Forty Years of Public Records Litigation Involving the University of Wisconsin: An Empirical Study

05.14.2018  |  Comments Off on Forty Years of Public Records Litigation Involving the University of Wisconsin: An Empirical Study

Developing Enhanced Due Process Protections

05.14.2018  |  Comments Off on Developing Enhanced Due Process Protections

Campus Speech and The Functions of the University

06.02.2017  |  Comments Off on Campus Speech and The Functions of the University

Summary:  The roles and limits of free speech on university campuses have lately been of increasing interest. This Article suggests that as long as our understandings of the basic functions of the university itself are conflicting and contested, our understandings of the proper scope of free speech on campus will be similarly irreconcilable, even if we think of the university in terms of community. The Article explores this thesis through considering, in particular, problems of hostile speech, of professorial academic freedom, and of speech by students transitioning into professional service roles.

Full Article:  Volume 43:1 Campus Speech and The Functions of the University

Evidentiary Privilege For Researchers

06.21.2017  |  Comments Off on Evidentiary Privilege For Researchers

The Risks and Liability of Governing Board Members To Address Cyber Security Risks In Higher Education

06.21.2017  |  Comments Off on The Risks and Liability of Governing Board Members To Address Cyber Security Risks In Higher Education

Summary:  Cloud computing can be a highly effective means of avoiding information technology costs and are an attractive option to higher education institutions. Cloud computing also creates an incremental potential risk for data breaches and the accompanying privacy concerns that arise when personally identifiable information is stored on third party servers accessible over the internet. Officers and board members of an institution considering a move to the cloud are well- advised to engage in robust diligence and be adequately informed of the benefits and risks of migrating substantial amounts of sensitive data to the cloud. This article provides timely information to higher education institutions to assist the understanding of the nature of cybersecurity risks and preparedness, and how those risks may be mitigated so that the fiduciary duties owed by institutional officers and board members are properly discharged.

Full Article:  Volume 43:3 The Risks and Liability of Governing Board Members To Address Cyber Security Risks In Higher Education

 

Unresolved Conflicts of Interest in University Human Subject Research

06.23.2017  |  Comments Off on Unresolved Conflicts of Interest in University Human Subject Research

STUDENT NOTE : Unresolved Conflicts of Interest in University Human Subject Research

Reconsidering Brown University More Than a Decade Later

06.21.2017  |  Comments Off on Reconsidering Brown University More Than a Decade Later

STUDENT NOTE : Reconsidering Brown University More Than a Decade Later

Campus Speech and The Functions of the University – OLD

11.23.2016  |  Comments Off on Campus Speech and The Functions of the University – OLD

 Volume 43:1 Campus Speech and The Functions of the University

Summary

I. Introduction

This Article addresses the status of free speech on contemporary public and private university campuses.[1] There has been historically, and is now, no consensus on the proper scope of free speech in general on campus. Doubtless a number of considerations partially account for this lack of consensus. This Article, however, focuses on one fundamental such consideration.  In particular, the Article adopts what might be called a loosely functionalist[2] approach.

The functionalism employed herein attends not so much to the functions of freedom of speech, as to the functions of the contemporary university. As employed here, the idea of a ‘function’ encompasses broad, sustained, significant effects of the university on any aspect of its environment or on its own membership, whether such effects are consciously intended or not.[3] The idea of a university function may include university aims, purposes, and missions, whether actual or proposed, traditional or emerging, tangible or intangible, conservative or insurgent, sustaining or disruptive, concrete or abstract, mundane or aspirational, explicit or implicit, unreflective or critical.[4]

Functions of a university can thus vary in the extent to which they are immediately contained within the university context, or else affect persons, institutions, cultures, and other entities beyond the university setting,[5] though drawing any such lines will often be difficult, if not hopeless.

The key assumption below is a blend of descriptive, predictive, and normative considerations. The crucial assumption is this: there are various sorts of university free speech cases, but whatever the case, sensible university free speech rules and policies will tend to, and perhaps should, largely reflect what the various decision makers and others take to be important relevant functions of the university.[6]

The crucial step is then to recognize that in our era, the speech-relevant functions of the university will be not only plural and various,[7] but divergent, and for practical purposes, irreconcilably conflicting. The irreconcilability of partially conflicting university functions — in the clearest cases, partial conflicts in explicitly articulated visions of the university — is fundamental to understanding the nature of campus free speech issues today.

Thus university campus speech policies become contestable, and often irresolvably so, when they implicate some aspect of the unresolved conflicts among partially competing understandings of university function, purpose, and mission. Any given person, group, or institution, on or off campus, may well reject one or more of the commonly asserted university functions. But this does not fundamentally change — indeed, it helps to constitute — the underlying dynamic of conflicting visions of university function and thus of speech on campus.

If this functionalist approach is on the right track, we should expect genuine consensus on the range of potential campus speech cases only if and when universities are widely thought to have some single identified and coherent basic function, or at least some hierarchical, weighted, harmonized, or otherwise non-conflicting plural set of such functions. Absent such unlikely developments, we should expect speech policies on campus to be typically subject to irreconcilable contest.[8]

And if we reasonably assume persistent incompatibilities among conceptions of university functions,[9] then a certain futility must attach to advocacy in endorsing or rejecting any normative theory of campus speech in practice. We should, however, continue to look for and reflect upon genuine overlaps and commonalities of commitment.

To illustrate these themes, this Article considers some of the most prominent discussions, descriptive and normative, of basic university functions.[10] Among such discussions, thorough and comprehensive inventories of the diverse such basic university functions are uncommon.[11] The more typical approach is to focus on some preferred or conspicuous limited set of or single such functions,[12] even if the single function is itself then differentiated into related components. Such treatments then commonly defer to or endorse some favored view,[13] while perhaps alluding to some alternative view in adversary fashion. In pursuit, ultimately futile, of common ground, the discussion below takes up in particular the popular theme of the university as manifesting or somehow committed to overall community and particular communities,[14] to practices of civility,[15] and to genuine conversation.[16] The idea of community, however, inescapably poses as many unresolved questions as answers.

In the context of these varied conceptions of university function, the Article then more concretely addresses apparently intractable debates over, specifically, hostile and hate speech on the contemporary university campus;[17] limits on speech by university faculty on matters of public interest;[18] and cases of controversial speech by university students transitioning to entry into a profession with certification or other relevant requirements.[19] Based on these considerations, a brief Conclusion then follows.[20]

 

II. Diverse and Conflicting Understandings of

Basic University Functions

There is no single canonical formulation of the various basic functions of the contemporary university. If we look, merely to begin with, to the historically prestigious English universities, we find a quite understandable emphasis on an assumed coherence, if not unity, as opposed to unresolved conflict, among university functions and purposes. Thus the University of Cambridge announces that its mission “is to contribute to society through the pursuit of education, learning, and research at the highest international levels of excellence.”[21] The potential for conflict of functions on even this understanding may depend partly upon whether we focus here on the arguably unitary idea of contributing to society, or on the unfortunately complex relations between student learning[22] and faculty research.[23]

Cambridge University then declares itself to hold two core values.[24] These are “freedom of thought and expression,”[25] and “freedom from discrimination.”[26] Together with the above Cambridge Mission Statement, these core values could be unpacked to implicate a number of possible university functions. But there is certainly no effort here by Cambridge to endorse or reject some broadly inclusive explicit typology of basic university functions. And yet, even the most casual reflection raises the possibility of conflict between, for example, Cambridge’s commitments to freedom of expression and to freedom from discrimination in any robust sense.[27]

As an example of a perhaps more consciously plural formulation of university functions, we might consider that of President Amy Gutmann of the University of Pennsylvania.[28] President Gutmann indicates that the “tripartite mission”[29] of the university in general[30] embraces “increasing educational opportunity, optimizing creative understanding, and contributing the fruit of that understanding to society.”[31] This formulation, whether intended to be broadly encompassing or not, does not explicitly identify any possible conflicts among the cited university purposes. It would nonetheless be sensible to recognize that even the reference to “optimizing”[32] creative understanding implicitly grants the reality of at least some sort of resource tradeoff, if not some deeper conflict, between creative understandings and other university functions and purposes.

With a similarly plural focus, Michigan State University President Lou Anna K. Simon asserts that for her institution, “[t]he basic purposes of the University are the advancement, dissemination, and application of knowledge,”[33] with “[t]he most basic condition for the achievement of these purposes [being] freedom of expression and communication.”[34] This commitment is importantly prefaced, though, by defining her university as a “community,”[35] in particular, as a “community of scholars,”[36] explicitly encompassing the university’s students.[37] The complex relationships between preserving various forms of community and freedom of expression are noted separately below.[38]

Another prominent university president, Drew Gilpin Faust of Harvard, refers to a number of possible university functions with obvious potential for mutual conflict. President Faust refers to “economic justifications for universities,”[39] including the university as “a source of economic growth,”[40] as well as to “a market model of university purpose,”[41] as contrasted with “narratives of liberal learning, disinterested scholarship, and social citizenship,”[42] and then further to the university’s role as “society’s critic and conscience.”[43] Whether we take these enumerated university functions to be exhaustive or not, the potential for serious conflict, if not overt antagonism, among these distinct functions seems evident.[44]

Taken in the aggregate, along with complementary discussions below,[45] these various accounts provide some sense of the range of possible basic university functions, with at least a minimal sense of potential conflicts among such functions. Let us elaborate a bit further on the range and disparate nature of typically cited basic university functions, whether endorsed and desired, or merely acknowledged or critiqued, by any given observer.

Classically, Plato drew a distinction between paideia, or culture, and the mere training of a particular capacity, or between perfection of character and the enhancement of power.[46] The cultivation of mind has thus long been seen as a fundamental duty.[47] In founding the University of Virginia, Thomas Jefferson sought “[t]o develop the reasoning faculties of our youth, enlarge their minds, cultivate their morals, and instill in them the precepts of virtue and order.”[48] If such purposes are re-formulated, in contrast, with no explicit moral or character element, the basic educational aim, pursued through acquainting oneself “with the best that has been thought and said in the world”[49] is then judged by Matthew Arnold to be “to get to know [oneself] and the world.”[50]

This general emphasis on the cultivation of the self, in one respect or another, can plainly both support and conflict with a variety of broad social goals. Consider, in this respect, the popular view that a university education should prepare the student to play a role in strengthening the broad democratic political system, through capable and responsible democratic citizenship.

Thus according to President Derek Bok, for example, today’s universities provide not only various sorts of discoveries,[51] and trained, knowledgeable professionals,[52] but the developed capacity to “strengthen our democracy by educating its future leaders; preparing students to be active, knowledgeable citizens; and offering informed critiques of government programs and policies.”[53] A university’s emphasis on social justice could be encompassed hereunder. More concisely, President Robert M. Hutchins argued that “[t]he college . . . meets the needs of society indirectly by making some contribution toward the formation of good citizens.”[54]

Democratic citizenship is thus typically assumed to be not simply a matter of directly supporting the current operations of the established political system. The university may also be thought to serve the purpose of providing critique.[55] Again, this could encompass a university’s social justice mission. On such a view, the university may “serve the public culture by asking questions the public doesn’t want to ask, investigating subjects it cannot or will not investigate, and accommodating voices it fails or refuses to accommodate.”[56]

The university thus need not be seen as invariably endorsing or reinforcing all important aspects of the broader society, even if that society invests in, financially sustains, attempts to guide, and crucially depends upon various aspects of university functioning. The university’s manifold relationships with the broader society’s politics, economy, social justice practices, and culture will inevitably be contested, both on campus, and between the campus and elements of the broader society.

A bit more concretely, writers such as Dean Anthony Kronman have more specifically suggested that among the “non-economic contributions”[57] made by contemporary universities is “the cultivation of habits of respectfulness and tolerance on which responsible citizenship in a democracy depends.”[58] The quality of tolerance is then linked with the potentially distinct virtue of open-mindedness.[59]

Finally, but arguably of greatest importance, one might look for basic university functions, and for elemental conflicts therein, as well in the realm of social and economic production and stratification. The university may to one degree or another reflect a pre-existing status hierarchy,[60] or may help to determine and perhaps legitimize, reproduce, and solidify a status hierarchy.[61] As to any of these university functions, one might again be supportive, indifferent, or critical.[62]

In any event, the contemporary university clearly operates as a linkage, of whatever sort, between future employees, civil servants, and entrepreneurs, and their actual post-university social and economic opportunities, niches, and outcomes.[63] American universities of a century ago accommodated perhaps a mere five percent of the college age population.[64] Today, the figure is closer to 60 percent.[65] These figures suggest the possibility, if not the fulfilment, of a university’s catalyzing the social and economic mobility of groups historically underrepresented within the various professions.[66]

It is certainly possible, though, to support nearly any program of mobility, opportunity, and equality[67] without broadly endorsing contemporary university practices in that regard, let alone judging such practices to be central to the fundamental purposes of the university. Consider in this regard the uncompromising language of philosopher Alasdair MacIntyre:

The aim of a university education is not to fit students for this or that particular profession or career, to equip them with theory that will later on find useful application to this or that form of practice. It is to transform their minds, so that the student becomes a different kind of individual, one able to engage fruitfully in conversation and debate, one who has the capacity for exercising judgment, for bringing insights and arguments from a variety of disciplines to bear on particular complex issues.[68]

Thus there is, as Robert M. Hutchins noted, “a conflict between one aim of the university, the pursuit of truth for its own sake, and another which it professes too, the preparation of men and women for their life work.”[69] Hutchins also contrasts his favored conception of the university as “a center of independent thought”[70] with, respectively, conceptions of the university as “service-station,”[71] “public-entertainment,”[72] and “housing-project.”[73] Each of these latter conceptions exercises some contemporary influence, and thereby exacerbates the functional contradictions of the university.

