University of Oklahoma's Lapse in Security Protocol Prompts U.S. Department of Education Contact

The U.S. Department of Education is in charge of ensuring federal student record laws are followed, and it can take action even if a complaint is not filed.

(TNS) -- The U.S. Department of Education has been in contact with the University of Oklahoma regarding a lapse in security protocol that allowed anyone with a campus-issued email to search for and view sensitive student records.

The now-corrected cybersecurity error enabled anyone with an @ou.edu email to search for records on a document-sharing service called Microsoft Delve. Some of the records that were viewable by unauthorized personnel were protected under the Family Educational Rights and Privacy Act (FERPA).

FERPA is administered by the Department of Education, which has since contacted the university regarding its security protocols.

“The office of Federal Student Aid has contacted the university to further assess the institution’s compliance with its data security safeguard requirements according to the Gramm-Leach-Bliley Act,” said Liz Hill, press secretary for the U.S. Department of Education. “[The office of Federal Student Aid] also is reviewing the institution’s obligation to immediately self-report any suspected or actual breach of the confidentiality, integrity or availability of data.”

Initially reported last week by OU’s campus newspaper, The Oklahoma Daily, an error in OU’s security settings for file sharing enabled documents on the program SharePoint to be searched and viewed through Delve. These included records showing student GPAs, financial aid information, Social Security numbers, and student athletes’ eligibility and drug test information.

Upon discovering the error, OU shut down Delve and reset the security settings for SharePoint. In multiple statements, university personnel said at no point was data ever breached by an outside source.

The U.S. Department of Education is in charge of ensuring federal student record laws are followed, and it can take action even if a complaint is not filed.

“They have, technically, the authority to investigate without a complaint being filed,” said LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers and FERPA expert.

Rooker said the focus now will be on how OU responded once the security lapse was discovered.

“What the department could do is, if a complaint was filed against the university, then the department ends up investigating it, they would look at what the university did to correct the situation and how they moved to do that,” he said. “That’s what the department’s going to be about if it’s a systemic problem of any kind, that the problem has been corrected.”

By that logic, it is unlikely OU will face any further federal scrutiny. Rowdy Gilbert, OU vice president for public affairs, said last week that the error in security settings that made student records available happened about a month ago.

It was at that point that OU moved SharePoint files over to the cloud. Matt Hamilton, registrar and vice president for enrollment and student financial services, said FERPA-protected files were made available “due to a misunderstanding of privacy settings.”

“Obviously, it’s something inadvertent, and the university is now aware of it and took immediate action to correct it,” Rooker said.

In any event in which the Department of Education finds a FERPA violation has occurred, the action against the institution often involves ensuring the problem is fixed, Rooker said. This can be mandatory training for employees, the discontinuance of certain practices or even reworking the way an entire department operates.

“If OU was unable to correct the situation ... they’d have to find a solution, whatever that would be,” Rooker said.

To the knowledge of university administration, no records were breached or accessed by any source outside of OU, Gilbert said last week.

©2017 The Norman Transcript (Norman, Okla.) Distributed by Tribune Content Agency, LLC.