NCC/NCC Foundation Security Incident Q&A
According to the Family Education and Record Protection Act (FERPA), access to student records by third parties is only allowed under specific circumstances and may not be given to third parties unless there is an appropriate legal, data privacy and security framework in place.
Since the Foundation employees are not Norwalk Community College employees, written consent was not obtained in all circumstances from the affected students, and considerable data about students was accessed including information related to financial aid, Norwalk Community College was obligated to inform the U.S. Department of Education about this situation. We were also obligated to inform all students who may have been affected so that each student may take protective action that the student feels is appropriate and necessary.
What is the risk to me?
Currently, there is no evidence that information accessed by the Foundation’s employees or Scholarship Committee members was misused or accessed for inappropriate purposes or by individuals other than the Foundation’s employees or Scholarship Committee members; however, the College is obligated to inform you of these circumstances because the College cannot be certain that the data in the Foundation’s possession had the appropriate security controls in place. Some of the data was subsequently copied to and accessed from personal computing devices that were beyond the security controls of Norwalk Community College and the Connecticut State Colleges and Universities system. To date, there has been no evidence of compromise or any misuse of the data; however, since the data were accessed and stored outside of Norwalk Community College and the Connecticut State Colleges and Universities system data security controls, there is a limited risk that the data were or may be unknowingly compromised.
Was my Social Security number or financial account information compromised?
The College has controls in place to limit access to Social Security numbers and financial account data to individuals who have a legitimate need to know this information. If the College had information about the compromise of your Social Security number or financial account information, you would have been notified about that specifically. However, in this case, as far as the College is aware, no student Social Security numbers or financial account information was accessed.
What are the College and the Foundation doing to remedy the situation?
Norwalk Community College and the Foundation are committed to protecting student privacy and the confidentiality of student education records. We are working diligently to implement a data sharing agreement between the Foundation and Norwalk Community College to ensure that the Foundation only receives limited student scholarship applicant education records for which there is a legitimate need to verify scholarship information. Further, the Foundation is working to ensure appropriate written student consent forms are collected and data security controls are in place for the student scholarship applicant education records that the Foundation receives from Norwalk Community College for scholarship administration purposes.
What information about me may have been accessed by Foundation employees?
The letter you received listed each of the data elements and categories of student data that were accessed by the Foundation’s employees. Unfortunately, we cannot determine exactly which data elements of those listed were gathered for which students. Since Norwalk Community College cannot determine exactly which student records were affected, we are obligated to inform all students of these circumstances.
Why did the Foundation have access to my data? (e.g., I never had a scholarship, I haven't attended the school in years, my children are minors, etc.)
The Foundation accessed student education records to verify student scholarship applications, to market new scholarship opportunities, and to administer various College programs. In connection with these activities, the Foundation’s employees were provided direct access to the Norwalk Community College Banner student data system which contains information about all current, former and some prospective students.
What do I need to do?
Given that there is no evidence that your data were misused, each student can take steps to protect their own personal information. We recommend that you read the guidance in the letter you received for protecting yourself and take the proactive measures that make sense to you.
Why is the return address in California (or some other non-CT location)?
The College uses a contract with a vendor called IDX which has several offices around the United States. IDX provides data security notification services and other data security incident services. They require that their own address be used as the return address so that they can track returned communications.
Can I have my data deleted so this isn't an issue?
State record retention laws require that the College retain student education records; however, the Foundation is obligated to delete the student education records when they are no longer needed for processing scholarships.
I want to talk with someone else. Who can I talk to?
If you have additional questions that are not served by the letter you received or this documentation, you may reach out to the Connecticut State Colleges & Universities Data Privacy Officer, Jan Kiehne, at email@example.com for additional assistance.