However we choose to classify the various basic functions and purposes of the university, we are left with potential conflicts and practical contradictions. Consider together the incomplete and overlapping census of basic university functions above: learning and research;[74] anti-discrimination;[75] providing educational opportunities and making societal contributions;[76] advancement of knowledge;[77] freedom of expression and communication;[78] promoting economic growth;[79] disinterested scholarship;[80] serving as societal critic;[81] moral cultivation of the students;[82] professional training;[83] preparation for competent democratic citizenship;[84] reflecting or determining status and opportunity hierarchies or promoting social mobility; [85] and fundamental personal transformation.[86]

The potential for conflict within, as well as among, any such set of university functions is clear enough in general, and almost equally clearly in the more particular area of campus speech. If there were to be any hope of wringing harmony out of conflict, the likeliest possibility would seem to be through emphasizing the concept, briefly alluded to above,[87] of community. But as we shall now see, the idea of community actually contributes more to the intractability of the problems of campus speech than it does to their consensual resolution.

 

III. Community, University Function, and Campus Speech

The linkages between various forms and senses of community and the university are multiple, and in some respects contested. The most basic such linkages may be at the level not precisely of the functions of a university, but of the very definition of a university. Thus it has been variously argued that the university is a community;[88] that it is an aggregate of multiple or diverse communities;[89] that the university aspirationally should be a community, whether that ideal is realized in practice or not;[90] that the experience of university community should be optional;[91] and that the university should promote some form of community in the broader society beyond the campus boundaries.[92] The very idea of community and disputes over the nature of the university thus open the possibility of multi-front conflict, as much as to harmony.

At the level of language itself, the word ‘college’ refers to an association, if not to a genuine community.[93] From the beginning, the university amounted to “an association of masters and scholars leading the common life of learning.”[94]   It is thus natural to think of the traditional, geographically localized,[95] non-cyber university as a community,[96] and perhaps in particular as a community of scholars,[97] however broadly or narrowly defined.[98] Ironically, it is also natural, but distinctly different, to think of community as an aspirational ideal toward which the university ought to strive,[99] or even of the university residential or scholarly community as a model community for emulation on much larger scales.[100]

The potential for conflicting impulses in free speech cases begins to emerge, however, if we believe that the university, whether itself a community or not, encompasses a plurality of communities,[101] perhaps for quite distinct purposes. Even if the various campus communities are somehow “nested,”[102] or perhaps otherwise related, there can be no guarantee of harmony[103] of purposes among the various constituent campus communities.

At the level of the university itself, and of its various constituent communities, meaningful community typically requires “people of like purpose.”[104] The members must share, in the words of John Dewey, “aims, beliefs, aspirations, knowledge — a common understanding.”[105] Thus ‘community’ refers to both a distinct kind of group, and to one or more qualities shared by the group members.[106] In the educational context, there may thus be “a common zeal”[107] for “a common pursuit.”[108]

Absolute and exceptionless commitment to the broader university community, however, may not be desirable,[109] and is in any event not widely in evidence. One element of campus multiculturalism could be described as promoting “safe harbor”[110] communities of various sorts, within, but quite distinct from, a broader campus community. The meaning of ‘safety’ itself may vary as among campus groups. On occasion, the university may seek undue homogeneity in values and in priorities, in the name of furthering the overall campus community. But insufficiently informed universalism can inadvertently depreciate some nested campus cultures.[111] The broader campus community may or may not actually be strengthened, over time, in such cases.

What is clear, in such cases, is the potential conflict between visions of the overarching university community and the self-perceived interests of one or more perhaps mutually quite distinct constituent campus communities. The university community may thus be called upon to acknowledge the differences between a constituent community’s defensive, protective, partial withdrawal from the broader campus community, and the inadvertently or insensitively imposed isolation, burdening, or exclusion of that constituent community.[112]

Crucially, there are inherent contradictions between the broadly encompassing campus community’s functioning as a space for robust and uninhibited expression and debate generally,[113] even on sensitive social issues, and as a space in which responsible consideration and accommodation are broadly exercised on behalf of all members of the campus community,[114] including those distinctly representing diverse societally subordinated communities.

These contradictions among presumably basic university functions help to account for the unresolvability of a substantial number of campus speech problems. Actually, these contradictions, when manifested in campus speech contexts, exemplify an even broader and more fundamental contradiction among basic university functions: the inescapable conflict between the uninhibited pursuit of knowledge and truth, as variously as those notions may currently be envisioned,[115] and the university’s obvious need to somehow act, authoritatively, officially, and uniformly, on the basis of such knowledge and truth, or approximations thereto, as the university currently believes itself to possess.[116]

The university, in a phrase, cannot always defer action in the hope of obtaining a better perspective through yet further pursuit of the truth. And in campus speech contexts, the free pursuit of truth — at least from the perspective of willing speakers and listeners — must inevitably remain distinct[117] from the responsible exercise of that freedom, from the perspective of various other campus community groups and members.[118]

 

IV. Plurality of Basic University Function 

and the Problem of Hostile Speech 

On Campus

Crucially because the university[119] has some more or less familiar if contested set of basic functions, campus speech in general, and hostile, offensive, or injurious speech on campus[120] in particular, pose distinctive issues. In the latter kinds of cases, irreconcilable conflicts among arguably basic university functions largely drive the conflicts in any observer’s preferred case analyses and outcomes.

Consider in particular the problem of on-campus resort to invidious group identity epithets. Even in the broader society, there is at least some impulse to conclude that “such utterances are no essential part of any exposition of ideas, and are of such slight social value as a step to truth that any benefit that may be derived from them is clearly outweighed by the social interest in order and morality.”[121] This impulse would suggest that such epithet speech should not be considered constitutionally protected speech, or perhaps even as speech at all in the sense relevant to constitutional purposes. One might thus conclude that “[r]esort to epithets or personal abuse is not in any sense communication of information or opinion safeguarded by the Constitution. . . .”[122]

Such an approach might have a certain appeal in many contexts. With regard to hostile speech on university campuses in particular, it would not be difficult to link the Chaplinsky logic quoted above to one or more of the commonly cited basic university functions and purposes. It has thus been argued that the university prepares its students for tolerant, responsible democratic citizenship, and on some theories, even seeks to build character in certain respects, while embodying or at least striving for meaningful and mutually respectful community.[123] On such views, hostile epithet speech on campus seems contrary to basic university function and purpose.

Undeniably, though, there are other conceptions of basic university function that may fail to meaningfully address, or may reluctantly tolerate at the level of formal legal sanction, some instances of distinctly and overtly hostile speech on campus. Thus the university as bastion of free thought, free expression, the exploration of ideas, and of free communication, at least for some speakers and listeners;[124] the university as poser and prober of socially uncomfortable questions;[125] and the university as generator, reflector, reinforcer, and replicator of status hierarchies[126] could all be brought to bear on the side of the legal toleration of hostile speech on campus.

These stark oppositions among arguably basic university purposes of course require some refinement. No single basic university function is monolithic and utterly unequivocal on all reasonable interpretations. Some basic university functions can be internally contradictory in their implications for campus speech. Thus one might well argue that some instances of hostile campus speech can suppress, rather than encourage, speech, including any possible “counter-speech,” by the targets of such speech.[127]

Thus there are conflicts within each purported basic university function, as well as among those basic functions. Crucially, though, it is unlikely that in all instances of potential conflict among basic university functions, the conflicts internal to each such function will be aligned, like the cylinders of a combination lock, so as to generate some unique and largely uncontroversial outcome at the level of basic university purpose. Realistically, the prominent basic university purposes, however granulated or refined, individually and collectively will typically point in opposing directions on questions of hostile speech, and on questions of campus speech more broadly.

Nor is the interaction between jurisprudential free speech doctrine and basic university functions likely to point toward an unequivocal solution. Consider the language ultimately adopted in the classic hostile speech case of Chaplinsky v. New Hampshire.[128] Chaplinsky declares to be constitutionally unprotected what it calls “insulting or ‘fighting’ words — those which by their very utterance inflict injury or tend to incite an immediate breach of the peace.”[129] The crucial problem with Chaplinsky is not one of systematic underprotectiveness of speech, but of undue and unfortunate indeterminacy of judicial outcome, in light of the basic university functions.

Many members of the university community sense that not all verbal insults should be legally or administratively treated in similar ways. Some insults may reflect not so much any social or political point, as some displaced autobiographical personal resentment.[130] More importantly, the most reasonable legal, administrative, and moral responses to insults often depend upon prior interactions, if any, between the relevant parties; their relationships; and any relevant differences in statuses and power relationships. Asymmetries of power often translate into asymmetries in the harms of insulting or abusive language, including epithets.[131] And the most significant harms of some insulting speech may be either collective; as distinct from individualized,[132] or cumulative and aggregative, rather than being confined to the particular incident in question.[133]

Thus while it is important to recognize that seriously intended insults may well not be intended as contributions to a dialogue, or to any ongoing conversation or exchange of ideas,[134] not all genuinely insulting language has the same sorts of effects. Consider, for example, a few of the calculated insults directed at Richard, Duke of Gloucester by women nobility in Shakespeare’s play: “Blush, blush, thou lump of foul deformity;”[135] “Never hung poison on a fouler toad;”[136] “Villain, thou know’st nor law of God nor man.”[137] Should even such unsparing insults, directed at a remarkably unscrupulous would-be king, be judged the cultural equivalent of invidious and directly targeted epithet speech, aimed at any of various identity groups, on a contemporary campus?[138]

The Chaplinsky case itself does not much reflect upon any relevant differences among the class of insulting words that by their very utterance inflict one sort of injury, or another.[139] Nor is the more frequently litigated Chaplinsky second prong or “fighting words” itself of determinate scope. The idea of words likely, under the circumstances, to immediately provoke an average — as distinct from a ‘reasonable’ — addressee to physically fight is locally historically conditioned, culture-bound, and certainly far from neutral among cultures.[140]

The Chaplinsky Court’s own attempt to provide guidance regarding this second prong holds that “[t]he test is what men[141] of common intelligence would understand would be words likely to cause an average addressee to fight.”[142] What amounts to an unprotected fighting word is thus not left entirely to the person making the decision, in the moment, to fight or not to fight.[143] The courts are instead to focus on the likely reaction of an “average addressee.”[144]

In university campus cases, the Chaplinsky question thus requires attention to any relevant attributes of what is somehow thought to be an average student. The victim of fighting words in a given case may in reality have been targeted precisely as a member of, say, a particular ethnic, racial, religious, or sexual minority. Is it clear, though, that an average member of the campus community is a member of, or sufficiently understands and identifies with, the relevant ethnic, racial, religious, or sexual minority?

A typical student who does not genuinely identify with any of the characteristics or beliefs at issue in a given instance of possible fighting words will be unlikely to react by physically fighting. The category of fighting words would then reflect the characteristics, values, and beliefs of the dominant groups on campus, as distinct from those of less represented groups. Redressing such a judicial injustice[145] would, however, presumably take us back some distance from Chaplinsky toward a focus on instead taking the victim of fighting words as we find her,[146] with her relevant characteristics.

By itself, then, Chaplinsky offers no stable solution to what should count as fighting words, or as unprotected language, in campus incidents. On both the inflicted injury prong and on the likely-to-fight prong, Chaplinsky invites, but does not meaningfully specify, a choice as to how to conceive of the speech target or victim. At the extremes, we might think of the victim as nearly an abstract, bodiless, cultureless universal, and thus as unlikely to physically fight, whatever sense of justice we ascribe to such an entity. Or we might instead take the victim much more as we find her, including her sensitivities, but perhaps without what the rest of us somehow take to be any inappropriate hypersensitivities on her part.[147] As to where, in between such extremes,[148] campus authorities and others should focus their attention, the Chaplinsky test is silent.

The problem of hostile speech on campus is further complicated by doubts as to the relevance, in some such cases, of the university function of free and uninhibited discussion of issues and “learning through open debate and study.”[149] In cases of campus hate speech, some persons may judge the best response to be one of “more speech,”[150] or counter-speech, as though such incidents were an implicit invitation to discussion, dialogue, and debate. But if at least some instances of campus hate speech are, and are intended to be, largely assaultive speech, or akin to the tort of battery committed through the medium of words,[151] the idea of counterspeech may be not only unresponsive, but itself undignified.[152]

Some campus authorities may believe more broadly that the most effective overall response to hate speech involves generally exposing prejudice and fallacy through open debate,[153] and even that an official disciplinary response may be “infantilizing and disempowering”[154] to the targeted victims. This is partly an empirical, but as well partly a normative, debate. Such debates cannot be resolved until the relevant university functions have been settled upon and interpreted at a sufficiently specific level. As we have seen, universities in general seem far from any such settlement.

 

V. Plurality of Basic University Function 

and the Problem of Professorial Speech 

On Matters of Public Concern

For public employees in general, the scope of free speech protection from adverse action by one’s public employer is largely derived from the Supreme Court case of Garcetti v. Ceballos.[155] In such cases, Garcetti requires that for free speech protection to attach, the public employee speech must have been on a subject of public interest and concern; the employee’s interest as a citizen in thus speaking must outweigh the government employer’s relevant interests in workplace order, efficiency, discipline, confidentiality, and morale; and crucially that the speech in question not have occurred within and pursuant to the scope of the public employee’s actual job responsibilities.[156]

The possibility of the disciplinary sanctioning of public university professorial speech, whatever the motive or political context, assuming merely that the speech took place in the course of professional job responsibilities, perhaps reflecting the speaker’s distinct academic expertise, prompted an expression of concern on the part of Justice Souter.[157]

The majority in Garcetti, however, merely set aside such academic freedom concerns without prejudice. The majority thus acknowledged that [t]here is some argument that expression related to academic scholarship or classroom instruction implicates additional constitutional interests that are not fully accounted for by this Court’s customary employee-speech jurisprudence. We need not, and for that reason do not, decide whether the analysis we conduct today would apply in the same manner to a case involving speech related to scholarship or teaching.[158]

In the absence of Supreme Court guidance in this area, the courts and commentators have been divided on whether to extend professorial speech rights beyond those of non-academic public employees.[159] In particular, the Seventh Circuit[160] may currently be less open to thus extending professorial speech rights based on academic freedom considerations than are the Fourth[161] and Ninth Circuits.[162]

The most crucial reason for disagreements over the proper scope of any distinctive protection for academic speech draws upon inevitable conflicts among purported basic purposes or functions of the university. Of course, one’s general assessment of the functions of an institution does not by itself decide concrete cases.[163] But diverging conceptions of the basic functions of the university will inevitably be crucial to our contested notions of individual, as well as institutional, academic freedom.[164]

There may well be occasions on which even some single, agreed upon basic university function itself points in opposing directions.[165] But the broader and more typical conflicts will involve contradictions between and among the several purported basic university functions. In particular, whether we think that the above Garcetti test, without further constitutional level modification,[166] should be applied broadly to public university professorial speech in the realms of teaching and scholarship will ultimately reflect what we think about university functions, and their prioritizing.

