[unisog] RE: Outside Penetration Testing and FERPA

GREGORY SEIBERT gregs at kent.edu
Thu Dec 2 14:14:27 GMT 2004

I would think that if any HIPAA protected data might be involved, the
institution should have a business associate agreement signed with you to
protect any of that data that you might encounter. GLBA would seem to want
a privacy addendum with your contract to specifically cover GLBA protected
data (such as credit card info). FERPA just wants to make sure that the
data is not disclosed while the other two acts seem to mandate specific
agreements with all third parties that spell out the required protection of
affected data. These are all items that the institutions should require of
your organization when you enter into a contractual relationship with them.

For our situation, we would have no problem with third party security
testing by reputable firm as long as the appropriate agreements were in


Gregory A. Seibert, CISM
Director of Security and Compliance
Suite 384 Library
Kent State University
330-672-0383 (Voice)
330-672-9374 (FAX)

                      "Keith T. Morgan"                                                                                                 
                      <keith.morgan at terr        To:       Ann Ymous <ann.ymous at gmail.com>, Pen Test List <pen-test at securityfocus.com>,  
                      adon.com>                  Security Mgmt List <security-management at securityfocus.com>, Unisog                     
                      Sent by:                   <unisog at lists.sans.org>                                                                
                      unisog-bounces at lis        cc:                                                                                     
                      ts.sans.org               Subject:  [unisog] RE: Outside Penetration Testing and FERPA                            
                      12/01/2004 06:02                                                                                                  
                      Please respond to                                                                                                 
                      Operations Group                                                                                                  

IANAL, YMMV, and any other applicable caveat under any applicable
jurisdiction to the extent permitted by law....

If *you* have recovered it, that's one thing. If you've uncovered
evidence that unauthorized parties have accessed the information, that's
another.  The organization should treat you as a contractor.  When we do
penetration testing on HIPAA covered entities, we word our contracts
such that any PHI we uncover, we immediately notify the customer, and
present corrective actions, destroy any copies we have, don't disclose,
etc...  We also have to jump through their authorization hoops prior to
the engagement, as we always assume that eventually, we'll dig up some

They should have required language like this from you in your contract.
If they didn't, the courts would likely treat you as a contractor or
employee.  Uncovering it's one thing.  Posting it on /. is another.  As
long as you immediately notify them of the situation, and EXACTLY what
was disclosed and to whom, you should be ok.  Also, take reasonable
precautions to protect whatever FERPA covered information you have in
your possession from further unauthorized disclosure.

I wouldn't be surprised if your attorneys are baffled by the whole
situation.  Case law on FERPA, HIPAA, SOX et al is all but non-existent
right now.

I guess my point is, that by nature of your contract with the customer,
you may be authorized to see the information (albeit possibly not
by-the-book/letter-of-the-law).  You do have a contract, right?  This is
an authorized pen-test, isn't it?

> These discoveries would appear to be a violation of FERPA and place
> the institution in jeopardy of loosing federal funds.
> I have discussed this matter with our attorneys and they have not
> found an exemption or loophole in FERPA that would allow for
> third-party security testing, that may result in the disclosure of
> student information.


The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager
or  the
sender immediately and do not disclose the contents to anyone or make

** this message has been scanned for viruses, vandals and malicious content

unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list