Officials at the University of Kansas have stepped up their eMail and data security training for employees after more than 100 students who failed their classes last semester found out who shared their misfortune.
The school’s Office of Student Financial Aid sent an eMail message to 119 students in June notifying them that they were in jeopardy of having their aid revoked. But the names of the students were included on the eMail address list–meaning everyone who got the message could see the names of all the other recipients.
"It was a completely inadvertent, unintentional mistake," university spokesman Todd Cohen said. "It was our error, our mistake, and we deeply regret it."
The university immediately began training procedures with its staff to make sure the mistake does not happen again, Cohen told an eSchool News reporter.
He said the university refreshed its staff’s knowledge of the Family Educational Rights and Privacy Act (FERPA) and all other privacy procedures by which the university must abide.
"We increased their awareness of eMail security, cautioning them not to rely on big batches or the BCC [blind carbon copy] function. Many procedures that appear to be a shortcut are not totally secure," Cohen said. "Only training, awareness, and good procedures are going to protect student security."
Nancy George, a student on the list, said the mistake was tantamount to releasing the grades of students without their permission, which the FERPA prohibits.
"Nobody should have known that I failed a class or that I even had a student loan," said George, who says she failed because her daughter had developed pneumonia.
Cohen said the university has contacted all the students on the list and apologized. He also said the incident had been reported to the U.S. Department of Education (ED) so it could determine if there was a violation of the federal law. As of press time, ED had not responded to the school.