[unisog] RE: Outside Penetration Testing and FERPA

Keith T. Morgan keith.morgan at terradon.com
Wed Dec 1 23:02:30 GMT 2004

IANAL, YMMV, and any other applicable caveat under any applicable
jurisdiction to the extent permitted by law....

If *you* have recovered it, that's one thing. If you've uncovered
evidence that unauthorized parties have accessed the information, that's
another.  The organization should treat you as a contractor.  When we do
penetration testing on HIPAA covered entities, we word our contracts
such that any PHI we uncover, we immediately notify the customer, and
present corrective actions, destroy any copies we have, don't disclose,
etc...  We also have to jump through their authorization hoops prior to
the engagement, as we always assume that eventually, we'll dig up some

They should have required language like this from you in your contract.
If they didn't, the courts would likely treat you as a contractor or
employee.  Uncovering it's one thing.  Posting it on /. is another.  As
long as you immediately notify them of the situation, and EXACTLY what
was disclosed and to whom, you should be ok.  Also, take reasonable
precautions to protect whatever FERPA covered information you have in
your possession from further unauthorized disclosure.

I wouldn't be surprised if your attorneys are baffled by the whole
situation.  Case law on FERPA, HIPAA, SOX et al is all but non-existent
right now.

I guess my point is, that by nature of your contract with the customer,
you may be authorized to see the information (albeit possibly not
by-the-book/letter-of-the-law).  You do have a contract, right?  This is
an authorized pen-test, isn't it? 

> These discoveries would appear to be a violation of FERPA and place
> the institution in jeopardy of loosing federal funds.
> I have discussed this matter with our attorneys and they have not
> found an exemption or loophole in FERPA that would allow for
> third-party security testing, that may result in the disclosure of
> student information.
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **

More information about the unisog mailing list