The U.S. Department of Education has officially made contact with the University of Oklahoma about a lapse in cyber security within the university’s internal system.
The contact could be the precursor to a federal investigation into whether OU broke a set of federal laws.
The contact was confirmed Tuesday afternoon by a U.S. DOE spokesperson.
“The U.S. Department of Education takes allegations of privacy and data security violations very seriously,” Liz Hill, press secretary at the U.S. Department of Education, said.
“The office of Federal Student Aid has contacted the university to further assess the institution’s compliance with its data security safeguard requirements according to the Gramm-Leach-Bliley Act (GLBA). FSA also is reviewing the institution's obligation to immediately self-report any suspected or actual breach of the confidentiality, integrity, or availability of data.”
The allegations stem from a problem with privacy settings in OU’s internal file-sharing system, the Microsoft Office 360 program “Delve.” The issue was first reported by the student newspaper The OU Daily, which discovered that the personal information of nearly 30,000 students dating back to 2002, including financial aid and visa statuses, grades and Social Security numbers, could be searched by anyone with an OU.edu account. News 9 was unable to independently confirm those same figures.
This type of personal information is protected under the federal Family Educational Rights and Privacy Act (FERPA) as well as the GLBA. According to education policy experts, a discovered breach of those laws could result in loss of certain kinds of federal funding for OU.
When asked about the issue, OU’s Vice President for Enrollment and Student Financial Services, Matt Hamilton, said “Delve” was shut down immediately after officials learned of the breach from the paper’s report.
“Some sensitive files were inadvertently made accessible to OU account holders due to a misunderstanding of privacy settings,” Hamilton said. “No unauthorized party accessed any of the files…”
Hamilton added that the school acknowledges concerns about privacy and reassured students their FERPA-protected information was secure. However, an OU public affairs official said the school would not be contacting students directly in an email. Rather, the university would be relying on the public statement made by Hamilton that was given to both The OU Daily and News 9.
“We have not sent out an email. Rather, we issued a public statement explaining that the situation had been resolved,” OU Senior Associate Vice President for Public Affairs, Rowdy Gilbert, said in an email.
When asked if the statement would also be posted online for students to view, Gilbert said the public statement made to the media was meant to be the only way the school would reach the “OU community.” So far, the school has not notified students via an internal message. The incident also went unreported in President David L. Boren’s recent letter to students.
FERPA has been federal law since 1974. It doesn’t carry any civil penalties, but infractions could result in a loss of certain kinds of federal funding for colleges. In the law’s 43-year history, no school has been penalized in that way. Most often schools are told to monitor and upgrade security.