Delivered-To: [EMAIL PROTECTED] Date: Sun, 11 Jan 2004 15:07:39 -0500 From: Chris Hoofnagle <[EMAIL PROTECTED]> Subject: Re: [IP] NYU student data leak X-Sender: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
At 07:09 PM 1/10/2004, you wrote:
>>Delivered-To: [EMAIL PROTECTED] >>Date: Sat, 10 Jan 2004 12:05:47 -0500 >>From: >>To: Dave Farber <[EMAIL PROTECTED]> >> >>Dave: Not mentioned in this article is that at the start of 2003, >>NYU laid off its senior system and network security manager, who >>had been with the university for nearly 18 years, in a budget-cutting >>round. At the time of the layoff, the manager was working on privacy >>issues, including HIPAA compliance. >> >>http://www.nytimes.com/2004/01/10/nyregion/10identity.html >> >>January 10, 2004 >>Students' Data on Web, and N.Y.U. on Defensive >>By KAREN W. ARENSON >> >>Three years ago, when Brian Frank entered New York University, he >>signed up for intramural basketball, providing his name and his >>university identification number, which was also his Social Security >>number. >> >>Yesterday morning, Mr. Frank, who is now a senior, learned from N.Y.U. >>that these details had been posted on the Internet. He was among about >>1,800 N.Y.U. students who received the same e-mail notification from >>the university. In some cases, students' phone numbers were posted, >>too.
Hi Dave,
Also not mentioned is New York's Educational Code, which places limits on public and private schools' use of the SSN. It's meant to avoid this type of release.
Generally, it's considered best practice not to use the SSN routinely as an identifier. Many schools do have to collect it for financial aid/employment reasons, however, that doesn't mean that it needs to be used for other purposes. I wrote a paper on this and other higher education student privacy issues that's online at http://www.epic.org/epic/staff/hoofnagle/studentprivacy.html
The New York Code is below.
Regards, C
http://caselaw.lp.findlaw.com/nycodes/c30/a3.html
Article 1
2-b. Use of student social security numbers restricted.
S 2-b. Use of student social security numbers restricted. No public or private elementary or secondary school or college as defined in section two of this article shall display any student`s social security number to identify such student for posting or public listing of grades, on class rosters or other lists provided to teachers, on student identification cards, in student directories or similar listings, or, unless specifically authorized or required by law, for any public identification purpose.
-------------------------------------------------------------------- Chris Hoofnagle, Assoc. Director +1.202.483.1140 (tel) Electronic Privacy Information Center +1.202.483.1248 (fax) 1718 Connecticut Ave., NW Suite 200 [EMAIL PROTECTED] Washington, DC 20009 USA http://www.epic.org/ http://www.privacy.org/ PGP Key: http://epic.org/epic/staff/hoofnagle/pgp.txt --------------------------------------------------------------------
------------------------------------- You are subscribed as [EMAIL PROTECTED] To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
