Author: Lisa Ercolano

Federal laws governing student privacy, particularly the Family Educational Rights and Privacy Act (FERPA), are outdated and inadequate in the era of cloud-based storage of educational data, potentially leaving students’ sensitive personal information vulnerable, according to a Johns Hopkins Engineering study.

The researchers reveal that FERPA, enacted in 1974 and last amended in 2002, fails to protect many types of information that students and faculty assume are safeguarded, and current technology has outpaced the law’s ability to protect student data.

The study, “This Is Going on Your Permanent Record: A Legal Analysis of Educational Data in the Cloud,” appears in the ACM Journal on Responsible Computing.

“The law simply has not kept pace with technological advances,” said senior author Joel Coffman, an instructor at Johns Hopkins’ Engineering for Professionals program in computer science and professor at the Air Force Academy. “This disconnect between what the law intended to do and what it now does has led to knotty legal issues, with modern courts struggling to apply outdated precedents to the situations modern technology presents.”

Information at risk includes emails between any combination of teachers, guidance counselors, and school staff, data stored in third-party educational apps, student records maintained in online learning management systems used in remote learning and for student assignments, and video recordings of students—all of which are vulnerable not only to breaches and unauthorized access but also to unintentional sharing with third parties.

“The key challenges we face now are not just about protecting the data itself, but about preventing situations where sensitive student data could be exposed,” said lead author Ben Cohen, ENGR ’23 (MS).

The authors analyzed several court cases involving FERPA, including a key Supreme Court case decided in 2002: Gonzaga University v. Doe. They also examined several lower court rulings that have applied FERPA to different types of student data. In addition, they reviewed the text of FERPA and the U.S. Department of Education’s relevant guidance and considered recent cyberattacks affecting educational institutions.

This approach allowed them to identify gaps between existing legal interpretations of FERPA and current technological realities in educational data storage and management.

“In Gonzaga, for instance, the Supreme Court ruled that students cannot sue educational institutions or staff for alleged violations of FERPA. In some cases, courts ruled that information ‘derived from a source independent of school records,’ such as emails or videos, is not protected. That means that if a school or its cloud provider suffers a data breach, the responsible party can be held liable for the breach but not for any further spread of information. So good luck seeking recourse if you’re a student whose educational information was breached,” Cohen said.

“There are just so many shocking loopholes, and they all come back to the same thing: Technology has changed a lot in the last 50 years, but the law hasn’t,” he added.

Based on their analysis, the authors offer recommendations to both policymakers and educational institutions.

“We recommend policymakers update the statutes to include digitally stored information in the definition of educational records. We also suggest adding language similar to that of the Privacy Act of 1974 to grant a private cause of action to students who feel their FERPA rights were violated,” Cohen said.

Recommendations for educational institutions include updating policies and practices to account for modern technology; ensuring cloud service providers encrypt all student data as it is stored and in transit; and regularly testing and updating firewall configurations and other security systems to make them more robust against inevitable cyberattacks. Institutions should also add language to their contracts with external IT providers, such as Google for Education, requiring them to restrict outside and third-party access to educational records, the authors say.

“Keeping policy up to date as technology changes remains a huge challenge. FERPA was last substantially updated two decades ago, yet how we interact with information has changed drastically in the interim,” Coffman said.