Thus we will tend to resist extending a constitutionally unmodified Garcetti rule into public university academic speech if we choose to think of university function in terms of individual, if not institutional, free thought and expression;[167] the advancement and dissemination, internally or externally, of knowledge;[168] disinterested scholarship;[169] or of the university as a center for independent thought, by individuals if not at the institutional level,[170] at least if the speech at issue is not otherwise inconsistent with other acknowledged university missions.

But these considerations clearly do not exhaust the widely recognized and endorsed basic functions of a university, public or private. We will tend to favor something like a Garcetti rule, all else equal, in academic speech cases if we instead choose to think of university functions in institutional or hierarchy-governed terms, whether the governing hierarchy is internal, in the form of a university administration, or external, as in the form of corporate stakeholders, a board of trustees, a legislature, or other elected officials. For those who choose to prioritize the university’s economic production or market sorting and signaling functions;[171] or training professionals to accommodate and enter into markets;[172] or generally re-inscribing existing social hierarchies, the individual speech-restrictive Garcetti rule may be unobjectionable, or a matter of indifference.[173] Visions of the university as an ultimately hierarchical community, or set of such communities,[174] also seem better attuned to something like an unmodified Garcetti rule, even at some cost in purely individual academic expression.

We should thus expect a consensus on the proper role of relatively restrictive Garcetti-like rules for professorial speech only when we reach a corresponding consensus, not presently envisionable, on the putative basic functions of the university.

 

VI. Plurality of Basic University Function and 

The Speech of Students Transitioning to Professions

To what extent should universities censure speech and beliefs of students formally aspiring to a particular profession, where such speech or beliefs if held by a practitioner would be formally deemed unprofessional by the major official oversight body of that profession? This broad and increasingly important[175] question has arisen in several recent cases, including the exemplary Tatro v. University of Minnesota.[176]

Tatro involved the imposition of university discipline on a professional program student for her personal Facebook posts, allegedly in violation of university curricular program rules requiring discretion and confidentiality, and reflecting both official professional ethical standards formally binding on practitioners, and program accreditation standards binding on the university.[177]   On the record, the court in Tatro held the university program rules to be sufficiently well-established, non-pretextual, and sufficiently narrowly tailored to the appropriately weighty interests at stake.[178]

In this general run of cases, the judicial results have been mixed.[179] A distinction between straightforwardly applying a legitimate university professional program rule, and penalizing officially disfavored student speech,[180] may or may not always be dispositive, or even readily drawn. Any free speech analysis of such cases must also recognize the irony that in this context, university students, and graduate or professional school students in particular, may be subject to speech restrictions not imposed upon elementary or high school students.[181]

A functionalist approach would suggest that campus speech restrictions imposed upon mature graduate students but not on sixteen year old high school students may well be accommodating differences in the basic functions of high schools[182] and of universities. But as we would by now expect, conflicting judgments as to university student speech in tension with professional program standards most deeply reflect conflicting visions and priorities among basic university functions. Consider, by way of illustration, language from the recent Ninth Circuit Oyama case:

The importance of academic freedom at a public university does not disappear when one walks down the hall from a political philosophy seminar to a professional certification program. . . . Indeed, the progress of our professions . . . may depend upon the “discord and dissent” of students training to enter them: it is by challenging the inherited wisdom of their respective fields that the next generation of professionals may develop solutions to the problems that vexed their predecessors.[183]

On the other hand, we would also strongly sympathize with a school that refused to professionally certify a medical student who consistently and carefully denied, in curricular or non-curricular speech, any causal relation between any prescription drugs, or surgery, and patient health.[184]

Whatever the outcome in any case not based sheerly on arbitrary dislike of the student’s viewpoint, conflicting understandings of basic university functions will underlie any debate on the merits of that case. Cases involving the speech of students transitioning into professions will often involve a conflict, classically noted by Robert M. Hutchins, “between . . . the pursuit of truth for its own sake, and . . . the preparation of men and women for their life work.”[185] And in any case in which the transitioning professional would arguably deny equal treatment to prospective clients, there is also a conflict between, for example, the University of Cambridge’s two most fundamental values: “freedom of thought and expression,”[186] on the one hand, and “freedom from discrimination,”[187] as practiced by or received from certified graduates, on the other.

More broadly, the transitioning professional cases evoke the university functions of free expression and communication;[188] the university as the locus of individual-level critique of society and culture;[189] and the asking, again at an individualized level, of questions with which the broader culture may be uncomfortable.[190] These considerations will generally tend to favor the dissenting student speaker’s case.

But no less, the transitioning professional speech cases will also inevitably evoke a sense of the university’s responsibilities to its various external constituencies, including taxpayers and consumers of vital, licensed services provided by its graduates.[191] The university as provider of trained, knowledgeable, responsible professionals[192] arguably fails in that respect to the extent that it knowingly certifies licensed professionals who would betray basic norms binding on vital service providers and reasonably anticipated by consumers.[193] Basic function-level conflicts are again inevitable.

 

VII. Conclusion

This survey of the major presumed functions of the university, generally and as reflected in several particular campus speech contexts, explains at a fundamental level the irresolvability of typical campus speech issues. Such issues will be irresolvable to the extent that they reflect persisting conflicts of vision as to the basic functions of the university.

It is certainly possible to think of the university, and speech therein, in terms that make no direct and explicit reference to any university function. One could, for example, adopt a sophisticated utilitarian approach to the scope and limits of speech on campus. Or one could think in terms of human flourishing, and of relevant virtues and vices, in the context of campus speech. Inevitably, though, such approaches must at some level address, incorporate, and crucially depend upon some account of the basic university functions inventoried above. No sensible approach to campus speech can bypass the relevant ongoing practical contradictions among such functions.   Thus as long as visions of the basic university functions remain locked in crucial practical contradiction, the broad problem of the proper scope and limits of campus speech must remain unresolved.

---

 

* Lawrence A. Jegen Professor of Law, Indiana University Robert H. McKinney School of Law.

[1] Thus the presence or absence of state action and the applicability of the first and fourteenth amendments of the federal Constitution are not of central concern herein. We also do not especially emphasize below the obvious differences among universities in size, geography, prestige, endowment, religious orientation, selectivity, co-educational status, and identity as an historically black college or university.

[2] The loosely functional approach adopted herein encompasses what are called manifest and latent functions, and is intended to be compatible with institutional critique of the university, of any depth and direction. For general inspiration, see the classic formulation in Robert K. Merton, Social Theory and Social Structure ch. III (rev. ed. 1968) (elaborating in particular on

the distinction between manifest and latent institutional functions). See also Melvin Tumin, The Functionalist Approach to Social Problems, 12 Social Probs. 379 (1965); Whitney Pope, Durkheim as a Functionalist, 16 Sociological Q. 361 (1975). For a critique, see Paul Helm, Manifest and Latent Functions, 21 Phil. Q. 51 (1971). We make no assumptions as to any broader merits or limits of sociological functionalism in general.

[3] See the authorities cited supra note 2. Most of the major potential functions of the university will have conscious defenders, but we should hold open the possibility that a particular function of a university could play a role in university speech policy even in the absence of much conscious reflection on that function.

[4] See id.

[5] Thus university functions can be mostly internal or even intrinsic, or else mostly external in their reference.

[6] It may be possible to sensibly decide some university speech cases on grounds entirely independent of any putative major function or purpose of a university, and such function-independent grounds may well supplement a functionalist approach to some university speech cases. But we should not expect considerations foreign to any purported function of the university to usefully guide the apt resolution of typical university speech cases. Concisely put, considerations extrinsic to university functions will rarely be of primary importance in adjudicating university speech cases. For the role of functionalism or purposivism in free speech law, see the references cited infra note 25.

[7] See infra Sections II–IIII.

[8] A university whose operation is genuinely dominated by the pursuit of some single coherent basic function or goal could still experience some degree of dissensus on basic free speech issues. But in such hypothetical circumstances, we should expect the scope and frequency, if not the emotional intensity, of free speech conflicts to be meaningfully reduced.

[9] Competing visions of university functions may be irreconcilable, for reasons of sustained conflicts in economic and other material group interest, cultural conflicts, conflicting visions of the good or just society, and conflicts among values. Such value conflicts could involve not only freedom of speech in general, but dignity, equality, opportunity, well-being, material and cultural progress, civility, community, knowledge, and harmony, as well as conflicts internal to the value of free speech itself. Such conflicts may well contribute to the actual shape of conflicting views of the proper functions of a university. It is also possible that a sense of the proper functions of a university might affect our views on how to adjudicate among these various conflicts of interests and values.

[10] See infra Sections II-III.

[11] See infra Sections II. Loosely relatedly, Professor Steven Brint has referred to multiple purposes or dimensions of college student development: “social, personal, academic, civic, and economic.” Steven Brint, The Multiple Purposes of an Undergraduate Education, available at www.cshe.berkeley.edu/publications/research-university (October, 2015) (visited February 21, 2016).

[12] See infra Sections II-III.

[13] See id.

[14] See infra Section III.

[15] See id.

[16] See id.

[17] See infra Section IV.

[18] See infra Section V.

[19] See infra Section VI.

[20] See infra Section VII.

[21] The University’s Mission and Core Values, available at www.cam.ac.uk/about-the-university/how-the-university-and-colleges-work (visited January 3, 2016).

[22] One would hope that the compatibility of, at a minimum, education and learning could be taken for granted.

[23] At the very least, even this formula implicates the traditionally debated relationship – perhaps mutually supportive, or conflicting — between classroom teaching and professorial research. For a start, note the unabashed emphasis on research, as distinct from teaching, in Robert Maynard Hutchins, The Spirit of the University of Chicago, 1 J. Higher Educ. 5, 5 (1930), and the emphasis on teaching in John Henry Newman, The Idea of a University 1 (Aeterna Press ed., 2015) (1852).

[24] See The University’s Mission and Core Values, supra note 21.

[25] Id. For recent descriptions of the basic functions and purposes of freedom of expression in general, see Alexander Tsesis, Free Speech Constitutionalism, 2015 U. Ill. L. Rev. 1015 (2015); Brian C. Murchison, Speech and the Truth-Seeking Value, 39 Colum. J.L. & Arts 55 (2015). Classically, see John Stuart Mill, On Liberty and Other Essays ch. II (John Gray ed., 1991) (1859) (“On the Liberty of Thought and Discussion”). For a brief popular exposition, see Steven Pinker, Why Free Speech Is Fundamental, available at www.bostonglobe.com/opinion/2015/01/26 (visited January 25, 2016).

In general, functionalist approaches to freedom of speech often refer to values such as the pursuit of truth, democratic self-governance, and the promotion of autonomy. As a practical matter, though, the appropriate role of each of these and other functionalist approaches to freedom of speech is persistently contested. For a sampling of mutually incompatible perspectives on the pursuit of truth as a function of free speech, see C. Edwin Baker, Scope of the First Amendment Freedom of Speech, 27 UCLA L. Rev. 964, 964-66 (1978); Stanley Ingber, The Markeplace of Ideas: A Legitimizing Myth, 1984 Duke L.J. 1; Steven D. Smith, Skepticism, Tolerance, and Truth in The Theory of Free Expression, 60 S. Cal. L. Rev. 696 (1987); Eugene Volokh, In Defense of the Marketplace of Ideas/Search for Truth as a Theory of Free Speech Protection, 97 Va. L. Rev. 595 (2011). For conflicting contemporary views on the relationship between free speech and promoting democracy, see Ashutosh Bhagwat, Free Speech Without Democracy, 49 U. Cal. Davis L. Rev. 59 (2015); James Weinstein, Participatory Democracy as the Central Value of American Free Speech Doctrine, 97 Va. L. Rev. 491 (2011). For hate speech on campus as arguably tending to impair the autonomy, in the relevant sense, of its targets, at least as much as it may genuinely promote the autonomy of its speakers, see R. George Wright, Traces of Violence: Gadamer, Habermas, and the Hate Speech Problem, 76 Chi.-Kent L. Rev. 991 (2000).

[26] The University’s Mission and Core Values, supra note 21.

[27] See infra Sections III, IV, and VI. By way of comparison, the University of Oxford Strategic Plan 2013-18 comprises numerous elements, with no apparent attempt to distinguish those elements that might amount to basic university functions or purposes. See www.ox.ac.uk/about/organisation/strategic-plan (visited January 3, 3016).

[28] Amy Gutmann, The Fundamental Worth of Higher Education, 158 Proceedings Am. Phil. Society 136 (2014), available at www.upenn.edu/president/images/president/pdfs (2012) (visited January 3, 2016).

[29] Id. at 137.

[30] See id.

[31] Id.

[32] Id. President Gutmann explicitly notes the possibility of conflicts, in educating for democratic citizenship, between the values of individuality or autonomy and social diversity. See Amy Gutmann, Civic Education and Social Diversity, 105 Ethics 557 (1995). More broadly, see Amy Gutmann, Democratic Education chs. 6-7 (rev. ed., 1999); Nel Noddings, Education and Democracy in the 21^st Century ch. 10 (2013).

[33] Lou Anna K. Simon, President’s Statement on Free Speech Rights and Responsibilities 1, available at http://president.msu.edu/communications/statements/free-speech.html (visited January 3, 2016). See also Stanley Fish, Versions of Academic Freedom: From Professionalism to Revolution 132 (2014) (“[t]he values of advancing knowledge and discovering truth are not extrinsic to academic activity; they constitute it”).

[34] See Simon, supra note 33.

[35] Id.

[36] Id.

