College Employee Issues - Information Security Violation

Cisco defines information security (infosec) as “the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection.”

But you're just a college employee; how could this term possibly apply to you?

If you explore the fine print, you'll realize that many colleges and universities have specific policies regarding information security. They spell out what employees can and cannot access, handle, and disseminate information. As a college employee, you likely have contractual obligations related to all forms of information.

These policies are completely necessary. Universities preside over large amounts of sensitive data, from students' identifying details to proprietary, federally-funded research. Even the most minor breach can be disastrous for a university.

If you are or become the focus of an alleged information security violation, know what potential sanctions you face. Universities' earnestness about info security may be reflected in merciless punishments directed towards you.

Hiring an attorney-advisor like Joseph D. Lento to defend you against a university's formidable resources can help level the playing field.

Why Do Universities Protect Information So Stringently?

America's most prominent research universities are not the only schools with a stake in data security—they may have the greatest stake, though.

The information security risks associated with research universities illustrate why colleges across the country have clear infosec policies. The FBI’s Higher Education and National Security report explains that American universities' culture of openness and freedom may:

  • Make colleges vulnerable to data theft
  • Allow foreign adversaries to illicitly capitalize on American universities' research and development
  • Lead to espionage through the corruption of university networks (digital or otherwise)
  • Compromise students through informational means

The leaking of a single student's social security number could be disastrous. That being said, the fact that universities are often the sites of sensitive, proprietary research makes the issue of info security even more pressing.

The American Association of Medical Colleges (AAMC) expresses concern that, in recent years, “...federal science agencies, and the media have highlighted concerns about the impact of undue foreign influence on federally funded research in the US”. It is alluding to research completed on college campuses, as so much research is.

Though many college employees do not participate directly in such high-stakes research, they are bound by the same infosec guidelines as those employees that do handle the sensitive information.

When you consider the complete picture of what goes on within a university's physical and digital limits, it becomes clear why schools take information security so seriously.

What Are Some High-Profile Cases of Infosec Violations at the College Level?

Even the most well-regarded American universities fall victim to infosec shortcomings. The US Department of Justice announced on January 28, 2020 that Harvard professor Dr. Charles Lieber had allegedly:

  • Been paid $50,000 per month (and other significant expenses) by the Chinese government while serving as Harvard's Chair of the Department of Chemistry and Chemical Biology
  • Lied about this affiliation despite being legally required to report such affiliations (being in a position of such influence)

These charges have provoked questions about whether sensitive research from Harvard became compromised under Lieber's watch. The same Justice Department report details the arrest of two Chinese nationals accused of stealing biological research from American universities.

These cases put real faces to the threats that the FBI speaks about in its Higher Education and National Security report. They are far from the first cases of University-owned information being compromised.

University of Tennessee professor Reece J. Roth is another notorious case of collegiate information security malevolence. While Roth was working on military-grade drone research, he “knowingly provided export-controlled defense information to a Chinese graduate student on his research team,” per the US Air Force Office of Special Investigations.

Are these cases indicative of the information security violation that you face? Perhaps not. You may have simply failed to follow procedures or made a genuinely innocent mistake.

However, these cases again reinforce why you need representation for your case. Universities have experienced embarrassing, national security-compromising cases of information insecurity. To avoid the perception of leniency, they could handle your case with a heavy hand.

What Are Federal Laws Governing Information Security?

Though universities generally have independent infosec policies, certain federal laws may apply to you as a college employee. This is not to say you are facing any criminal charges, only that universities generally follow practices that reflect these laws.

Relevant laws include:

FERPA (20 USC § 1232g; 34 CFR Part 99) students aged 18 and older the right to:

  • See their academic records
  • Determine who can (and cannot) view their educational record
  • Request amendments to their educational record

For information security purposes, FERPA's privacy-related sections may be most relevant.

  • Federal laws related to individual privacy

The National Center for Education Statistics (NCES) states that “Most private and public colleges and universities are also subject to federal privacy laws because they receive federal funds from the US Department of Education.”

