This law firm’s purpose is to help you, and your family, manage the harsh realities of the sexual misconduct process now and for the rest of your life.

News and Public Policy

Our Reactions to the Student Misconduct Process

Jauregui Law Office petition to protect the privacy of Title IX disciplinary records uploaded to Third Party Database Sharing Vendors

                                                                                                            September 17, 2019

 

Secretary Betsy DeVos

U.S. Department of Education

400 Maryland Avenue, SW

Washington, D.C. 20202

 

RE:  Student Disciplinary Databases Like Maxient[1], in Promising Title IX Efficiency, Fail to Protect the Privacy of Participants of Title IX Processes Including Complainants, Respondents, and Witnesses.

 

Dear Secretary DeVos:

 

Consider these very realistic and dangerous student privacy loss hypotheticals:

 

The forgotten record:

 

Assistant Title IX Coordinator 1 at College 1 logs onto her Maxient account and starts a “new case” as she has received a complaint from a female student (“Complainant”) that a male student (“Respondent”) sexually assaulted her in violation of Title IX.[2]  The new case includes names, addresses, dates of birth, and lurid details gleaned from the Complainant, her witnesses, and the Respondent. Coordinator 1, as so many do, resigns soon thereafter.[3]  Fortunately, the Complainant and Respondent later agree that there was no assault and resolve the matter amicably and informally.  College 1 keeps no record on Respondent’s disciplinary file because of the informal resolution, but because Coordinator 1 is no longer there, nobody updates the “new case” with Maxient.

 

Years later Respondent applies to law school, but does not disclose the amicable resolution or the fact that there was a complaint.  All law schools reject his application based on their review of the undisclosed “new case” and its lurid information as kept in Maxient’s database.  College 2 argues it has no responsibility, for under FERPA, it is allowed to share this information with Maxient, given FERPA’s 2008 regulations allowing disclosure of education records to a “contractor, consultant, volunteer, or other party” performing “an institutional service or function for which the agency or institution would otherwise use employees.”[4]

 

The hacked record:

 

Coordinator 2 at College 2 is personally hacked while using the free wi-fi at Starbucks.  The hacker has access to Coordinator 2’s Maxient password and thus to the “new case” in Maxient that Coordinator 1 at College 1 entered against Respondent, as well as access to all the Personally Identifiable Information (PII) of Respondent, Complainant, and their witnesses.[5]

 

Soon after, Google searches for Respondent show that he has a criminal record, along with his date of birth and his address.  College 1 argues it is not responsible for this breach, because it has absolutely no control over Coordinator 2, who is the employee of College 2.

 

Third Party Databases Must Provide Privacy for Title IX Complainants, Respondents, and for their Witnesses Including Encryption, Notice, and Expungement Provisions.

 

This is a petition under the Administrative Procedure Act, 5 U.S.C. § 553(e), to protect the privacy of participants in Title IX processes on campus from disclosure once this information is uploaded to a Third Party Database Sharing Vendor (TPDSV).

 

Currently, Maxient in particular, as well as other TPDSVs, sell their database service claiming it ensures that all member colleges and universities know the full disciplinary records of all respondents seeking to transfer schools.  Yet these very same TPDSVs fail to protect the very sensitive data they receive, which consists of fundamental and oftentimes devastating PII concerning all students participating in Title IX processes.  The TPDSVs maintain and disseminate stories that belong to the complainant, the respondent, and to their witnesses.  Rushing to repackage this information for sale to other schools, these TPDSVs elide any measure to prevent its unauthorized disclosure, which threatens student privacy.[6]  This risk stands in direct contradiction to the privacy thrust of FERPA, as data security is an “essential part of complying with FERPA as violations of the law can occur due to weak or nonexistent data security protocols.”[7]

 

Thus, to protect the privacy of Title IX participants for the rest of their lives, the department should narrow the scope of the regulations on disclosure of PII to contractors like the TPDSVs, requiring that privacy protections be in place before and after any PII on Title IX or sexual misconduct disciplinary records is shared with TPDSVs.  This is not onerous. FERPA, in fact, already has a mechanism for sharing PII that protects privacy and could serve as a model to require from all TPDSVs:  34 C.F.R. § 99.31(b) permits third parties to release de-identified student data for education research by attaching “a code to each record that may allow the recipient to match information received from the same source,” provided that the third party does not release information “that would allow a recipient to identify a student based on a record code[.]”[8]

 

Further, the department should specifically require that all TPDSVs incorporate into their platforms fundamental electronic data privacy protections and good practices including encryption and Privacy Enhancing Techniques (“PETs”) that minimize or eliminate the collection of PII.  My review of the available on-line information from TPDSVs suggests they have no PETs in place and that thus untold gigabytes of devastating PII lie there, unprotected.  Similarly, fundamental due process holds that the department require notice to all student Title IX participants in the event of a data breach at the TPDSV level.  It is noteworthy that this data breach can take place years after the participant (be it the complainant, the respondent or their witnesses) has graduated, and under the current system the TPDSV would not notify the former student of the breach.

