E-mail error generates changes

By
Thursday, March 19, 2009

Brown’s Office of Financial Aid most likely did not violate federal or state laws when it inadvertently revealed the names of nearly 1,800 students who have initiated an application for University financial assistance, according to Steven McDonald, general counsel at the Rhode Island School of Design.

On Monday afternoon, the office sent e-mail messages reminding students about which documents they needed to submit and the application’s deadline. Each of the three messages showed the Brown e-mail addresses – including first and last names – of approximately 500 first-years, sophomores and juniors who have submitted financial aid documentation, and the fourth contained nearly 300. In all, The Herald counted 1,773 names mistakenly divulged Monday.

Normally, students are sent information by blind carbon copy, or “BCC,” which does not reveal an e-mail’s other recipients, said Director of Financial Aid James Tilton.

Though the release was regrettable, it was not a breach of state or federal law, said McDonald, who has edited a book about the Family Educational Rights and Privacy Act.

“It was a mistake and we now have to put procedures in place so that kind of thing won’t happen again,” Tilton said, noting that the office routinely sends students similar reminders but had never made such a mistake.

E-mails will now be internally tested prior to sending. Messages will be distributed to smaller contact groups, and each will also be addressed to a staff member so that any mistakes will be caught more quickly, Tilton said.

Students whose names were released received an e-mail yesterday, apologizing for the mistake and reiterating the office’s commitment to protecting student confidentiality. The office received six e-mails from students notifying them of the mistake but has not received any specific complaints, Tilton said.

Since no personally identifiable information – such as transcripts and social security numbers – was revealed, the office does not believe any violations of student confidentiality occurred, Tilton said.

“It’s not really a violation of FERPA to make an honest mistake,” McDonald said Wednesday. “They are doing the right thing” by admitting the mistake and taking steps to prevent it from happening again, he added.

Under FERPA, the U.S. Department of Education may review a university’s policies if confidential information is improperly released, but students do not have the right to sue colleges if their privacy is breached, McDonald said.

“This does not sound like a particularly big deal,” McDonald said. “It shouldn’t happen but sounds like an honest mistake.”