Legal Obligations to Disclose or Protect University Records

Carolyn W. Skolnik, Assistant Attorney General
Office of the Attorney General
200 St. Paul Place
Baltimore, Maryland 21202
[email protected]

I. Statutory Requirements for Disclosure of Electronic Data

Numerous federal and state laws impose obligations on the University to disclose electronic data and records, including:

Amendments to the Federal Rules of Civil Procedure regarding electronic discovery;
CALEA;
USA Patriot Act;
Digital Millennium Copyright Act.

E-Discovery under the Federal Rules

On December 1, 2006, Congress approved amendments to the Federal Rules of Civil Procedure regarding electronic discovery.

These amendments apply to all cases filed after December 1, 2006.

Federal Rules of Civil Procedure regarding electronic discovery

Under the New Amendments:

All Electronically Stored Information is Discoverable.

Once a party requests its production, the information is discoverable.

If a party is subpoenaed, the person to whom the subpoena is directed shall provide all electronically stored information in his/her possession.

Changes Under the New Amendments:

Production of Electronically Stored Information:

Requesting party may specify how the electronically stored information must be produced.

If there is an objection to the form, or if the requesting party does not specify how the responding party should produce the electronically stored information, the responding party should produce the electronically stored information in a format that is reasonably usable or ordinarily maintained.

Changes Under the New Amendments:

Usable form does not mean that the responding party can produce the electronically stored information in a format that makes it difficult for the responding party to use the information in the litigation.

Changes Under the New Amendments:

Electronic Discovery is Mandated.

Even without a discovery request, all parties must provide opposing counsel with a copy of, or description by category and location of, all electronically stored information that the disclosing party may use to support its claims or defense.

Parties must meet to discuss any issue relating to electronic discovery and develop a discovery plan that indicates the parties’ concerns relating to electronically stored information, as well as issues relating to privilege and protection of work product.

Changes Under the New Amendments:

Under the new amendments, District Court judges shall enter scheduling orders that include a section regarding the discovery of electronically stored information and agreements the parties reach with respect to claims of privilege and protection of work product.

Changes Under the New Amendments:

Limits on Electronic Discovery:

A party is not required to provide electronically stored information that is not reasonably accessible because providing it would be an undue burden or would carry high costs.

You are still required to save the information, even if it is not reasonably accessible.

Changes Under the New Amendments:

Privilege Provisions:

If information produced is subject to a claim of privilege or of work-product protection, the party making the claim must inform the requesting party of this.

If privileged information has already been distributed to the opposing party, then the receiving party must promptly return, sequester, or destroy the specified information and any copies it has.

Changes Under the New Amendments:

Safe Harbor Provisions:

A court may not impose sanctions on a party for failing to provide electronically stored information lost as a result of routine, good faith operation of an electronic information system.

Routine operation has been interpreted to mean how a system is generally designed, programmed, and implemented to meet a party's technical and business needs.

How This Affects the University

These rules apply to all electronic information: Stored at University work stations; Stored on University laptops; Stored on voice mail systems; or Stored at a University employee’s home.

The Amendments Require

That a party suspend routine or intentional purging, overwriting, re-using, deleting, or destruction of any electronic information relevant to a dispute.

Electronic Information

Electronic information includes, but is not limited to:

Emails; Digital images; Voicemail messages; Word processing; Calendars; Videos; Phonographs; Information on PDAs; Backup of tapes; Offsite storage media; and any other related materials.

The E-Discovery Process

The duty to preserve electronic information begins through notice called a “litigation hold” or a “preservation hold.”

Once a hold is issued you will be asked to identify and preserve ALL potential sources of electronically stored information in your possession or under your control.

The “Litigation Hold” Doctrine

Applies wherever litigation is “reasonably foreseeable”

Requires that a “hold” be placed on all relevant information

Risk an adverse inference at trial for any missing information

When is litigation “reasonably foreseeable”?