[37] See id. See also the attempt by John W. Boyer of the University of Chicago to respectively or jointly prioritize “critical thinking, writing, and argumentation;” a “capacity for bold, self-confident questions,” and “civility and respect for intellectual divergence.” At a minimum, there can be no guarantee of compatibility between what one person or group takes to be bold, critical argumentation, and another person or group takes to be incivility. See John W. Boyer, An Introduction to the Annual Lecture on the Aims of Education (2016), available at http://aims.uchicago.edu/page/history (visited February 21, 2016). For a recent discussion of possible conflicts between the university as a bazaar of perhaps heterodox competing ideas and associated offensiveness, distress, rudeness, and any resulting cacophony, see Doe v. Rector and Visitors of George Mason Univ., ____ F. Supp. 3d _____ (E.D. Va. 2016), slip op. at 34 (quoting Kim v. Coppin State Coll., 662 F.2d 1055, 1064 (4^th Cir. 1981)).

[38] See infra Section III.

[39] Drew Gilpin Faust, The University’s Crisis of Purpose, available at www.nytimes.com/2009/09/06/books/review/Faust (visited January 3, 2016).

[40] Id. at 3.

[41] Id.

[42] Id.

[43] Id. President Faust is at this point drawing upon the work of former Dean George Fallis of York University in Toronto.

[44] President Faust also recognizes the essential conflict between the university’s disinterested pursuit of knowledge for its own sake, however this idea might be clarified, and providing various sorts of material, immediate benefits to the society. See id. at 1.

[45] See, e.g., the institutionally-focused suggestion by Professor Gordon Graham that universities should promote the university’s transcendence of pure vocationalism; of pure utilitarianism in research; and of financial and legal dependence upon the state, or more positively phrased, the value of university autonomy. See Gordon Graham, Universities: The Recovery of an Idea 5-6 (2d ed. 2008), and at the individual level, the typology offered by Professor Harry Brighouse of the aims to which the well-educated student should aspire: “personal autonomy; the ability to contribute to social and economic life broadly understood; personal flourishing; democratic competence; and the capacity for cooperation.” Harry Brighouse, Moral and Political Aims of Education, in The Oxford Handbook of Philosophy of Education 35, 37 (Harvey Siegel, ed.) (2009) (available online at www.oxfordhandbooks.com). At this point, note merely the classic potential for tragic conflict between the goals of personal autonomy and of genuine group or institutional flourishing.

Crucially, though, even if the basic functions of the university are to some degree inseparable and mutually interdependent, this hardly precludes their mutual conflict. For a strong claim of mutual interdependence among basic university functions, see the argument of Karl Jaspers, The Idea of the University (H.A.T. Reiche & H.F. Vanderschmidt, trans.) (Beacon Press ed., 1959) (1946) (citing, as the three basic functions of the university, “professional training, education of the whole man, research,” with the university thus serving as, indissolubly, “a professional school, a cultural center, and a research institute”).

[46] See 2 Werner Jaeger, Paideia: The Ideals of Greek Culture 133-34 (Gilbert Highet trans., 1986) (1943).

[47] See Immanuel Kant, Education § 12, at 11 (A. Churton trans., 1900) (1960 ed.) (1803) (“[m]an’s duty is to improve himself; to cultivate his mind”).

[48] Thomas Jefferson, Report of the Commissioners for the University of Virginia, in Writings 457, 460 (Merrill D. Peterson ed., 1984) (1818). See also John Locke, Some Thoughts Concerning Education § 134, at 104-05 (2000) (1698) (on education for “Virtue, Wisdom, Breeding, and Learning”).

[49] Matthew Arnold, Thoughts On Education 243 (Leonard Huxley ed., 1912). The broad knowledge acquisition function is of broader ideological interest. See V.I. Lenin, The Tasks of the Youth Leagues, in The Lenin Anthology 663 (Robert C. Tucker ed., 1975) (“assimilating the wealth of knowledge amassed by mankind” as essential to being a Communist).

[50] Arnold, supra note 49, at 243. Similarly, if naively, Goethe’s Faustian student reports to Mephistopheles that “I should like to be erudite; and from the earth to heaven’s height know every law and every action. . . .” Johann Wolfgang von Goethe, Faust (part I) 197 (Walter Kaufman trans.) (1990 ed.) (1808). More recently, Professor Daniel Bell echoes Matthew Arnold in declaring that the university can serve to “liberate young people by making them aware of the forces that impel them from within and constrict them from without.” Daniel Bell, Reforming General Education, available at www.college.columbia.edu/core/sites/core/files/Bell (February 28, 1966) (visited January 5, 2016). On such theories, the image of the “committed faculty member” interacting with “an engaged student,” as classically in “Mark Hopkins on one end of a log and a student on the other,” can arise. Michael S. McPherson & Morton Owen Schapiro, Mark Hopkins and the Log-On 10, 10, available at www.educause.edu/pub/er/erm.html (May/June 2002) (visited January 5, 2016).

[51] See Derek Bok, Higher Education in America 1 (rev. ed., 2015).

[52] See id.

[53] Id. See also Richard Arum & Josipa Roksa, Academically Adrift: Limited Learning on College Campuses 31 (2011) (“[r]egardless of economic competitiveness, the future of the democratic society depends upon educating a generation of young adults who can think critically, reason deeply, and communicate effectively”).

[54] Robert M. Hutchins, The College and the Needs of Society, 3 J. Gen. Educ. 175, 181 (1949). See also id. at 179 (on the university function of encouraging thoughtful citizenship).

[55] See Bok, supra note 51 at 1. There may, however, turn out to be a sort of long-term contradiction between promoting the value of democracy, even on pragmatic grounds, and academically popular skeptical approaches to metaethics, freedom and autonomy, the dignity of the person, and materialism.

[56] Louis Menand, The Marketplace of Ideas 158 (2010). More elaborately, but outside the formal academic setting, see Plato, Apology, in Five Dialogues 21, 34 (John M. Cooper, trans.) (2d ed., 2002) (~399 BCE) (“gadfly” metaphor). Within official academia, see Report of the Committee on Freedom of Expression at Yale (Woodward Report) (December 23, 1974), available at http://yalecollege.yale.edu/faculty-staff/faculty/policies-reports (visited January 15, 2016) (re the right to “challenge the unchallengeable”).

[57] Anthony T. Kronman, Education’s End: Why Our Colleges and Universities Have Given Up on the Meaning of Life 38 (2007). See also Stefan Collini, What Are Universities For? 87 (2012) (beyond today’s “semi-marketized, employment-oriented institutions, there remains a strong popular desire that they should, at their best, incarnate a set of ‘aspirations and ideals’ that go beyond any form of economic return”).

[58] Kronman, supra note 57, at 38.

[59] Id. See also Andrew Delbanco, College: What It Was, Is, and Should Be 3 (2011 ed.) (arguing that colleges should promote, among other personal qualities of mind, “[a] willingness to imagine experience from perspectives other than one’s own”) (to which one might add the underlying capacity to do so, with some degree of fidelity).

[60] See, e.g., Daniel Bell, About the Reforming of General Education, 37 Am. Scholar 401, 401 (1968). See also Antonio Gramsci, Selections From the Prison Notebooks 26 (Quintin Hoare & Geoffrey Nowell Smith, trans.) (1971 ed.) (~1930).

[61] See Bell, supra note 60, at 401. For brief discussion in a much broader educational context, see Antonio Gramsci, The Antonio Gramsci Reader chs. II, X (David Forgacs ed., 1988).

[62] See, e.g., Bell, supra note 60, at 401.

[63] Henry Giroux argues that “the university is gradually being transformed into a training ground for the corporate workforce.” Henry A. Giroux, On Critical Pedagogy 112 (2012 ed.). See also Peter J. Stokes, Higher Education and Employability: New Models For Integrating Study and Work (2015). Debates as to how universities perform this function, and their efficiency in doing so, are secondary to whether or the degree to which the universities should serve such a function. For a critique, see Joseph Arum & Josipa Roksa, Aspiring Adults Adrift (2014).

[64] See Faust, supra note 39, at 2.

[65] See id. Earlier, Clark Kerr had noted the “transition from elite to mass access to universal access higher education,” however incomplete or contested the transition. Clark Kerr, Higher Education: Paradise Lost?, 7 Higher Educ. 261, 266 (1978). See also Collini, supra note 57, at 41.

[66] See, e.g., Collini, supra note 57, at 92 (2012). On some scale, such a function has of course long been undertaken by historically black college and universities. For background, see the contributions to Historically Black College and Universities (Charles L. Betsy, ed.) (2008).

[67] For an inventory of fundamental approaches to the idea of distributional equality, see R. George Wright, Equal Protection and the Idea of Equality, 34 L. & Inequality ____ (2016).

[68] Alasdair MacIntyre, God, Philosophy, Universities 147 (2009) (at this point largely endorsing the perspective of John Henry Newman). One could certainly argue that these are among the qualities that promote long-term success in business and the professions. If the Newman-MacIntyre approach is pressed to an extreme, it becomes transformed into the claim that “the distinguishing mark of universities, as opposed to other institutions of further and higher education, is their concern with knowledge and the pursuit of learning for their own sake, not for the sake of some external practical end.” Graham, supra note 45, at 28 (discussing, rather than unequivocally endorsing, such a view).

[69] Robert Maynard Hutchins, The Higher Learning in America 33 (2009 ed.) (1936). Roughly this conflict was earlier articulated by Thorstein Veblen. See Thorstein Veblen, The Higher Learning in America 68 (Richard F. Teichgraber ed., 2015) (1918) (noting the conflict between “the needs of the higher learning and the demands of business enterprises”). See also Christopher Dawson, The Crisis of Western Education 149 (2010 ed.) (1961) (the modern technological order as requiring that university-level and general education be coordinated with the needs of business and industry).

[70] Robert M. Hutchins, The Freedom of the University, 61 Ethics 95, 104 (1951).

[71] Id.

[72] Id.

[73] Id. The expansion of these latter functions is ascribed by Hutchins to the need, or the temptation, “to get money.” Id.

[74] See supra note 21 and accompanying text.

[75] See supra note 26 and accompanying text.

[76] See supra note 31 and accompanying text.

[77] See supra note 33 and accompanying text.

[78] See supra note 34 and accompanying text.

[79] See supra note 40 and accompanying text.

[80] See supra note 42 and accompanying text.

[81] See supra note 43 and accompanying text.

[82] See supra note 48 and accompanying text.

[83] See supra note 52 and accompanying text.

[84] See supra note 53 and accompanying text.

[85] See supra notes 60-61 and accompanying text.

[86] See supra notes 66-68 and accompanying text.

[87] See supra text accompanying notes 35-37. For a sense of a possible conjunction of the general pursuit of knowledge with an individually or collectively experienced imaginative zest and excitement therein, see Alfred North Whitehead, Universities and Their Function (1927), available at http://la.utexas.edu/users/hcleaver/33OT (visited February 21, 2016).

[88] See infra notes 93-98 and accompanying text.

[89] See infra note 101 and accompanying text.

[90] See infra note 99 and accompanying text.

[91] See infra notes 109, 112 and accompanying text.

[92] See infra note 100 and accompanying text.

[93] See Robert S. Rait, Life in the Medieval University 5 (Forgotten Books ed., 2015) (Cambridge Univ. Press ed., 1918) (1912). The classic distinction between a mere association and a genuine community is elaborated in Ferdinand Tonnies, Community and Society [Gemeinschaft und Gesellschaft] 226-32 (Charles P. Loomis trans.) (Dover ed., 2002) (1887). Very roughly, this distinction gestures at differences between family and small village life on the one hand and city life on the other. See id. For some relevant contemporary developments, see Marc J. Dunkelman, The Vanishing Neighbor: The Transformation of American Community (2014); Robert D. Putnam, Bowling Alone: The Collapse and Revival of American Community (2000).

[94] Charles Homer Haskins, The Rise of Universities 24 (1965 ed.) (1923). See also Clark Kerr, The Uses of the University 1 (1964) (“[t]he university started as a single community — a community of masters and students”); Jacques Barzun, The American University 244 (2d ed. 1993) (1968).

[95] Thus one might decline to think of, say, the University of California system, or the California State University system, as a whole, as genuine communities. See Daniel Bell, About The Reforming of General Education, 37 Am. Scholar 401, 403 (1968).

[96] See, e.g., Ellen Condliffe Lagemann & Harry Lewis, Renewing the Civic Mission of American Higher Education, in What Is College For?: The Public Purpose of Higher Education 9, 11 (Ellen Condliffe Lagemann & Harry Lewis eds., 2012) (“[c]ollege are communities”). See also Healy v. James, 408 U.S. 169, 171 (1972) (referring to “the academic community” in the context of potential tradeoffs among free expression and campus orderliness and non-disruption).

[97] See, e.g., Michael Oakeshott, The Idea of a University, available at www.cse.cuhk.edu.hk/irwin.king 23, 24 (originally published 1950) (“a university . . . is a corporate body of scholars, each devoted to a particular branch of learning: what is characteristic is the pursuit of learning as a co-operative enterprise. . . . A university . . . is a home of learning”) (emphasis added); Simon, supra note 33, at 1 (“Michigan State University is a community of scholars whose members include its faculty, staff, students, and administrators”).

[98] See Simon, supra note 33, at 1.

[99] See Robert Paul Wolff, The Ideal of the University 127 (1969) (“[t]he ideal university . . . is a community of learning”) (emphasis in the original). Professor Wolff elaborates: “a university ought to be a community of persons united by collective understandings, by common and communal goals, by bonds of reciprocal obligation, and by a flow of sentiment which makes the preservation of the community an object of desire, not merely a matter of prudence or a command of duty”).

[100] Howard Gardner, Discussion, in William G. Bowen, Higher Education in the Digital Age 97, 100 (2014 ed.). For the importance of community in the broader societal context, see Robert A. Nisbet, The Quest For Community 30 (1973 ed.) (1953).

[101] See Kerr, supra note 94, at 1 (“[t]oday the large American university is . . . a whole series of communities and activities”). See also the distinct sense in which each classroom, or more literally each particular class, is or can be itself a genuine community, as outlined in bell hooks, Teaching to Transgress: Education as the Practice of Freedom 8 (1994).

[102] This term is adapted from John D. Inazu, Virtual Assembly, 98 Cornell L. Rev. 1093, 1096 (2013).

[103] Consider, by possible contrast, the community constituted by the well-functioning symphony orchestra, as briefly elaborated in Ronald Dworkin, Liberal Community, 77 Cal. L. Rev. 479, 493 (1989).

[104] Barzun, supra note 94, at 244.

