentially a full backup) of each hard drive's contents at the beginning of a new semester. This ensures that should a device be lost or stolen, the snapshot will show whether or not FERPA-class information was on the hard drive when the snapshot was taken. Enforcement of this policy is handled by the individual school's IT department.

I haven't yet told my colleague that his newly purchased laptop will also have to be encrypted. Moreover, I'm due for a new university laptop which will definitely be subject to the policy. I'm certainly not buying myself a new laptop, but I am considering removing all FERPA-class data from this one and just bringing encrypted hard drives to work. I'll keep you posted on what I find.

Steve Cunnigham is an assistant professor of practice at USC's Thorton School of Music, and an AV Tech Advisor. Send your feedback to AVTIntern@nbmedia.com.

The AVNetwork staff are storytellers focused on the professional audiovisual and technology industry. Their mission is to keep readers up-to-date on the latest AV/IT industry and product news, emerging trends, and inspiring installations.