A government claim, tort claim, special investigation, or regulatory audit
A major accident or injury
Incident that results in a police report
Whenever an employee is terminated
Whistleblower and whistleblower retaliation claims
Third party requests indemnification
A party says that s/he is going to sue

Other Situations

Multiple complaints about the same practice
Experience with similar situations
Investigations that corroborate complaints
Where the party holding information is contemplating its own lawsuit

Other Considerations

There must be actual notice of a specific and definite claim
The value of the claim is irrelevant
The scope or nature of the claim is irrelevant

personal injury cases - 24%
intellectual property cases - 20%
contract cases - 18%
employment cases - 15%
other - 23%

What to do when circumstances call for a “Litigation Hold”

(This includes all forms of electronic communication in all locations and forms)

You must preserve evidence;
You should interrupt regular document retention/destruction schedules;
You must protect against overwriting;
Address what to do about “deleted” data? Restore back-up tapes?;
You must instruct all who hold evidence;
Repeat instructions to all affected employees and staff;
You must hold all evidence until litigation is resolved.

What are some Issues that You Have to Consider?

Laptops and home computers;

People forget – Need to repeat instructions;

Failure to do a complete enough inventory at the start – voice information;

Failure to appreciate technical issues – metadata;

Explain to others the types of electronic information contained on campus

Redacting privileged information; Do you have a system in place to do this?

Costs associated with properly storing electronic information, and retrieving information in compliance with the new rules.

Develop a Preservation Plan

Map out steps to identify and properly preserve electronically stored information

Examples:

Determine how to deal with emails, which drafts will be saved and which will not
Establish routine destruction/overwriting process of electronically stored files
Backup of materials - what will be saved and for how long

Information Retrieval Plan

It is also vital to create a plan for information retrieval.

This is something you and other University employees must address.

This means that you, as IT personnel, should speak with employees and educate them as to how electronic information is generated, stored, archived, and destroyed.

You should advise other employees of your process for maintaining electronic information and the time frame it will take for you to obtain certain types of information if information is requested pursuant to litigation.

Confidential/Privileged Information

Although the electronic communication will be preserved, it is extremely important to note that no electronic information will be disclosed to opposing counsel without being reviewed by the Court to determine whether the information is relevant or privileged.

Importance of Preservation of Information

You must preserve all electronic information after receiving a preservation notice, even if you believe it is confidential or privileged.

Failure to Preserve Information

May result in many bad things:

Monetary Sanctions;
Attorneys’ fees and costs;
Preclusion of evidence at trial;
Instructions to jury to draw adverse inference;
Dismissal or default judgment.

Examples of Non-Compliance

Coleman Holdings Inc. v. Morgan Stanley - 2005
Failure to coordinate search for backup tapes led to late discovery of more than 2,500 tapes, and partial default judgment, which contributed to a jury verdict of $1.5 billion.

United States v. Philip Morris USA, Inc. - 2004
Eleven senior executives failed to follow internal procedures for preservation of evidence; court barred witnesses from testifying at trial and imposed total sanctions of $2,750,000.

Zubulake v. UBS Warburg - 2004
Failure to communicate within organization and with counsel led to late production and loss of data, warranted adverse inference instructions; jury returned $29,000,000 verdict.

Successful Compliance with the Federal Rules

Requires that all electronic information be preserved in its original electronic form.

This means that you are required to provide the information in its electronic form, not in hard copy form.

You are further required to retain the preserved data until either the Statute of Limitations has expired with respect to the claim or until litigation has concluded (meaning the case and all appeals have been concluded).

Lessons Learned

Importance of having regular document retention/destruction policies

Importance of putting together a team to establish a plan for each unique case

Importance of good communication throughout process with the right individuals

The Future

Prediction: The End of the Adversary Discovery Process?

II. Federal Statutes and Electronic Data and Records

Several federal statutes impose obligations to protect the privacy and security of electronic data and records.

