[unisog] Outside Penetration Testing and FERPA

William Yang wyang at gcfn.net
Thu Dec 2 01:53:33 GMT 2004

Ann Ymous wrote:

> I apologize for cross posting, but I would like to get feedback from 
> each of the addressed lists.
> My group performs penetration tests for government agencies, 
> universities and school districts. We feel that having an outside 
> entity perform these tests improves the overall security posture of 
> the institution and results in stronger protection. However, in the 
> course of our engagements with universities and school districts, we 
> have recovered student records and other identifiable information.
> These discoveries would appear to be a violation of FERPA and place 
> the institution in jeopardy of losing federal funds.
> I have discussed this matter with our attorneys and they have not 
> found an exemption or loophole in FERPA that would allow for 
> third-party security testing, that may result in the disclosure of 
> student information.
> Has anyone addressed this matter directly? If so, how have you dealt 
> with the issue?

As a professional security contractor, I'm appalled that you're running 
into this question after starting an engagement.

Assuming you actually have, have spoken with, and have understood the
communications of an attorney regarding this matter (and that
conjunction isn't evident here), it sounds like you've gotten pathetic
legal advice.

I am not an attorney.  I am not going to provide you with legal advice.
I'm not aware of any explicit prohibition on security auditing and pen 
testing, and rather think that--based on the FERPA information sheet at 
the Department of Education's FERPA web 
site--http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html, which is 
one of the first 'google' hits on 'family educational rights privacy 
act' (what FERPA stands for).

Were I you, I would ask my attorney whether "official" means "employee" 
-- after all, contractors and outsourcing can be good decisions, even in 
the educational market.

1.  Who are you trying to protect?  The school?  Yourself?  Your
organization?  The students?  The government?  You need to define the
constituency you're trying to protect, as the interests may be in conflict.

2.  Were you authorized to engage in activity for some legitimate 
purpose by appropriately authorized individuals at the school in question?

3.  You need to evaluate your contract, scope, and statement of work.
You need to perform due diligence on the contracting organization and 
meet an appropriate standard of care when entering into agreements.  And 
don't take this as legal advice--this is all business advice.

4.  Were I you, I would identify and engage a real lawyer; whomever
you're using is pretty pathetic if they've left you looking for legal
advice from a mailing list that's populated largely by security
engineers and system administrators.

William Yang
wyang at gcfn.net