[105] John Dewey, Democracy and Education 4 (Dover ed., 2004) (1916).

[106] See Robert Paul Wolff, The Poverty of Liberalism 163 (1968).

[107] R.S. Peters, Ethics and Education 58 (1966).

[108] Id.

[109] See Jaroslav Pelikan, The Idea of the University: A Re-Examination 65 (1992) (“[i]t is not an inconsistency to insist that the healthiest community . . . is one in which scholars are not obliged to be in the community incessantly, and therefore that one of the functions of the community of scholars is to protect the right and need of the scholars in the community to be by themselves”) (or, presumably, within some sub-community).

[110] See Jim Sidanius, et al., Ethnic Enclaves and the Dynamics of Social Identity on the College Campus: The Good, the Bad, and the Ugly, 87 J. Personality & Social Psych. 96, 96 (2004). The university has long been thought of as a safe or protective space in other respects. See Collini, supra note 57, at 56.

[111] See, e.g., Roderick A. Ferguson, The Re-Order of Things: The University and Its Pedagogy of Minority Differences 81 (2012).

[112] See Sidanius, supra note 110, at 96; Pelikan, supra note 109, at 65. Concisely put, uninhibited debate may well not be fully compatible with an assumed pre-existing genuine campus community. The University of Chicago appears to endorse the former, even at some cost in the latter, but then registers a number of function-based exceptions to that endorsement. See Report of the Committee on Freedom of Expression, available at http://provost.uchicago.edu/FOECCommitteeReport.pdf (2015) (visited January 15, 2016). For a similar stance, see the Princeton University Faculty Statement, available at www.princeton.edu/main/news/archive (April 7, 2015) (visited January 15, 2016).

[113] See supra notes 25, 33, 34, 69, 70 and accompanying text.

[114] See supra notes 26, 58, 96, 99, 110 and accompanying text. Consider also the implications for this conflict of classifying the promotion of social justice and broad sustainability as genuinely basic university functions.

[115] For a sense of the disparate contemporary understandings of the very idea of truth, see, e.g., Timothy M. Mosteller, Theories of Truth: An Introduction (2014); Truth (Oxford Readings in Philosophy) (Simon Blackburn & Keith Simmons eds., 1999).

[116] It is certainly possible to argue that at least some theories of knowledge or truth are not themselves neutral with regard to the values, aims, interests, and priorities of minority communities on campus. If so, then to whatever degree a given campus reflects such theories, there is the possibility of either reduced or enhanced conflict between the uninhibited pursuit of truth, and the values and interests of minority campus communities. This Article will not, however, assume that concrete political, moral, or cultural implications are genuinely built into any popular theory of truth or knowledge. For broader discussion, see Simon Blackburn, Truth: A Guide (2007).

[117] The campus cultural contradiction between freedom of inquiry and responsibility in inquiry is not resolved merely by rhetorically pairing the ideas of freedom and responsibility conjunctively. See, e.g., Pelikan, supra note 109, at 58, 65. For an extended argument for supplementing and tempering a speaker’s freedom of expression with the values of civility, self-restraint, and respect, see Edward Shils, The Virtue of Civility: Selected Essays on Liberalism, Tradition, and Civil Society (Steven Grosby, ed.) (1997). See also Cheshire Calhoun, The Virtue of Civility, 29 Phil. & Pub. Aff. 251 (2000), and more broadly, the concept of a conversation, as developed in Sherry Turkle, Reclaiming Conversation: The Power of Talk in a Digital Age (2015). The idea of a genuine conversation might in turn be linkable to the idea of genuinely discursive public decision making, as in Jurgen Habermas, Moral Consciousness and Communicative Action (Christian Lenhardt & Shierry Weber Nicholsen trans., 1990) (1983).

[118] For present purposes, we set aside the otherwise increasingly important question of who is to count, in the first place, as a member of any relevant campus community. This question notably arises in the context of students whose connection with the physical or residential university campus is largely or entirely virtual, or online, and in the context of the increasing percentages of adjunct and temporary faculty, whose connection to any particular campus may in some respects be attenuated.

On the general question of virtual or remote college-level education, see, e.g., Nannerl O. Keohane, Higher Education in the Twenty-First Century: Innovation, Adaptation, Preservation, 46 PS: Political Science & Politics 102, 103 (2013); Frank B. McCluskey & Melanie L. Winter, Academic Freedom in the Digital Age, 22 On the Horizon 136, 127 (2014). See also Jonathan Haber, MOOCs (2014). On the role of adjunct or contingent faculty, see House Committee on Education and the Workforce Democratic Staff, The Just-in-Time Professor, available at www.mpsanet.org/portals (January, 2014) (visited January 15, 2016); Noam Chomsky, How America’s Great University System Is Being Destroyed (February 28, 2014), available at www.alternet.org/corporate-accountability-and-workplace/chomsky (visited January 15, 2016); Delbanco, supra note 59, at 4-6.

[119] Again, we do not herein emphasize the differences between public and private universities, or other differences within each of these categories. See supra note 1.

[120] We also set aside here questions of the increasingly murky, and as yet largely judicially unresolved, boundaries between on-campus and off-campus, but directly campus-related, speech. For a sense of some of the options at the pre-university level, see, e.g., Bell v. Itawamba Cnty. Sch. Bd., 799 F.3d 379 (5^th Cir. 2015) (en banc); Wynar v. Douglas Sch. Dist., 728 F.3d 1062 (9^th Cir. 2013); Kowalski v. Berkeley Cnty. Schs., 652 F.3d 565 (4^th Cir. 2011); J.S. ex rel. Snyder v. Blue Mt. Sch. Dist., 650 F.3d 915 (3d Cir. 2011) (en banc); Layshock v. Hermitage Sch. Dist., 650 F.3d 205 (3d Cir. 2011) (en banc); Doninger v. Niehoff, 527 F.3d 41 (2d Cir. 2008).

[121] Chaplinsky v. State, 315 U.S. 568, 572 (1942).

[122] Id. (quoting Cantwell v. Connecticut, 310 U.S. 296, 309 (1940)). More broadly, one might easily argue that some of the leading discussions of free and open discussion on campus are not at all logically committed to condoning the use of vulgar epithets. Consider, in this context, e.g., John Henry Newman, supra note 23, at 473.

[123] See supra notes 26, 35-37, 48, 53-54, 58, 88-90, 93-99 and accompanying text.

[124] See, e.g., supra notes 25, 34, 70 and accompanying text.

[125] See supra note 56 and accompanying text.

[126] See supra note 60 and accompanying text.

[127] See the authorities cited infra notes 131, 134.

[128] See supra note 121.

[129] Id. at 572.

[130] Consider the classic essay by W.H. Auden, Anger, in The Seven Deadly Sins 78, 83 (2002 ed.) (1962).

[131] See, e.g., Richard Delgado & Jean Stefancic, Understanding Words That Wound (2004); Jeremy Waldron, The Harm in Hate Speech ch. 1 (2012); Ronald Turner, On Free, Harmful, and Hateful Speech, 82 Tenn. L. Rev. 283 (2015).

[132] See Waldron, supra note 131, at 4-6.

[133] See Delgado & Stefancic, supra note 131, at 12, 117.

[134] For background, see Habermas, supra note 117; Michael Oakeshott, Rationalism in Politics and Other Essays 304, 312 (reprint ed., 1984) (1962) (education in general and the university in particular as crucially a matter of conversation); H.P. Grice, Logic and Conversation, available at http://edge.edx.org/asset-v1:Brown 45 (on “conversationally unsuitable” moves) (visited January 20, 2016); Michael Oakeshott, The Idea of a University 25-26, available at www.cse.cuhk.edu.hk/irwin/king (1989) (1950) (visited January 20, 2016) (“[t]he pursuit of learning is not . . . an argument or a symposium; it is a conversation”). See also R. George Wright, Traces of Violence: Gadamer, Habermas, and the Hate Speech Problem, 76 Chi.-Kent L. Rev. 991 (2001).

[135] William Shakespeare, Richard III, act 1, scene 2, line 59 at 25 (Folger ed., 2014) (~1623).

[136] Id. line 16 at 33.

[137] Id. line 75 at 25.

[138] Interestingly, the English medieval universities of very roughly Richard III’s time may have disciplined rather similarly what we might consider “scurrilous or offensive language” in general, and invidious comparisons among countries, races, and sciences in particular. See Robert S. Rait, Life in the Medieval University 65, 67 (Forgotten Books ed., 2015) (1912).

[139] See Chaplinsky, 315 U.S. at 572.

[140] Nor does the first, or verbal injury, prong invariably balance out the second prong’s lack of cultural neutrality.

[141] Note the assumption not so much that men will be doing the fighting, as that men, in whatever sense, will be doing the judging.

[142] Chaplinsky, 315 U.S. at 573.

[143] See id.

[144] Id.

[145] If not also an equal protection or civil rights violation.

[146] See, e.g., People v. Stamp, 2 Cal. App. 3d 203, 210, 82 Cal. Rptr. 598, 610 (1970); A.M. Honore, Review: Legal Cause in the Law of Torts, 77 Harv. L. Rev. 595, 600 (1964) (reviewing Professor Robert M. Keeton’s treatment).

[147] Note that courts have occasionally felt up to the task of distinguishing between appropriate sensitivity and legally unreasonable hypersensitivity in matters of religious response and belief. See, e.g., Books v. Elkhart Cnty, 401 F.3d 857, 867 (7^th Cir. 2005) (citing authority).

[148] Thinking of a victim in the most appropriate terms, somewhere between abstract, nearly empty universalism and detailed, concrete particularism, poses issues similar to those associated with the broader problem of a proper choice among levels of generality in description. See, e.g., Laurence H. Tribe & Michael C. Dorf, Levels of Generality in the Definition of Rights, 57 U. Chi. L. Rev. 1057 (1999).

[149] This language is borrowed from the American Civil Liberties Union discussion Hate Speech On Campus 2, available at www.aclu.org/hate-speech-campus (visited January 25, 2016).

[150] See, classically, Justice Brandeis’s nominal concurrence in Whitney v. California, 274 U.S. 357, 377 (1927) (Brandeis, J., concurring). See also Brown v. Hartlage, 456 U.S. 45, 61 (1982) (citing authority); ACLU, supra note 149, at 2; A.C. Grayling, Wimpering [sic] Students Need to Grow Up or Get Out of University 2, available at www.telegraph.co.uk/education/educationopinion (December 4, 2015) (visited January 25, 2016).

[151] See the authorities cited supra notes 131, 134.

[152] See id.

[153] See ACLU, supra note 149, at 2; Grayling, supra note 150, at 2.

[154] Grayling, supra note 150, at 2. Professor Grayling begins his argument, interestingly, by conceding that “[a] university . . . should be a safe place for diverse ethnicities, sexualities, and viewpoints. It should be a domain founded on tolerance and mutual respect, where no one feels excluded or marginalized.” Id.

[155] 547 U.S. 410 (2006).

[156] See id. at 419-22. The Garcetti majority thus built upon the foundations of Pickering v. Bd. of Educ., 391 U.S. 563 (1968) and Connick v. Myers, 461 U.S. 138 (1983). To see the logic of the Garcetti majority in this respect, one might think of speech within the scope of one’s job responsibilities as “hired” speech, with the content being bought, and specifiable, by the government employer, as distinct from, for example, a letter by the public employee to a general newspaper editor, or an occasional op-ed column.

[157] See Garcetti, 547 U.S. at 427, 438 (Souter, J., dissenting). Justice Souter cited a number of the most familiar academic freedom related cases, including Grutter v. Bollinger, 539 U.S. 306, 309 (2003) (“the expansive freedoms of speech and thought associated with the university environment”); Keyishian v. Bd. of Regents, 385 U.S. 589, 603 (1967) (“[o]ur nation is deeply committed to safeguarding academic freedom, which is of transcendent value to all of us”); Sweezy v. New Hampshire, 354 U.S. 234, 250 (1957) (academic freedom as an area “in which government should be extremely reticent to tread”). See also Healy v. James, 408 U.S. 169, 180 (1972) (“[t]he college classroom with its surrounding environs is peculiarly the ‘marketplace of ideas’”); Keyishian, supra, at 603 (“[t]he classroom is peculiarly the ‘marketplace of ideas’”). But see Urofsky v. Gilmore, 216 F.3d 401, 412 (4^th Cir. 2000) (en banc) (“[t]he Supreme Court, to the extent it has constitutionalized a right of academic freedom at all, appears to have recognized only an institutional right of self-governance in academic affairs”).

[158] Garcetti, 547 U.S. at 425.

[159] For a sense of the judicial division in this area, see the discussion in Klaassen v. Univ. of Kansas School of Medicine, 84 F. Supp. 2d 1228, 1251 (D. Kan. 2015). For a sense of the university reaction, see, e.g., Robert M. O’Neil, The AAUP in the Courts, available at www.aaup.org/article/aaup-courts (January-February, 2015) (visited February 21, 2016); Modern Language Association Committee on Academic Freedom, Ramifications of the Supreme Court’s Ruling in Garcetti v. Ceballos, available at www.mla.org/Resources/Research/Surveys (2010) (visited February 21, 2016).

[160] See Renken v. Gregory, 541 F.3d 769, 775 (7^th Cir. 2008) (“Renken made his complaints regarding the University’s use of NSF funds pursuant to his official duties as a University professor. Therefore his speech was not protected by the First Amendment”). Note, though, that the speech in question may seem more administrative than classically scholarly or pedagogical in nature. See Recent Case, 127 Harv. L. Rev. 1823, 1828 (2014) (emphasizing such a distinction).

[161] See Adams v. Trustees of Univ. of N.C., 640 F.3d 550, 563 (4^th Cir. 2011) (noting that the professional speech involved “scholarship and teaching” as distinct from “declaring or administering university policy”).