 

Finally, nothing in the TPDSV industry, which makes a profit from repackaging and selling access to disciplinary records of complainants, respondents, and witnesses of Title IX processes, seems fair until all those participants receive a guarantee, from the TPDSV, that so long as their record exists they can seal or expunge it on demand.  As the hypotheticals make clear:  Whether through school inaction or through a hack on another party, the respondent in this matter, who was not responsible, has a permanent mark on his electronic history because the TPDSV uploaded PII, failed to protect it with PETs, and shared it.  As a result, the student participant in a Title IX process is forever labeled a sexual predator, and has no way to clear that up.[9]  A student’s good name matters and FERPA recognizes this.  So should the TPDSVs who profit from the student’s PII.

 

                                                            Respectfully submitted,

 

 

 

                                                            /s/_______________________

                                                            Raul Jauregui

                                                            Jauregui Law Office

                                                            720 Arch Street

                                                            PO Box 861

                                                            Philadelphia, PA 19107

                                                            https://www.studentmisconduct.com/

                                                            (215) 559-9285

 

 

 

 

 


[1] Maxient can be found at:  https://www.maxient.com/.  Of course others provide similar services, including Symplicity Corporation’s Advocate program, which can be found at: https://www.symplicity.com/higher-ed/solutions/advocate, and I-sight, whose privacy policy specifically states that the PII can and will be distributed with the school’s (not the individual student’s) consent. See, https://i-sight.com/about/privacy-statement/.

[2] This account is modeled on the publicly available documents about Maxient use that the San Jose Evergreen Community College District has made accessible online, see, http://www.sjeccd.edu/HumanResources/Documents/Maxient%20Training%20Guide.pdf, last visited September 18, 2019.  This account does not relate to the SJECCD.

[3] See, e.g., https://www.chronicle.com/interactives/20190905-titleix-pressure-cooker

[4] See, 34 C.F.R. § 99.31(a)(1)(i)(B)(1).

[5] In real life there is at least one reported and litigated case of hacking Maxient, a fact well known to and yet ignored by the Title IX staff who use its services:  “Friedler now admits he and employees came up with a scheme to use colleges’ passwords and data to see how Maxient and Pave run their systems. Friedler led employees on a conspiracy to decrypt encrypted passwords used by colleges, taking screenshots and copying information gleaned in competitors’ systems.”  See, https://www.insidehighered.com/news/2014/05/27/look-hacking-scandal-higher-ed-tech-company

[6] There is little room for doubting that student data privacy is at risk every day.  See, Intrusion into UCF Network Involves Personal Data, DATA SECURITY (Mar. 8, 2016), http://www.ucf.edu/datasecurity/; Steve Ragan, SNHU Still Investigating Database Leak Exposing Over 140,000 Records, CSO ONLINE (Jan. 5, 2016, 10:00 AM PT), http://www.csoonline.com/article/3019278/security/snhu-still-investigating-database-leakexposing-over-140-000-records.html; Megan O’Neil, Data Breaches Put a Dent in Colleges’ Finances as Well as Reputations, THE CHRONICLE OF HIGHER EDUC. (Mar. 17, 2014), http://chronicle.com/article/Data-Breaches-Put-a-Dent-in/145341/.

[7] Family Educational Rights and Privacy Final Regulations, 76 Fed. Reg. 75,622, 75,616 (Dec. 2, 2011).

[8] There are also many models for enhancing protection of privacy for student records in bills that have been introduced into the Congress of the United States, including Student Privacy Protection Act, H.R. 3157, 114th Cong. § 4 (2015); Student Digital Privacy and Parental Rights Act of 2015, H.R. 2092, 114th Cong. § 3 (2015); Protecting Student Privacy Act of 2015, S. 1322, 114th Cong. § 2 (2015).

[9] Expungement greatly enhances the fairness of the Title IX scheme.  See, e.g., https://www.studentmisconduct.com/news/2016/6/27/blog-post-04-harris