Teach Act

The Family Educational Right to Privacy Act (FERPA) prohibits educational agencies and programs, at risk of losing federal funds, from having a policy or practice of “permitting the release of ” specified educational records. FERPA does not state whether or not the prohibition places affirmative requirements on educational institutions to protect against unauthorized access to these records through the use of information security measures. It is certainly possible that a court could conclude in the future that an educational institution which fails to take reasonable information security measures to prevent unauthorized access to protected information is liable under FERPA for “permitting the release” of such information.

The recent case of a Vermont college system employee having such data on a laptop that was later stolen (see Chapter 1 sidebar “The Real Cost of Remediation”) might test this very statute.The 2002 Technology, Education, and Copyright Harmonization Act (the “TEACH Act”) explicitly requires educational institutions to take “technologically feasible” measures to prevent unauthorized sharing of copyrighted information beyond the students specifically requiring the information for their studies, and, thus, may create newly