[162] See Demers v. Austin, 746 F.3d 402, 411-12 (7^th Cir. 2011) (Garcetti . . . consistent with the First Amendment, cannot . . . apply to teaching and academic writing that are performed ‘pursuant to the official duties’ of a teacher and professor”). Demers cites Adams, supra note 161, as well as the Grutter, Keyishian, and Sweezy cases, supra note 157. See also Leonard M. Niehoff, Peculiar Marketplace: Applying Garcetti v. Ceballos in the Public Higher Education Context, 35 J. College & U.L. 75 (2008) (noting critiques of the extensions of Garcetti into academic freedom contexts); Kermit Roosevelt, III, Not As Bad As You Think: Why Garcetti v. Ceballos Makes Sense, 14 U. Pa. J. Const. L. 631, 658-59 (2012) (Garcetti as it stands, or with only limited modification, as protecting the university’s institutional decision making autonomy, assuming the appropriate availability of tenure systems, civil rights and anti-discrimination statutes, and whistle-blower protection statutes).

[163] See Lochner v. New York, 198 U.S. 45, 76 (1905) (Holmes, J., dissenting) (“[g]eneral propositions do not decide concrete cases”).

[164] For background, see D.W. Hamlyn, The Concept of a University, 71 Phil. 205, 207-09 (1996) (noting certain inevitable limitations on a university’s institutional autonomy, given substantial external funding for partly externally chosen purposes).

[165] Legendarily, in a faculty hiring context, Professor Bertrand Russell’s potential interest in speaking freely about university campus lifestyle issues once came into conflict with particular conceptions of a university as promoter of civic responsibility and of student character and virtue. See the remarkable case of Kay v. Bd. of Educ., 18 N.Y.S. 2d 821 (Sup. Ct.), aff’d mem., 20 N.Y.S.2d 1016 (App. Div. 1940). See supra note 48. Or consider, say, a faculty member’s deep critique of a student’s basic abilities.

[166] Note the qualifications referred to in Roosevelt, supra note 162, at 658-59.

[167] See supra notes 25, 34 and accompanying text.

[168] See supra note 33 and accompanying text.

[169] See supra note 42 and accompanying text.

[170] See supra note 70 and accompanying text.

[171] See supra notes 39-41 and accompanying text, and classically, the designated foils critiqued in Thorstein Veblen, supra note 69.

[172] See supra note 52 and accompanying text.

[173] As in some interpretations of the sources cited in notes 60-61 supra and accompanying text.

[174] See supra notes 88-90 and accompanying text.

[175] See Robert J. Gordon, The Rise and Fall of Growth 649 (2016) (“the percentage of jobs subject to occupational licensing has expanded from 10 percent to 1970 to 30 percent in 2008”).

[176] 816 N.W.2d 509 (Minn. 2012). This discussion assumes that the student speech bears a sufficient nexus to the university, and that the speech cannot reasonably be attributed to the university itself.

[177] See id. at 516, 517, 520.

[178] See id. at 521, 523. For helpful commentary on Tatro and related cases, see Emily Gold Waldman, University Imprimaturs on Student Speech: The Certification Cases, 11 First Amend. L. Rev. 382 (2013); Mark A. Cloutier, Note, Opening the Schoolhouse Gate: Why the Supreme Court Should Adopt the Standard Announced in Tatro v. University of Minnesota to Permit the Regulation of Certain Non-Curricular Speech in Professional Programs, 55 B.C. L. Rev. 1659 (2014).

[179] Consider the more and less student speech-protective outcomes in Oyama v. University of Hawaii ____ F.3d ____ (9^th Cir. 2015); Ward v. Polite, 667 F.3d 727 (6^th Cir. 2012); Keeton v. Anderson-Wiley, 664 F.3d 865 (11^th Cir. 2011); Axson-Flynn v. Johnson, 356 F.3d 1277 (10^th Cir. 2004).

[180] See Oyama, ____ F.3d at _____.

[181] For an introduction to whether public high school student free speech rules should generally apply to more mature college and university students, see Hosty v. Carter, 412 F.3d 731 (7^th Cir. 2005) (en banc). See also Eric Posner, Universities are Right—and Within Their Rights—to Crack Down on Speech and Behavior, available at www.slate.com/articles (February 12, 2015) (visited February 21, 2016) (interrogating the distinction in maturity level between college and high school students). Much more broadly, see Butler v. Michigan, 352 U.S. 380 (1957) (adult speech not to be held legally hostage to only that which is fit for children).

[182] For a classic, if doubtless less than comprehensive, statement, see Brown v. Bd. of Educ., 347 U.S. 483, 493 (1954) (education as today linked to good citizenship, socialization, later training, and discharge of public responsibilities).

[183] Oyama, _____ F.3d at ______.

[184] Note that a graduate student in astronomy who intends solely to tout the explanatory and predictive power of astrology poses, in the absence of any fraud or deception, a much less disturbing case. Further afield, a professorial tenure candidate whose research and teaching interests universally strike institutional and external peers as bizarre, trivial, groundless, or eccentric, and as uninterestingly and unprovocatively so, should not rely on a sensible approach to individual academic freedom to save the tenure case. For background, see, e.g., the 1940 AAUP Statement of Principles on Academic Freedom and Tenure, available at www.aaup.org/report/1940-statement-principles-academic-freedom-and-tenure (visited February 4, 2016). On presumed academic competence, see Robert C. Post, Academic Freedom and Legal Scholarship, 64 J. Legal Educ. 530, 533 (2015).

[185] Hutchins, supra note 69 and accompanying text. See also Thaddeus Metz, A Dilemma Regarding Academic Freedom and Public Accountability in Higher Education, 44 J. Phil. Educ. 529 (2010) (noting possible conflicts between pursuing knowledge for its own sake and benefiting society).

[186] See supra note 25 and accompanying text.

[187] See supra note 26 and accompanying text.

[188] See supra note 34 and accompanying text.

[189] See supra note 43 and accompanying text.

[190] See supra notes 55-56 and accompanying text.

[191] See supra notes 39-41, 52 and accompanying text.

[192] See supra note 52 and accompanying text.

[193] The literature on individual and institutional academic freedom in general is of course immense. Beyond the works cited above, see, e.g., The Concept of Academic Freedom (Edmund L. Pincoffs ed., 1975); Judith Butler, Exercising Rights, in Who’s Afraid of Academic Freedom? 293 (Akheel Bilgrami & Jonathan R. Cole, eds.) (2015) (emphasizing the basic material prerequisites of academic freedom); J. Peter Byrne, The Social Value of Academic Freedom Defended, 91 Ind. L.J. 5 (2015); Stanley Fish, It’s Not About Free Speech or Academic Freedom, available at www.huffingtonpost.com/stanley-fish/its-not-about-free-speech (November 23, 2015) (visited February 5, 2016); Aziz Huq, Easterbrook On Academic Freedom, 77 U. Chi. L. Rev. 1055 (2010); Robert Post, Why Bother With Academic Freedom?, available at http://digitalcommons.law.yale.edu/fss_papers/4936 (2013) (visited February 5, 2016); Frederick Schauer, Is There a Right to Academic Freedom?, 77 U. Colo. L. Rev. 907 (2006); Ellen Schrecker, The New McCarthyism in Academe, Thought and Action 103 (Fall, 2005); Robert J. Zimmer, Address Delivered at Columbia University Conference on “What Is Academic Freedom For?,” available at https://president.uchicago.edu/page/address-delivered-columbia-university (October 21, 2009) (visited February 5, 2016).

Evidentiary Privilege for Researchers – OLD

11.23.2016  |  Comments Off on Evidentiary Privilege for Researchers – OLD

Its Present State and a Proposal for Its Future

 

Prof. Aman McLeod,
University of Idaho College of Law

This article addresses the importance of the ability of academics to maintain the confidentiality of the sources ued in their research. There are many academic disciplines (e.g., criminal justice, sociology, public health), in which the promise of confidentiality to research participants is essential to the discovery of information that might be of public or historic importance.   However, as this article reveals, academics in many jurisdictions enjoy little if any ability to protect the confidentiality of their sources from compulsory processes. A significant portion of this article surveys the current federal and state statutes and case law that allow scholars to protect the confidentiality of their sources. It then suggests the adoption of a decades-old, proposed statute that would erase the distinction between scholars and reporters in terms of whether they are legally entitled to protect their confidential sources. The article concludes with an assessment of the prospects for achieving reform on this issue.

Volume 43:1 Evidentiary Privilege for Researches

Abstract:

 

“If you have knowledge, let others light their candles in it.”

– attributed to Margaret Fuller[1]

For centuries, researchers have placed enormous importance on the freedom to research and write about what they choose.[2] It has long been understood that the advance of knowledge and the flourishing of artistic creativity are encouraged if researchers and artists are able to carry out their endeavors without fear of retaliation by institutions or governments.[3] Though researchers at universities and other institutions frequently speak out to defend academic freedom at universities from perceived threats like the elimination or weakening of tenure,[4] researchers have largely ignored an equally grave threat to their work, which entails being forced to divulge the identities of individuals who provide them with information for their academic work in legal or other governmental proceedings.

Reporters, and other persons who do investigative reporting, the results of which are published in newspapers, magazines, and other media, have considered their ability to protect the identity of those who provide them with information and their observations of them, to be of utmost importance.[5] Reporters argue that without the ability to reliably promise those who provide them with sensitive information that their identities will be protected from disclosure, such sources would be afraid to give the information to the press or to allow their activities to be observed.[6]   If the sources’ refuse to provide information to the press, it is further argued, that matters of vital public importance, such as corruption, threats to public health and safety, or worse will not come to the public’s attention.[7] However, all of these reasons apply with equal force to justify recognition of the right of academic researchers to keep their sources confidential as well.

Examples of the ways in which academic research serves a role similar to journalism in bringing matters of public concern to the light are not hard find. Academic studies of illicit subcultures or individuals engaged in illegal behavior help the public understand the history of conflicts, why people engage in criminal behavior, and how it can be prevented. However, such studies require academics to give their subjects assurances of confidentiality if the researchers are to secure the subjects’ participation in the study.[8] For example, researchers who interviewed participants in paramilitary groups in Northern Ireland argued in a recent federal court case that maintaining the confidentiality of their subjects was critical to their ability to document the course of the sectarian conflict that wracked that province for decades, so that future generations will have a better understanding of what occurred.[9] Similarly, the work of medical and psychological researchers alerts the public to threats to their health and leads to treatments for illnesses. However, to do their work, they also promise confidentiality to their subjects in order to secure their cooperation as a matter of course, given that subjects probably do not want information about their conditions made public.[10]   The need to promise confidentiality also extends to the study of government institutions. For example, researchers have noted that studies of police departments, including interviews with officers and observations of their activities while on duty, are often not possible without promising the participating officers that their identities will be protected by the researchers.[11]

A prominent case illustrating the need for laws protecting the confidentiality of research subjects, is that of sociologist Rik Scarse, who was incarcerated for 159 days for contempt of court because he refused to reveal information about a person that he had interviewed who was a member of a radical environmental group, and who was a suspect in a federal criminal investigation.[12] Scarce’s research into the radical environmental movement was the first of its kind, providing new insights into a branch of the environmental movement dedicated to “direct action,” a term describing tactics that diverged from more mainstream environmental groups to include civil-disobedience and property destruction.[13] Scarce’s ordeal stands as a reminder to all researchers who use subjects involved in criminal activities or who have sensitive or damaging information to divulge, that without protection from compelled revelation, they might face the difficult choice between contempt of court, and having to reveal information that could hinder future research into such topics.

The forgoing examples illustrate the point that without the ability to keep the identity of research subjects confidential, scholars would be impeded in their capacity to produce scholarship that serves the public interest, in the same way that failing to protect journalists’ ability to shield the identity of their sources impedes their ability to report news that is in the public interest. It follows that there is no logical reason for not protecting the subjects of academic research, if such protection should be offered to journalistic sources.

Arguments in favor of extending an evidentiary privilege to researchers that would permit them to keep their sources and subjects confidential have been made for many years,[14] but with little acknowledgment of the patchwork of existing law that protects researchers’ ability to maintain confidentiality.   The aim of this article is to survey the breadth of the evidentiary privilege that the work of academic researchers currently have in the United States, and to suggest the wide adoption of a proposed statute that erases the distinction between researchers and reporters in terms of whether they are legally entitled to protect their confidential sources and subjects, and grants a broad privilege to all information gained by researchers and journalists in the course of their work.

The article opens with a survey of state and federal law, which shows that the work of academic researchers probably enjoys some form of evidentiary privilege in at least seventeen states and in a minority of the federal circuits, and that this privilege is often grounded in two sources: 1) statutes and rules that were written to protect journalists, or 2) judicial opinions involving assertion of the journalist’s privilege by non-journalists. The article then discusses laws that allow government officers to extend privilege to researchers for specific projects, as well as the power that state and federal courts enjoy to privilege academic research under their rules of evidence and civil procedure. Finally, it will argue in favor of adoption, in modified form, of a model statute proposed by Profs. Samuel Hendel and Robert Bard,[15] at both the state and the federal level in order to erase the hard-to-justify distinction between journalists and researchers in terms of whose sources should be protected by an evidentiary privilege, and to eliminate the inconsistencies created by the multiplicity of laws that might offer some protection to researchers.

I. The Federal Constitutional Basis for Privilege: Branzburg v. Hayes

Branzburg v. Hayes[16] represents the U.S. Supreme Court’s primary exposition on the constitutional basis for the reporter’s privilege. This case arose when a reporter, Branzburg, observed the making of hashish from marijuana and was later called before a state grand jury to implicate the persons involved.[17] Two other petitioners, also reporters, both reported stories about the Black Panther Party, which, at the time, was a controversial revolutionary organization.[18] These two petitioners were later called to state and federal grand juries respectively to testify about what they had seen and heard while reporting their stories.[19] All three reporters claimed that the free flow of information protected by the First Amendment gave them a right not to divulge information about their confidential sources, and that being forced to give information about their sources would cripple their ability to gather and disseminate news.[20]

“In its holding, the Supreme Court refused to recognize a general privilege for reporters under the First Amendment’s guarantee of freedom of the press,[21] but made it clear that First Amendment rights were implicated when a reporter was forced to reveal confidential sources.[22] Furthermore, the Court specifically noted that a grand jury summons to a reporter to divulge information about a confidential source must be done in good faith,[23] and suggested that for the request to withstand constitutional scrutiny, the government must “convincingly show a substantial relation between the information sought and a subject of overriding and compelling state interest.”[24]

The Court’s reluctance to find a robust evidentiary privilege for journalistic sources was not surprising given judges’ general reluctance to recognize new evidentiary privileges.[25] In his article, Creating Evidentiary Privileges: An Argument for the Judicial Approach,[26] Raymond F. Miller noted that courts have generally justified the recognition of new privileges to protect the privacy of communications within important relationships, and to safeguard individual privacy.[27] Courts appear to take seriously the notion that new privileges should not be created unless they are strongly justified, given the importance of access to all relevant evidence in reaching just resolutions in criminal and civil cases. Accordingly, judges have generally left the creation of new privileges to legislatures.[28] However, the willingness of the Branzburg-Court to find that newsgathering enjoyed some protection under the First Amendment,[29] suggested the importance that the Court placed on this activity, and gave lower courts a precedent for the creation of a privilege for journalists’ sources.