Three of the most significant statutes are:

The Family Educational Rights and Privacy Act;
The Health Insurance Portability and Accountability Act; and
The Financial Services Modernization Act of 1999 (GLB).

Family Educational Rights and Privacy Act (FERPA)

FERPA deals with “student education records.”

“Student education records” means any records that contain information directly related to a student maintained by a school.

FERPA prohibits universities from disclosing education records or personal information within those records other than certain basic “directory” information.

Family Educational Rights and Privacy Act (FERPA)

Schools can be subject to statutory remedies when a school has a policy or practice that violates FERPA.

Inadequate computer security or known systems vulnerabilities that continue uncorrected may constitute a violation of FERPA.

Family Educational Rights and Privacy Act (FERPA)

A student’s education records can be disclosed:

To the student or his/her parent if the student is “dependent;”
To anyone with the student’s written consent;
Or if an exception applies; for example, the student’s records are lawfully subpoenaed. (This requires prior notification to student of subpoena so student has opportunity to contest it.)

Family Educational Rights and Privacy Act (FERPA)

A major exception under FERPA is that school officials may access student records if there is a “legitimate educational interest.”

“Legitimate educational interest” has been defined to mean performance of legitimate institutional functions.

Family Educational Rights and Privacy Act (FERPA)

The limitation of access to records means that faculty and staff must limit their use of data to that which is permitted by FERPA.

This means that school officials should access only those student education records needed to perform their authorized functions and only for that purpose.

Family Educational Rights and Privacy Act (FERPA)

The Department of Education's Office of Family Compliance Policy (OFCP) has urged that there is a need for each educational agency or institution to establish and enforce proper policies and procedures, including appropriate training to ensure that school officials do not misuse education records for their own purposes.

Family Educational Rights and Privacy Act (FERPA)

OFCP has provided the following guidance on the use of student identifiers in an electronic setting:

May not post grades using full or partial Social Security Numbers or any general university-issued student ID number.

However, an ID number specifically issued for posting grades, and no other purpose, may be used.

A unique, university ID number may be designated and disclosed as directory information, if it cannot be used to access non-directory personal information.

Family Educational Rights and Privacy Act (FERPA)

An institution that allows a student or a third party to access education records by providing only publicly available information, without additional authentication of identity, may be in violation of FERPA, because it could lead to unauthorized disclosures of education records.

Health Insurance Portability and Accountability Act (HIPAA)

Enacted by Congress in 1996 to create a national standard for the protection of personally identifiable information relating to health care in order to facilitate the development of an electronic health infrastructure.

Applies to “covered entities.”

Covered entities include health care providers who transmit individually identifiable health information in electronic form in connection with standard transactions, such as billing.

Health Insurance Portability and Accountability Act (HIPAA)

Two major standards have been adopted: The Privacy Rule; and The Security Rule.

These rules establish duties and prescribe measures to safeguard “protected health information” (PHI).

“PHI” is individually identifiable health information that is created or received by a covered entity that relates to past, present, or future medical conditions, health care treatment, or coverage of the individual.

Student education records covered by FERPA, and medical treatment records otherwise defined within FERPA, are exempt from the scope of the Privacy Rule.

Health Insurance Portability and Accountability Act (HIPAA)

The Privacy Rule:

In effect for all covered entities.

Provides that covered entities may not use or disclose PHI unless the use or disclosure is:

Authorized in writing by the patient;
For the purpose of treatment or payment regarding that patient, or general health operations (such as quality control);
For one of a number of public interest and benefit activities (such as reporting domestic abuse, complying with law enforcement demands, providing data for research purposes);
Incidental to a permitted use or disclosure.

Health Insurance Portability and Accountability Act (HIPAA)

The Privacy Rule also requires that covered entities give patients written notice of their privacy practices and the ways in which they may use and disclose PHI in accordance with the content of the notices.