It cites the Protection of Pupil Rights Amendment (PPRA), which provides certain protections to parents whose college student is a minor.

NCES explains that while the Freedom of Information Act (FOIA) of 1966, the Privacy Act of 1974, and the Computer Matching and Privacy Protection Act of 1988 do not apply to educational records, many states have rules that replicate the spirit of these laws.

What Do Colleges Say About Information Security Violations by Employees?

Every college or university with an infosec policy may have unique phrasing, rules, and sanctions. We'll present some examples of individual policies. Collectively, they give an idea of how universities define and categorize information security.

Massachusetts Institute of Technology (MIT)

One of the leading technological institutes in the world, MIT applies a “reasonable” standard to information security:

“Individuals who manage or use IT resources required by the Institute to carry out its mission must take reasonable steps to protect them from unauthorized modification, disclosure, and destruction. Data and software are to be protected, regardless of the form, medium, or storage location of the information. The level of protection shall be commensurate with the risk of exposure and with the value of the information and of the IT resources.”

University of California - Berkeley

UC-Berkeley’s information security policies include the following rules:

  • Employees must secure information in a way that is commensurate with the data's sensitivity
  • Owners of a network device must adhere to UC-Berkeley's security protocols and standards
  • Employees must immediately report security incidents and suspicious activity

The university also requires employees to clearly define personal and work information when confusion could arise.

Ohio University

Not every employee faced with an alleged information security violation will work for an elite university. Ohio University's infosec policies provide a window into how state schools handle infosec concerns.

Ohio U. outlines specific standards for:

  • Encrypting information in university computers
  • Reporting data breaches
  • Securing mobile devices on the university network

You must know the information security standards specific to your university. This is crucial to defending yourself from a charge of insufficient or improper information security.

What Are Your Information Security Mandates as a University Employee?

As a university employee, the rules you are subject to may depend on:

  • Your specific job title
  • Your professional responsibilities
  • The types of information you come into contact with
  • The specific policies of the university where you work or worked

Generally, you may need to handle all information in accordance with federal laws, university rules, and the standards of reasonable care.

What Qualifies as an Information Security Violation?

The answer to this question can vary from one college to another. Some actions and failures may qualify as an information security violation in most cases. This includes:

  • Sharing a student's information in a way that is not permitted
  • Handling sensitive information on an unsecured device or network
  • Maliciously sharing sensitive information with a third party
  • Failing to report a data breach in a timely manner
  • Trying to conceal a violation of the college's information security policies
  • Accessing information that you are not authorized to access
  • Archiving school-owned records on your own device

These are just some of the actions and shortcomings that could lead to sanctions against you.

What Sanctions May You Face for an Infosec Violation?

Sanctions for an information security violation will likely depend on:

  • The nature of the allegation against you
  • Whether you have been accused of any violation in the past
  • The school's specific policies on handling alleged information security violations

Potential consequences include:

  • Official reprimand
  • Disciplinary probation
  • Mandatory completion of a course related to your alleged violation
  • Suspension without pay
  • Firing

Your employer may maintain a permanent record of an information security violation in your human resources file. Depending on the nature of the allegation against you, the college could initiate criminal procedures.

Professional sanctions may contribute to or directly cause:

  • Loss of income
  • Loss of future earning power
  • Loss of healthcare benefits
  • Emotional distress
  • Relationship problems
  • Health problems
  • Lost quality of life
  • Loss of freedom

An information security violation is a serious allegation. Do not underestimate the potential consequences that you face.

What Process Can You Anticipate for Your Case?

Every university may have a unique policy for handling alleged information security violations. The large-picture view of what should occur in your case is:

  1. The university should investigate the incident
  2. The university should notify you of an investigation into your conduct
  3. The university should notify you of its conclusion and any sanctions against you

For allegations of wrongdoing against students, there is generally a clear policy on how the student can defend themselves and appeal an adverse decision. As you can see from The University of Alabama - Birmingham’s policies, employees may not generally have the same protections.

