Over 9,000 students received the startling news earlier this month that their personal information, including their names and the last four digits of their social security numbers, had been sent to a Mask and Wig listserv by a Penn alumnus.
The University has said that an investigation is ongoing, but has not provided further details since March 12. In his email on March 12, University Privacy Officer Scott Schafer said an unauthorized user accessed spring 2018 advanced class registration lists and warned every student involved with the leak to take precautions such as calling the United States credit bureaus and placing fraud alerts on credit cards.
Experts contacted by The Daily Pennsylvanian say that by placing this responsibility in the hands of individuals, Penn may be legally vulnerable under Philadelphia’s data breach notification law. This law requires organizations with personal information breaches affecting more than 1,000 people to notify U.S. credit bureaus.
However, despite the scope of the information accessed — class enrollment, student names, and the last four digits of their social security numbers — and the way the University informed the students, many privacy experts say legal repercussions will likely not be severe.
“My understanding is that Penn should take the initiative,” Drexel University law professor Robert Field said. “As a matter of responsible conduct toward its students, [Penn] should take that responsibility onto itself.”
In terms of legal repercussions, Field said that Penn will likely receive only “minor penalties and a slap on the wrist, as is common with occasional inadvertent disclosures.”
Vice Provost of Penn Law School and privacy law expert Anita Allen did not respond to a request for comment.
This is also not the first time Penn students' private information has been breached. Last September, an email from Student Disability Services accidentally revealed the email addresses of 299 students who received accommodations. In 2012, anonymous hackers leaked private information of over a thousand Penn students and administrators on the internet.
Field warned that these security flaws fall under the jurisdiction of the federal Family Educational Rights and Privacy Act, which carries “strong penalties” for a pattern of repeated disclosures.
Philadelphia-based attorney William Brennan said that civil suits in this particular case are a possibility "if students can show that the integrity of their privacy has been breached and they can show the damages."
However, in this case, Field and Brennan highlighted that it would be difficult to prove any malicious intent as it seems “hackers were trying to prove a point, not steal information or do anything important with it.”
Mask and Wig Secretary Treasurer and College senior Ethan Fein reaffirmed this idea and hypothesized that the hacker wanted to mock the system by proving that he could hack the information. Fein said the email on the listserv was accompanied by a message that said "why not."
The nature of the information, such as the last four digits of social security numbers, is not sensitive enough to warrant a lawsuit based on harm since this information can be exposed in transactions, Field said.
Ultimately, he suggested that the University’s most severe repercussions will not be legal in nature, but will rather be a negative impact on student confidence and the student relationship with Penn.
“Schools have to have confidential information on students. That's part of the educational process,” Field said. “If students are not confident the information can be kept confidential, then it could be a cause of tension.”