Notice must be made available electronically on any web site the entity maintains.

Several provisions of the Privacy Rule bear on a covered entity’s obligation to maintain the integrity and security of electronic systems containing PHI.

Health Insurance Portability and Accountability Act (HIPAA)

A covered entity must:

Have appropriate administrative, technical and physical safeguards in place to protect the privacy of PHI;

Reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule;

Designate a privacy official who is responsible for developing and implementing its privacy policies and procedures;

Train all members of its workforce on its privacy policies and procedures;

Have, apply, and document appropriate sanctions against members of its workforce who violate the Privacy Rule or its policies/procedures;

When using third parties to provide services or perform functions on its behalf that involve the use or disclosure of PHI, enter into a “Business Associate Agreement” that obligates Business Associate to use appropriate safeguards to prevent use or disclosure of the data and to report any violation of which it learns.

Health Insurance Portability and Accountability Act (HIPAA)

The Privacy Rule also requires that covered entities maintain documentation, in written or electronic form, of their policies and procedures, any communications required to be in writing and anything else required to be documented under the Rule.

Documents must be maintained for 6 years from creation or the last date they were in effect.

Covered entities need to ensure that electronic systems can accommodate records retention, patient requests for access and alterations, and notations with respect to patient requests for restrictions and alternative procedures.

Health Insurance Portability and Accountability Act (HIPAA)

The Security Rule:

Focuses on ensuring that only those who are authorized actually have access.

Is closely aligned with the Privacy Rule and proceeds from the Privacy Rule’s requirement of “appropriate administrative, technical, and physical safeguards” for PHI, through a series of standards, which in turn include a series of mandatory or addressable implementation specifications.

Health Insurance Portability and Accountability Act (HIPAA)

Example of a standard and corresponding Implementation Specification:

Standard: institutions must implement policies and procedures to prevent, detect, contain and correct security violations.

Implementation specification (Required): conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity.

How the specification is met is up to the institution.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Enforcement

There is no private right of action by individuals to enforce HIPAA’s data privacy protections.

A person may file a complaint with the appropriate agency alleging a violation of the Privacy or Security Rule.

The agency will investigate the complaint and work with the covered entity to achieve voluntary compliance and corrective action.

The agency may also conduct compliance reviews and the covered entity is required to cooperate and provide access to records.

Health Insurance Portability and Accountability Act (HIPAA)

Penalties for non-compliance:

Civil Monetary Penalties: if a violation is found and not corrected through voluntary compliance, civil monetary penalties of up to $100.00 per violation may be imposed.

The penalties will be capped at $25,000 during any calendar year for all violations of an identical requirement or prohibition.

Criminal Penalties: up to $250,000 in fines and 10 years imprisonment may be imposed on anyone who, knowingly and in violation of HIPAA, uses or causes to be used a unique health identifier or obtains or discloses individually identifiable health information.

Financial Services Modernization Act of 1999, or Gramm Leach Bliley Act (GLB)

GLB was enacted in 1999 to enable banks to engage in a diverse assortment of commercial activities while protecting customers’ private information.

Financial institutions must: safeguard nonpublic customer data, limit disclosures of such data, and notify customers of their information-sharing practices and privacy policies.

Gramm Leach Bliley Act (GLB)

Higher education institutions generally participate in a substantial amount of lending activity (and other covered activities as well), therefore the Federal Trade Commission (FTC) considers them covered financial institutions subject to GLB.

The FTC says institutions complying with FERPA are exempt from having to comply with the privacy rules issued under GLB; but such institutions remain subject to the GLB customer information safeguarding rules.

Gramm Leach Bliley Act (GLB)

The Safeguarding Rules under GLB:

Came into effect on May 23, 2004;
Cover paper as well as electronic data;
Extend to all nonpublic personal information, defined as personally identifiable financial information, which in turn was defined to cover a broad range of data.