However, you do always have some type of recourse. There are real consequences to professional sanctions. Employment law helps defend you from unfair or unduly harsh action, and an attorney can explain what your options for justice are.

What Can You Do to Defend Yourself?

Hire attorney-advisor Joseph D. Lento, for starters. Attorney Lento and his team at the Lento Law Firm will:

  • Review the allegations against you
  • Pursue any evidence that supports your defense
  • Handle every possible aspect of your case
  • Seek the most positive outcome possible based on the facts of your case

Importantly, Attorney Lento will conceive and execute your defense against an allegation of impropriety. In the meantime, do not make any on-the-record statements, and definitely do not admit any wrongdoing.

What Are Possible Defenses Against an Information Security Allegation?

Research published by Binghamton University suggests that information security policies (ISPs) are often the problem. It found that these policies can:

  • Fail to account for the realities of your job
  • Lead employees to disobey information security rules because they are onerous
  • Ultimately expose the organization to data breaches
  • Result in unjustified sanctions on employees, as it is the policy that is the problem

Such findings may be the basis for your defense—that an outdated, unrealistic, or unclear policy is to blame for your violation.

Our team will review your case to determine if any additional or alternative defenses are necessary.

What Can an Attorney-Advisor Do for You?

A college is generally funded by students tuition, alumni donations, athletic programs, and other sources of income. They can do much with these resources, including wage a fight against your livelihood and reputation.

It is wise to retain a resource of your own—a skilled attorney-advisor who knows how to defend you from the allegations levied against you. You may be in uncharted waters, and an attorney can keep you from capsizing.

Attorney Joseph D. Lento is dedicated to defending school employees' rights. He will stand tall to those who have accused you of wrongdoing.

Call the Lento Law Firm Today

Attorney Joseph D. Lento and his team are ready to speak with you about your case. Contact the Lento Law Firm today at 888-535-3686 to schedule a consultation.

Contact Us Today!


If you, or your student, are facing any kind of disciplinary action, or other negative academic sanction, and are having feelings of uncertainty and anxiety for what the future may hold, contact the Lento Law Firm today, and let us help secure your academic career.

This website was created only for general information purposes. It is not intended to be construed as legal advice for any situation. Only a direct consultation with a licensed Pennsylvania, New Jersey, and New York attorney can provide you with formal legal counsel based on the unique details surrounding your situation. The pages on this website may contain links and contact information for third party organizations - the Lento Law Firm does not necessarily endorse these organizations nor the materials contained on their website. In Pennsylvania, Attorney Joseph D. Lento represents clients throughout Pennsylvania's 67 counties, including, but not limited to Philadelphia, Allegheny, Berks, Bucks, Carbon, Chester, Dauphin, Delaware, Lancaster, Lehigh, Monroe, Montgomery, Northampton, Schuylkill, and York County. In New Jersey, attorney Joseph D. Lento represents clients throughout New Jersey's 21 counties: Atlantic, Bergen, Burlington, Camden, Cape May, Cumberland, Essex, Gloucester, Hudson, Hunterdon, Mercer, Middlesex, Monmouth, Morris, Ocean, Passaic, Salem, Somerset, Sussex, Union, and Warren County, In New York, Attorney Joseph D. Lento represents clients throughout New York's 62 counties. Outside of Pennsylvania, New Jersey, and New York, unless attorney Joseph D. Lento is admitted pro hac vice if needed, his assistance may not constitute legal advice or the practice of law. The decision to hire an attorney in Philadelphia, the Pennsylvania counties, New Jersey, New York, or nationwide should not be made solely on the strength of an advertisement. We invite you to contact the Lento Law Firm directly to inquire about our specific qualifications and experience. Communicating with the Lento Law Firm by email, phone, or fax does not create an attorney-client relationship. The Lento Law Firm will serve as your official legal counsel upon a formal agreement from both parties. Any information sent to the Lento Law Firm before an attorney-client relationship is made is done on a non-confidential basis.