In his opinion in McKevitt v. Pallasch,[30] Judge Richard A. Posner discusses the reception of Branzburg in the federal courts of appeals, and notes that many appeals courts that have considered the case have found that there is a reporter’s privilege.[31] Judge Posner inferred that one basis for these holdings is Justice Lewis F. Powell’s statement in his concurring opinion that claims of journalistic privilege should be decided on a case-by-case basis by balancing the freedom of the press against the obligation to assist in criminal proceedings,[32] along with the fact that the four dissenting justices in Branzburg would have gone further than Powell in protecting journalist’s sources under the First Amendment.[33] Judge Posner also notes that although many circuit courts recognize a reporter’s privilege, they do not agree as to its scope, with some, for example, recognizing the privilege generally, but not in cases, like Branzburg, that involved a grand jury proceeding.[34] Furthermore, according to Posner,[35] among the cases that recognize a journalist’s privilege, some do not refer to Branzburg as the source of the privilege,[36] some treat the “majority” opinion in Branzburg as a plurality opinion,[37] and some read as Branzburg as explicitly recognizing a reporter’s privilege.[38]

Some courts of appeals have been prepared to expand the definition of a reporter in terms of who is entitled to keep sources confidential. Von Bulow v. von Bulow,[39] which was decided by the United States Court of Appeals for the Second Circuit in 1987, exemplifies a case in which a circuit court extended the journalist’s privilege to a non-journalist. Von Bulow arose out of a civil suit that was filed against a wealthy man by his stepchildren who claimed he allegedly attempted to murder their mother.[40] During the discovery phase of the trial, the court ordered a close friend of the defendant to deliver to the plaintiff a copy of a manuscript that she was writing about the defendant’s earlier criminal trial for attempted murder.[41] When the friend refused to comply with the order claiming that she was entitled to the reporter’s privilege, the district court held that she was not entitled to such a privilege, and eventually cited her for civil contempt of court.[42] When the contemnor appealed the civil contempt ruling, the appeals court held that though she was not entitled to invoke the journalist’s privilege in her case,[43] that privilege extended to anyone who could demonstrate “…the intent to use material — sought, gathered or received — to disseminate information to the public and that such intent existed at the inception of the…process.”[44] As of 2015, four other circuit courts of appeals, the First,[45] the Third,[46] the Ninth,[47] and the Tenth,[48] appear to employ a definition of a journalist that it broad enough to encompass non-journalists who gather information for publication, which is a definition broad enough to include academic researchers.

By adopting a broad definition of who is entitled to protect their sources, all of these courts acknowledged, as did the Supreme Court in Branzburg,[49] that the process of newsgathering receives some protection under the First Amendment,[50] and that the source of this First Amendment protection is a strong belief in the importance of the free flow of information.[51]   This holding has led these courts to extend the protections of the First Amendment to all those who gather information with the intent to publish, just as reporters do, without requiring them to be affiliated with a traditional news corporation or to be explicitly identified as a journalist.[52] In other words, these courts saw no meaningful distinction between the work of journalists that was deserving of constitutional protection, and the work of the non-journalists at issue in the cases.

As Justice White pointed out in his opinion for the Court, this privilege had not been recognized by state courts.[53] However, by 1972, seventeen states had enacted statutes creating a privilege for journalists,[54] and, after Branzburg, some state courts used the Branzburg opinion in that case to justify recognizing a privilege.[55] In those states where a journalist privilege is protected by statute, state legislators and other officials have generally justified these laws by saying they are needed to protect the public’s right to receive information about matters of great importance specifically by facilitating journalists’ use of confidential sources.[56] Some officials have also cited the need to provide additional protection for whistleblowers who seek to expose corruption.[57] In the wake of Branzburg, at least one legislator spoke in support of her state’s shield law by saying that it was need to ensure protection for journalists’ First Amendment rights.[58] As of 2015, every state except Hawaii and Wyoming extended some privilege to journalists’ sources either by statute (thirty-seven states), court-made rule of evidence (two states) or state appellate court ruling (nine states).[59]

II. State Reporter’s Shield Statutes[60]

The fact that so many states have by one means or another decided to protect journalists from having to reveal their sources indicates that they place significant importance on the free flow of information that this protection facilitates. However, in finding a balance between protecting sources and facilitating discovery in the judicial process, states have adopted different definitions of who may protect their sources from court-ordered revelation. Although most of these statutes might have been written with journalists in mind, some employ a definition of journalist that is broad enough to encompass academic researchers. For the purposes of categorizing jurisdictions whose reporter’s shield laws extend to academic researchers, the term academic researcher follows the definition suggested in the Hendel and Bard article. Specifically, their proposed law would apply to any “…person regularly or occasionally engaged in the purposeful collection, collation, and analysis of information, when obtained under promise of confidentiality, with the intent of bringing such information, analysis, and/or recommendations to public attention.”[61] Obviously, this definition is very broad, and includes persons who are not affiliated with institutions of higher learning or organizations dedicated to research, but this definition accounts for the reality that there are people doing academic research who are not affiliated with such institutions.[62]

The states can be divided into two categories in terms of whether state law recognizes an evidentiary privilege for researchers. The first category includes states that have no statutes, rules, or appellate case law that could be plausibly read as extending an evidentiary privilege to researchers, and the second category includes states that have legislation or case law extending such a privilege. The following states have statutes or case law that arguably or explicitly create a researcher’s privilege: Alaska,[63] California,[64] Delaware,[65] Georgia,[66] Illinois,[67] Louisiana[68], Maine[69], Massachusetts[70], Michigan[71], Minnesota[72], Missouri[73], Nebraska[74], New Hampshire,[75] North Carolina,[76] South Carolina,[77] Tennessee,[78] Texas,[79] Utah,[80] and West Virginia.[81]

Georgia’s shield law is typical of those with language broad enough to protect researchers. Its protections extend to the following:

Any person, company, or other entity engaged in the gathering and dissemination of news for the public through any newspaper, book, magazine, radio or television broadcast, or electronic means shall have a qualified privilege against disclosure of any information, document, or item obtained or prepared in the gathering or dissemination of news in any proceeding where the one asserting the privilege is not a party….[82]

Conversely, Kentucky’s statute is a prime example of a narrowly focused shield law that extends its protection only to reporters who are associated with traditional media companies:

No person shall be compelled to disclose in any legal proceeding or trial before any court, or before any grand or petit jury, or before the presiding officer of any tribunal, or his agent or agents, or before the General Assembly, or any committee thereof, or before any city or county legislative body, or any committee thereof, or elsewhere, the source of any information procured or obtained by him, and published in a newspaper or by a radio or television broadcasting station by which he is engaged or employed, or with which he is connected.[83]

Even in states where the definition of a reporter is broad enough to extend to researchers, these statutes vary as to the situations in which their protections are applicable. For example, the Michigan shield statutes only protect reporters from subpoenas issued by grand juries and prosecutors,[84] while North Carolina’s shield law applies to all legal proceedings,[85] and Nebraska’s shield law applies to all state proceedings, including legislative hearings.[86] Note that some state shield laws provide a lower level of protection by providing for a host of conditions that make the privilege inapplicable,[87] while others provide apparently absolute protection for a reporter’s sources.[88]

III. Discretionary and Nondiscretionary Privilege for Research Subjects and Data

So far, the article has discussed the protection that researchers have acquired for their confidential sources and subjects under statutes and doctrines that were primarily devised with traditional reporters in mind. However, there are some state and federal statutes that allow government officials to provide evidentiary privilege to research subjects if they determine that such protection is necessary for the research to be conducted. The existence of these laws shows that policy makers understand the need for researchers to be able to credibly promise their subjects confidentiality if they are to glean information needed to make public policy.

For example, a federal statute gives the Secretary of Health and Human Services the right to do the following:

…authorize persons engaged in biomedical, behavioral, clinical, or other research that uses federal funds (including research on mental health including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local, civil, criminal, administrative, legislative, or other proceedings to identify such individuals.[89]

Additional examples include a statute that authorizes the United States Attorney General to allow researchers studying matters related to the enforcement of federal narcotics laws to keep confidential the identities of the research subjects,[90] and a statute that prohibits federal employees and those engaged in research funded by the Office of Justice Programs from revealing the identities of research subjects.[91]

Some state officials also have the power to privilege the identities of research subjects who might not otherwise participate in a study without the promise of confidentiality. For example, a California law authorizes the state attorney general to privilege the identity of subjects that participate in research into the use of controlled substances,[92] and a New Hampshire law allows the state’s Commissioner of Health and Human Services to privilege information obtained for the purposes of medical or scientific research.[93] Minnesota[94] and Michigan[95] have laws that forbid, except in a few circumstances, the disclosure before any state tribunal of information that was collected by the state health department for the purpose of promoting public health.

IV. Rules of Civil Procedure

Federal and state rules of civil procedure provide some protection to researchers who do not wish to reveal sensitive information about their subjects, although not as comprehensively or with the same level of certainty as a shield law. The Federal Rules of Civil Procedure (FRCP) do this by limiting access to the normal tools of pre-trial discovery “…if the court determines that the discovery sought is unreasonably cumulative or duplicative, or is obtainable from some other source that is more convenient, less burdensome, or less expensive.”[96] Although this power granted by the FRCP does not formally privilege the information that researchers gather, it is a tool that provides some protection because it allows researchers to make the claim that turning over sensitive information about research subjects would be burdensome. This argument has succeeded on several occasions in federal court. For example, in In re Snyder,[97] the trial court granted a motion to quash a subpoena that had been served on a retired auto safety researcher to testify in a case against an auto manufacturer. Although the court rejected the researcher’s claim that his data were privileged under federal law,[98] it granted the motion to quash on grounds of burdensomeness, arguing, among other things, that forcing him to testify would set a precedent that could deter future research into topics where subjects would demand confidentiality, and could result in researchers having to answer many subpoenas regarding their work.[99]

Federal courts have also ruled that researchers may avail themselves of the courts’ power to issue protective orders limiting the scope of what they can be compelled to disclose in civil litigation under the Federal Rules of Civil Procedure.[100] Specifically, the rules allow courts to issue protective orders to shelter parties from, among other things, “…annoyance, embarrassment, oppression, or undue burden or expense” in the discovery process.[101] For example, in In re Bextra & Celebrex Mktg. Sales Practices & Prod. Liab. Litig.,[102] a federal district court issued a protective order that limited the information that the New England Journal of Medicine had to divulge regarding the identity and comments of its peer reviewers, since this would interfere with the journal’s peer review process.[103] Federal courts are divided on the question of whether and to what extent the confidentiality of the peer-review process should be upheld in litigation.[104]

The Federal Rules of Civil Procedure also allow courts to quash or modify subpoenas to “unretained experts,” if the subpoena requires disclosing the expert’s opinion, or information that does not relate to specific occurrences in the dispute and was not the result of a study requested by a party.[105] One of the intended effects of this rule has been to guard against experts having their intellectual property “taken” by being forced to testify,[106] but it also provides researchers with a tool to prevent the revelation of confidential sources that their work might have relied upon. Civil procedure rules like those in the Federal Rules of Civil Procedure that allow experts to quash or modify subpoenas or to issue protective orders also exist in state courts.[107]

V. Rules of Evidence

Federal and state rules of evidence provide yet another avenue for the protection of the confidentiality of research subjects. Specifically, the rules of evidence in federal courts and in the courts of several states give judges the discretion to recognize new evidentiary privileges, apart from any privileges that might exist in state statutes, or that are based on federal or state constitutional law. Accordingly, in these jurisdictions, there are three ways that the identity of research subjects might be protected.

Federal Rule of Evidence 501 is the most prominent example of a rule of evidence that allows for the recognition of new privileges. This rule reads as follows: “[t]he common law — as interpreted by United States courts in the light of reason and experience — governs a claim of privilege unless any of the following provides otherwise: The United States Constitution; a federal statute; or rules prescribed by the Supreme Court.”[108] Pursuant to this rule, the federal courts have recognized a host of privileges, including attorney-client, spousal, and clergy-penitent.[109]

To date, the federal courts have not been very receptive to claims that academic researchers deserve a privilege under Rule 501.   For example, in Wright v. Jeep Corp., a federal district court in Michigan rejected the notion that there was a common law evidentiary privilege for academic research, stressing the importance of access to evidence in the civil justice process.[110] On the other hand, in In re Grand Jury Subpoena, the Second Circuit Court of Appeals considered whether it was proper for the district court to have quashed a grand jury subpoena that would have required a graduate student, Mario Brajuha, to divulge information for his dissertation obtained from sources whom he had promised confidentiality.[111] Noting that Brajuha had not established a basis in the record for the court to rule on his request for recognition of an academic privilege under Rule 501, the court remanded the case to the district court for further proceedings.[112] However, it did not deny that an academic privilege might be protected under Rule 501, if Brajuha were able to establish an adequate basis for such protection.[113] No other federal court has suggested that a privilege for researchers’ sources might find protection under Rule 501.[114]

The states are split nearly evenly as to whether their trial courts are permitted to privilege evidence based on court rulings. Twenty-six states[115] allow their trial courts to create privileges, while the remainder and the District of Columbia explicitly prohibit their lower courts from issuing such rulings. In those states that allow their trial courts to create new privileges under state rules of evidence, none have used these provisions to protect a researcher’s privilege. Instead, such a privilege is protected, if at all, by state statute,[116] by rule of evidence,[117] or by appellate court decision based on a constitutional provision.[118]

Finally, it should be noted that some researchers can find sanctuary under the physician-patient[119] and psychotherapist-patient[120] privileges. Although these privileges were not intended to protect researchers, they might be available to physicians and psychotherapists who are basing their research on patients whom they have treated.