Gramm Leach Bliley Act (GLB)

Requirements of the Safeguarding Rule:

Institution must develop, implement and maintain a written comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to its size and complexity, the nature and scope of its activities and the sensitivity of the relevant customer data.

The plan must be reasonably designed to achieve the security and confidentiality of customer data, to protect against anticipated threats or hazards, and to protect against unauthorized access or use that could result in substantial harm.

Gramm Leach Bliley Act (GLB)

Requirements of the Safeguarding Rule:

Institutions must also designate an information security program coordinator and identify reasonably foreseeable risks in areas such as employee training, IT operations, and detecting, preventing, and responding to intrusions and system failures;

Institutions must evaluate and adjust their security programs in light of the results of their own testing, any material changes to their operations, or any other circumstances that you know or have reason to know may have a material impact on your information security program.

Gramm Leach Bliley Act (GLB)

Suggestions for Minimizing Risk of Liability:

Minimize the use of SSNs and other sensitive personal data;

Limit the storage of SSNs, credit card data, and other highly sensitive personal data to secure servers;

Consider using encryption in the storage and transmission of sensitive data;

Consider appropriate background checks for persons accessing sensitive personal data;

Promptly investigate all breaches;

Address computer security breaches in crisis response plans;

Provide ongoing education on how to avoid major privacy and security risks (phishing, worms, spyware) via websites, electronic newsletters, etc.

Amend institutional IT policies to include disclaimer re security, and do not overstate the level of privacy or security afforded personal or other data maintained in or transmitted through institutional systems.

Communications Assistance for Law Enforcement Act (CALEA)

Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994 to make it easier for law enforcement to wiretap digital telephone networks. The FCC, in August 2005, concluded that CALEA applies to facilities-based broadband Internet access providers and providers of interconnected voice-over-Internet-Protocol (VoIP) services.

In May 2006, the American Council on Education (ACE) brought suit against the FCC, arguing that the FCC had unlawfully extended CALEA to private computer networks operated by colleges and universities.

CALEA

In deciding American Council on Education v. FCC, (June 9, 2006), the court rejected this argument and upheld the FCC’s interpretation applying CALEA to private computer networks operated by colleges and universities.

However, a college or university remains exempt from CALEA so long as its computer network:

(1) Is "private," i.e., is only used by a particular class of users, such as faculty, students, administrators, and alumni, and

(2) Does not "support" the connection of the private network to the Internet.

This means that the institution does not itself construct, purchase, lease or otherwise operate fiber optic or other transmission facilities and associated switching equipment that link the campus network to an Internet Service Provider.

If your University is not exempt:

the CALEA compliance deadline is May 14, 2007, to have in place equipment that will provide the necessary CALEA assistance capabilities specified in the law.

Public Notice released by the FCC in December 2006 establishes filing deadlines for CALEA-mandated System Security and Integrity (SSI) and Monitoring Reports. Monitoring reports must be filed by February 12, and the SSI report by March 12.

USA Patriot Act

Formal name: “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.”

Purpose is “to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes.”

The Act grants law enforcement increased access to electronic communications.

USA Patriot Act

Amends certain other laws to make it easier for law enforcement personnel to gain access to confidential information:

The Family Education Records Privacy Act of 1974 (FERPA);

The Foreign Intelligence Surveillance Act of 1978 (FISA);

The Electronic Communications Privacy Act of 1986 (ECPA).

USA Patriot Act

FERPA and The Patriot Act:

The Patriot Act amends FERPA by creating a new exception to the privacy protections, “emergency disclosure.”

If a U.S. assistant attorney general, or similarly ranked federal official, obtains a court order relevant to a terrorist investigation, the law now requires that an educational institution must turn over the requested records without the student’s consent.

Moreover, the institution need not even maintain a record of the transaction.

USA Patriot Act

FISA and The Patriot Act:

FISA stands for the proposition that if law enforcement believes a “hostile foreign power” is behind the criminal activity under investigation, the investigation does not have to follow the traditional Fourth Amendment protection.

USA Patriot Act

FISA and The Patriot Act:

Section 501 of the Patriot Act’s “business records” amendment to FISA allows a federal agency armed with a court order to obtain certain business records pursuant to an investigation of “internal terrorism or other clandestine intelligence activities,” so long as the investigation is “not conducted of a United States person solely upon the basis of activities protected by the first amendment.”

The record keeper is prohibited from disclosing the request to anyone “other than those persons necessary to produce the tangible things under this section.”

ECPA and the Patriot Act

(ECPA is the “wiretapping act” for the Internet.)

Patriot Act Amendments of ECPA: Required Disclosure

Prior to the Patriot Act, law enforcement required a traditional subpoena in order to acquire “routing” information; the Patriot Act permits “rubber stamp” subpoenas to replace the traditional authorization standard.

The purpose of the “rubber stamping” of subpoenas under ECPA is to make it easier for law enforcement to obtain information.

ECPA and the Patriot Act

Patriot Act Amendments of ECPA: Voluntary Disclosure

“Emergency disclosure” provision of Patriot Act amendment to ECPA allows an owner or operator of a network system who reasonably believes he has accessed information endangering life or limb, to disclose that information to virtually anyone, without fear of subsequent liability.

ECPA and the Patriot Act

Patriot Act Amendments of ECPA: Computer Trespass

Permits a network owner/operator to request law enforcement agents to investigate a computer abuse so long as the owner/operator reasonably believes such is the case, and the investigation remains limited to the trespass.

There is nothing in the legislation that ensures the owner/operator’s specific control of the investigation: “limited to the investigation of trespass” may be interpreted broadly by law enforcement agents.

ECPA and the Patriot Act

Patriot Act Amendments of ECPA: Computer Trespass

What is the best course of action for a college or a university contemplating an invitation to federal law enforcement to investigate computer trespass?

No individual member of the college or university community should be allowed to make the request of federal law enforcement without administrative and legal consultation.

USA Patriot Act

Two of the most immediate questions about the Act as it relates to information technology are:

Does it require proactive architectural or structural alterations to networks? And

Does it require networks to retain data logs?

USA Patriot Act

The answer to both of the preceding questions is no.

No network re-architecting is proactively required, but in the presence of a subpoena, redesigns may be necessary.

It is important to note that Section 222 of the Patriot Act states that “reasonable compensation” may be obtained for the “reasonable expenses” incurred in accommodating authorizations that require the application of surveillance devices.

The Patriot Act also does not require that networks retain logs.

However, if law enforcement presents authorization requesting logging information, the network must either begin to provide that information or preserve the logs it has on hand that are specific to the information requested in the authorization.

Maryland Public Information Act (PIA)

Provides that, “[a]ll persons are entitled to have access to information about the affairs of government and the official acts of public officials and employees.”

This means that “[e]xcept as otherwise provided by law, a custodian shall permit a person or governmental unit to inspect any public record at any reasonable time.”

There is no need for the person to show that he or she is “aggrieved” or a “person in interest.”

Nor is access restricted to citizens or residents of Maryland.

Maryland Public Information Act (PIA)

An agency has no obligation to create records to satisfy a PIA request.

Nor is an agency required to reprogram its computers or aggregate computerized data files so as to effectively create new records.

“Programming” involves the creation of new instructions to the database so that access to data linked in certain ways becomes possible.

Thus, programming requires the expenditure of significant time by an individual with specialized knowledge of computer or electronic databases to generate the particular report.

It would not be considered “programming” if a clerical employee with standard computer skills could generate the report by following pre-existing instructions.

Nor would redaction of material from an existing report generally constitute “programming.”

Maryland Public Information Act (PIA)

Scope of Search:

The court asks whether the agency has conducted a search reasonably calculated to uncover all relevant documents, not whether it has unearthed every single potentially responsive document.

Under this standard, agencies may be required to conduct relatively broad and time-consuming searches.

Onus is on the agency to demonstrate that a search would be unduly burdensome, and this obligation is met only in cases involving truly massive volumes of records.

Maryland Public Information Act (PIA)

Right to Copies:

PIA grants any person who has the right to inspect a public record the right to be furnished copies, printouts, or photographs for a reasonable fee.

One issue unresolved by Maryland courts is whether the right to copies affords to a requester the right to pick the format in which records are copied.

For example, does a requester have the right to obtain a disk containing computerized data when the agency offers to provide a printout?

The Attorney General’s Office currently takes the position that the agency, not the requester, has the right to select the format of disclosure.

Maryland Public Information Act (PIA)

Reasonable Fees for Copies:

An office custodian may charge a reasonable fee for copies.

Fees should not be set simply to deter requests to inspect records or get copies.

Maryland Public Information Act (PIA)

Search and Preparation Fees:

An official custodian may charge reasonable fees for the search and preparation of records for inspection and copying.

Search and preparation fees are to be reasonably related to the actual costs to the governmental unit in processing the request.

Search fees: the costs to an agency for locating requested records. Usually, this involves the cost of an employee’s time spent in locating the requested records.

Preparation fees: the costs to an agency to prepare a record for inspection or copying, including the time needed to assess whether any provision of law permits or requires material to be withheld.

Maryland Public Information Act (PIA)

Exceptions to Disclosure:

The PIA’s exceptions to disclosure fall into three basic categories:

When a source of law outside the Public Information Act prevents disclosure.

Mandatory exceptions for specific classes of records and information.

Discretionary exceptions - allow the custodian to exercise discretion over disclosure of certain specified records.

Maryland Public Information Act (PIA)

Exceptions Based on Other Sources of Law

State Statute;

Federal Statute or Regulation;

A rule adopted by the Court of Appeals or order of a court of record.

Maryland Public Information Act (PIA)

State Statute Examples:

Protection of police records pertaining to minors;

Inmates’ case records;

Tax information;

Medical records.

Maryland Public Information Act (PIA)

Federal Statutes Examples:

FERPA;

Information concerning food stamp applicants;

Certain critical infrastructure information;

Certain homeland security information that the federal government shares with the State or local governments may not be disclosed under the PIA.

Maryland Public Information Act (PIA)

Court Rules and Orders Examples:

Disclosure of matters occurring before a grand jury is prohibited by the Maryland Rules.

A public official or employee who improperly discloses search warrant information prematurely may be prosecuted for contempt.

An order to seal records in a divorce or custody case.

Maryland Public Information Act (PIA)

Privileges:

Traditional privileges like the attorney-client privilege and the doctrine of grand jury secrecy.

Another example of a privilege is confidential executive communications of an advisory or deliberative nature.

Maryland Public Information Act (PIA)

An ordinance enacted by a local government cannot by itself supply a basis for withholding a public record otherwise available under the PIA.

Nor may an agency regulation provide an independent basis for withholding a public record.

Maryland Public Information Act (PIA)

Required Denials-Specific Records: A custodian must deny the inspection of certain specified records. However, any of these records may be available for inspection if “otherwise provided by law”:

Adoption and Welfare records

Personnel Records

Letters of Reference

Retirement Records

Student Records

Library Records

Motor Vehicle Administration records

Risk Based Capital Records (RBC) Filed with Insurance Commissioner

Arrest Warrants

Police Reports Sought for Marketing Legal Services

Other Miscellaneous Records

Maryland Public Information Act (PIA)

Required Denials-Specific Information: A custodian must deny the inspection of the part of a public record that contains the following specific information:

Medical, Psychological and Sociological Data

Trade Data; Confidential Business and Financial Information

Home Addresses and Phone Numbers of Public Employees

Records of an Individual’s Personal Finances

Occupational and Professional Licensing Records

Records Containing Investigatory Procurement Information

Other Miscellaneous Information

Maryland Public Information Act (PIA)

Discretionary Exceptions: A custodian may deny the right of inspection to certain records or parts of records, but only if disclosure would be contrary to the “public interest.” These records are:

Interagency or intra-agency memoranda or letters that would be privileged in litigation;

Testing records for academic, employment, or licensing examinations;

Specific details of a research project that an institution of the State or of a political subdivision is conducting;

Contents of a real estate appraisal made for a public agency about a pending acquisition (except from the property owner);

Records of investigation, intelligence information, security procedures, or investigatory files;

Site-specific location of certain plants, animals, or property;

Information relating to an invention owned by a State public institution of higher education;

Maryland Public Information Act (PIA)

Discretionary Exceptions (continued):

Information relating to a trade secret, confidential commercial information, or confidential financial information owned by the Maryland Technology Development Corporation or by a public senior higher educational institution;

Plans and procedures relating to emergency procedures and records relating to buildings, facilities, and infrastructure, the disclosure of which would jeopardize security, facilitate planning of a terrorist attack, or endanger life or physical safety;

Records reflecting rates for certain services and facilities held by the Maryland Port Administration and research concerning the competitive position of the port;

Records of University of Maryland University College concerning the provision of competitive education services.

The Digital Millennium Copyright Act (DMCA)

File Sharing and Liability of ISPs:

Internet service providers face potential liability for contributory copyright infringement because they provide the pipelines that make file sharing possible.

The DMCA generally provides universities with a “safe harbor” from liability for the illegal file-sharing of their students, so long as they satisfy two general requirements:

(1) they must adopt, “reasonably implement” and inform users of “a policy that provides for the termination in appropriate circumstances of…repeat infringers,”

(2) they must accommodate and not interfere with any standardized technical measure that copyright owners use to identify and protect their works.

DMCA “Safe Harbor” Provisions

To be eligible for this safe harbor, the University ISP must also meet the following specific requirements:

The ISP must not initiate the transmission or select either the material or the recipients.

The transmission must be carried out through an automatic technical process.

The material must not be maintained in the ISP’s system either for longer than reasonably necessary for the transmission to take place or in a manner ordinarily accessible to anyone other than anticipated recipients.

The material must be transmitted without modification of its content.

Questions about the DMCA “safe harbor”

Although the safe harbors granted by the DMCA may protect the institution, the precise meaning of the many requirements to qualify for these safe harbors is still open to argument.

Are you sure that you have sufficiently informed your students of your termination policy and that you have “reasonably implemented” it?

Have you affirmatively determined whether your system architecture adequately “accommodates” standard copyright protection technology?

Do you know exactly how long infringing material rests on your system as it makes its way from sender to recipient?

If not, you may not be eligible for a safe harbor.

Even if your institution clearly is protected by a safe harbor, your students are not, and your institution may be required to provide information relating to file sharing by its students.

DMCA Subpoenas

The DMCA established a subpoena process through which copyright owners could obtain “information sufficient to identify the alleged infringer of the [copyright owners’] material on an expedited basis, before even filing a lawsuit.”

However, the DMCA subpoena process is not available in “conduit” cases, which likely include 99% of all file sharing.

Litigation Subpoenas

The RIAA’s more recent approach appears to use “John Doe” lawsuits exclusively.

Under the “John Doe” lawsuit strategy, the RIAA can still obtain the information it needs by first filing individual “John Doe” lawsuits against alleged infringers and then serving normal litigation subpoenas on their ISPs or on anyone else likely to have relevant information.

The scope of what is considered relevant for purposes of a litigation subpoena is quite broad; if information sought pertains to a student, the institution will also be required to comply with FERPA by giving the student “reasonable” advance notice before turning the information over.

Questions and Answers

Additional questions can be directed to Carolyn W. Skolnik, via email:

[email protected]