VI. A Proposal for Expanding Recognition of an Evidentiary Privilege for Researchers.

The foregoing discussion of the ways in which researchers are afforded privilege for their work reveals a makeshift system of protections that are available to researchers depending on the jurisdiction, and sometimes about the research or the researcher’s employer. The privilege for researchers’ sources is also not as widespread or as easily utilized as the privilege for journalists sources. The forgoing also suggests that efforts to expand the researcher’s privilege should be aimed at the adoption of legislation expanding the privilege, rather than seeking recognition of it in the courts.

The evidence supporting this conclusion is found in the judiciary’s reluctance to create new evidentiary privileges based on anything other than constitutional arguments.   When it comes to common law arguments for new privileges, the judges of American courts appear to be firm believers in the phrase popularized by Dean Wigmore in his treatise on evidence, that “[T]he public… has a right to every man’s evidence,”[121] and are, therefore, reluctant to find new privileges unless grounded in constitutional law.[122] For example, in the twenty-five years following the adoption of the Federal Rules of Evidence by the United States Supreme Court, “…the federal courts have exercised this authority [under FRE 501] to confirm the eight privileges which existed in the common law prior to 1973 and to introduce one new privilege [psychotherapist-patient].”[123] Over roughly the same time period, recognition of new privileges by state courts was negligible.[124]

Constitutional arguments for recognizing new evidentiary privileges have done better in courts. For example, important privileges and doctrines of exclusion in criminal cases are constitutionally based, as are doctrines that allow the exclusion of evidence that might reveal state secrets and the identity of government informers.[125] Furthermore, as was mentioned above, litigants have gotten at least some recognition of a privilege that would apply to researchers’ subjects in four of the federal circuit courts of appeals and in a few state appellate courts based on First Amendment arguments,[126] but only after the Supreme Court opened the door to this expansion with its Branzburg opinion when it noted that the First Amendment affords some protection to journalists from having to reveal their sources.[127] This suggests that Branzburg was the catalyst for these court opinions, as opposed to a general eagerness on the part of judges to create new privileges, and the fact that more courts have not used Branzburg to create a privilege for researchers is more evidence of this reluctance.

Since the Nineteenth Century, the legislatures have replaced the judiciary as the primary developers of privilege law,[128] given that the courts clear reluctance to create more evidentiary privileges. It follows from this conclusion that legislatures should be the focus of efforts to secure changes in the law that will provide researchers with an unambiguous evidentiary privilege for their subjects.[129]

V. A Legislative Proposal

Hendel and Bard’s 1973 proposal for a shield law for researchers is a useful proposal to build upon because of its breadth in terms of who enjoys its protections and because of the balance it strikes between protecting the identity of research subjects and the need for evidence in criminal and civil trials. Their proposal borrows from provisions in existing reporter’s shield laws to create a broad privilege for all of those who offer information in the public interest. For example, regarding its protections, the Hendel and Bard proposal is very similar to some reporter’s shield laws already in existence,[130] except that it eliminates any suggestion that the law’s protections are restricted to traditional journalists. Note also, that the proposal does not require anyone to be affiliated with a specific type of organization or institution to enjoy its protections. In this respect, the Hendel and Bard proposal is like the more liberal reporter’s shield laws that do not require affiliation with any traditional media organization, [131] and therefore, recognizes that independent researchers deserve the protection of the law as well.

Hendel and Bard would allow covered individuals to assert the privilege “… whenever there is a reasonable possibility that [compelled] testimony may compromise confidential sources of information relevant to public pursuits or require revelation of confidential information gathered in the course of his or her activities as a researcher.”[132] This language would appear to cover a range of information similar to that protected by some existing statutes,[133] in that it would protect the identities of a researcher’s sources and subjects, information obtained from them, and a researcher’s personal observations of sources and subjects. Hendel and Bard would also extend the privilege to non-confidential as well as to confidential communications, which also mirrors some existing statutes.[134] Finally, like some existing shield laws, the Hendel and Bard proposal would not require researchers to give a promise of confidentiality to their subjects and sources to invoke the privilege.[135]

The scope of the protection afforded by the Hendel and Bard proposal is also quite broad in terms of the fora in which it can be applied. For example, Hendel and Bard would allow researchers to assert the privilege before grand juries, legislative committees, and criminal and civil courts.[136] In this, the scope of the proposal’s protection mirrors some existing reporter’s shield laws,[137] and goes further than others which, for example, only protect against subpoenas in criminal investigations.[138] Extension beyond the civil and criminal justice context to legislative committees makes sense, in that these bodies have subpoena power,[139] and can force the revelation of confidential sources and subjects.

Hendel and Bard would allow assertion of the new privilege in all but the following circumstances:

• The government shows there is probable cause to believe that the [covered person] has information which is clearly relevant to a specific, probable, and imminent violation of law involving serious personal injury.
• He or she personally witnessed a crime involving serious personal injury.
• The material has actually been broadcast or published or otherwise publicly disseminated.
• The testimony is requested by a defendant charged with a felony and a judge determines that such testimony or records would have probative value in exculpating the defendant.
• The evidence is sought in a bona fide civil suit for libel or invasion of privacy against the [researcher] or his publisher.[140]

Furthermore, in all such cases, the authors would require that the party seeking disclosure of the information demonstrate that “…the information sought cannot effectively be obtained by alternative means less destructive of First Amendment rights.”[141] These provisions make the proposal less protective then some existing shield laws. For example, the Nebraska shield law has no exceptions,[142] but the proposal is similar to the North Carolina shield law in the exemptions that it lists.[143]

Although absolute protection for sources and subjects of academic studies might sound attractive, there are sound reasons why such a level of protection is problematic. First, privileges of all types interfere with one of the primary functions of the justice system, namely the search for truth,[144] which must be established for the courts to dispense justice under law. Some critics of broad evidentiary privileges point out the difficult position that a litigant can face if she cannot get access to evidence that could be very important to establishing her case.[145] Others argue that the lack of a reporter’s shield law does little to impede the flow of information from confidential sources to reporters,[146] and that such laws could have the effect of allowing confidential sources to use researchers and reporters to spread false information without being held accountable in court.[147]

For these reasons, the right balance must be struck between protection of sources, and the courts’ powers in discovery to bring the truth to light.[148] Hendel and Bard’s proposal was designed to strike a balance between these two imperatives,[149] and represents a middle ground between an absolute privilege for confidential sources (e.g. Nebraska’s shield law), and the case-by-case balancing approach advocated by some as an alternative to a shield law to protect researchers.[150]

Note particularly that the Hendel and Bard proposal gives the privilege to researchers, not to the subject that wishes to remain confidential.[151] Giving the privilege to the information gatherer is a common feature of reporter’s shield laws,[152] and stands in marked contrast to the attorney-client privilege, where the client holds the privilege.[153] There are practical reasons for this arrangement. First, researchers should be able to correct the record if sources make public statements that contradict information that was given in confidence to the researcher,[154] or if sources publicly attack the accuracy of researchers’ work.

The need to protect researchers by giving them the privilege weighs in favor of the deletion of two exceptions in the Hendel and Bard proposal: 1) the exception that allows a source who provided information to a researcher and who is facing a felony charge, to compel the researcher to provide exculpatory testimony, and 2) the exception that permits a researcher to be compelled to testify when the researcher has personally witnessed a crime involving serious personal injury. For reasons that will be discussed, these two exceptions have the potential to seriously undermine the benefits of the privilege that the proposal seeks to promote.

Hendel and Bard cite sensitivity to civil liberties as a reason for allowing researchers to be compelled to testify about confidential information provided by source when the source that provided the is facing a felony charge, and asks the researcher to provide exculpatory testimony;[155] however, the authors don’t consider the problems that this might cause for researchers. Some of the researchers who would need the privilege the most, particularly criminologists and sociologists studying individuals or groups that engage in criminal behavior would face the constant threat of becoming involved in criminal trials. Some researchers would certainly forgo studying certain subjects out of fear of becoming involved in a criminal case as a witness for the defense.

Similar reasons justify the deletion of the exception for situations in which researchers have witnessed a violent crime, given that some researchers would certainly forgo studying certain subjects if they thought it could result in having to testify about what they had seen. The extension of privilege to knowledge of another’s participation in a crime is well established in the law of evidence, such as in attorney-client privilege law.[156] Failure to extend the privilege to researchers in these situations could hamper the study of subjects who might regularly engage in violent activities, such as para-military groups or criminal gangs.

VI. Conclusion

This article has surveyed the condition of the privilege laws that enable researchers to protect the confidentiality of their subjects and sources and of their observations of them. It has also argued for the adoption of legislation that would extend this protection to researchers in the form of a law that would cover both researchers and reporters. Finally, the article has advanced the argument that efforts at reform should be aimed at legislatures as opposed to courts, given the latter’s reluctance to create new privileges.

Until most states modify their evidentiary privilege laws to include researchers, those who face having to reveal information about confidential sources should avail themselves of the protection of the laws of their jurisdiction, or take other steps to protect themselves from liability. For example, researchers should always fully inform their research subjects about the situations in which they will disclose, or might be forced to disclose, their identities and/or the information that the subjects have provided to the researcher. Reporters[157] and researchers[158] at most institutions are bound by ethical guidelines not to reveal the identity of sources who have been promised confidentiality subject to whatever conditions the parties agreed to without the permission of the source, and face civil liability for breach of contract if they violate a promise of confidentiality.[159]

A further precaution that can be taken to protect the identity of research subjects is to obscure the identity of the subjects in the data that is collected. Some of the measures that researchers have used to protect the identity of their subjects in this way include “…[the] immediate separation of identifiers from collected data; selective recording of information to reduce [the] potential for identifiability by inference; procedural controls, including rapid comingling of data to make linking responses to an individual more difficult; and technical controls like encryption to protect data in transit and storage.”[160] These techniques have the benefit of obscuring the identity of research subjects in the event that a researcher’s data are seized by the government[161] or by any unauthorized persons.

Still, adopting a shield law that covers researchers is a better option, given that the precautions listed above are not a substitute for laws that protect researchers from subpoenas and search warrants, and the legal problems these create. However, there are several reasons why it will be difficult to get any proposal to privilege researchers’ sources of information enacted in more jurisdictions. First, there does not appear to be any concerted lobbying effort by professional organizations that represent researchers in support of laws protecting a researcher’s privilege, although the American Sociological Association lent support to one of its members involved in a legal battle to keep his sources confidential.[162] This may be because the organizations, such as the American Association of University Professors, the Academy of Criminal Justice Sciences, and the America Public Health Association, prioritize changing policy in ways that are more closely related to the academic interests of their members,[163] or are focused on protecting academic freedom and tenure.[164] Second, researchers are a popular target for politicians, who frequently criticize them for laziness or irrelevance.[165] Until researchers make recognition of an evidentiary privilege for their confidential sources a priority, major changes will not happen.

 

 

 

[1] Margaretfuller.org http://www.margaretfuller.org/index.php?option=com_content&view=article&id=90:sermon-award-winner&catid=40&Itemid=82 (last visited December 30, 2014).

[2] See generally, Ralph F. Fuchs, Academic Freedom. Its Basic Philosophy, Function, and History. 28 Law and Contemp. Probs. 431 (1963).(discussing the history of protection of academic freedom in the academy).

[3] See generally id., and Stacey E. Smith, Note, Who Owns Academic Freedom?: The Standard for Academic Free Speech at Public Universities, 59 Wash & Lee L. Rev. 299 (2002).

[4] E.g., Evan R. Goldstein, Torture and Tenure at Berkeley, Chron. of Higher Ed., May 9, 2008, at 5.; Marianne M. Jennings & Stephen K. Happel, Op.-Ed., Don’t Eliminate Tenure Just to Trim Deadwood, Christian Sci. Monitor, Feb. 22, 1996, at 18; Aaron Petkov, Detroit’s Wayne State University Looks to Destroy Tenure, Labornotes (August 15, 2012), http://www.labornotes.org/2012/08/detroit%E2%80%99s-wayne-state-university-looks-destroy-tenure.

[5] See e.g., Hope Yen, Proposed Media Shield Law Offers Modest Shelter, Buffalo L. J., Mar. 20, 2008, p.18-22; SPJ Board Votes to Create Endowed Legal Defense Fund for Journalists, States News Service, Sept. 4, 2014.

[6] See e.g., Editorial, An Internet-Era Shield Law, L.A. Times, Dec. 31, 2009, p.28.; David B. Rivkin Jr., & Lee A. Casey, Reporters Need a Federal Shield Law, Wall St. J., Apr. 22, 2013, p. A15; Margaret Sullivan, A Blow for the Press, and for Democracy, N.Y. Times, Jul. 28, 2013, p.12; Editorial, Shielding Journalists, Wash. Post, Sept. 23, 2013, p.A14.

[7] Id.

[8] See e.g., Marvin E. Wolfgang, Confidentiality in Criminological Research and Other Ethical Issues, 72 J. Crim. L. & Criminology 345,350 (1981); Josine Junger-Tas & Ineke Haen Marshall, The Self-Report Methodology in Crime Research, 25 Crime and Just. 291, 349 (1999); Paul J. Draus, et. al., Cracking the Cornfields: Recruiting Illicit Stimulant Drug Users in Rural Ohio. 46 Sociological Q. 165, 196 (2005).

[9] See United States v. Moloney (In re Price), 685 F.3d 1, 16 (1st Cir. 2012).

[10] Ronald Bayer et. al., Guidelines for Confidentiality in Research on AIDS, 6 IRB: Ethics and Human Res. at. 1 (1984);   Christine Khosropour & Patrick S. Sullivan, Risk of Disclosure of Participating in an Internet-Based HIV Behavior Risk Study of Men Who Have Sex with Men, 37 J. of Med. Ethics 768 (2011); Ross A. Thompson, Vulnerability in Research: A Developmental Perspective on Research Risk, 61 Child Development 1, 2 (1990)

[11] See e.g., Richard J. Lundman & James C. Fox, Maintaining Research Access in Police Organizations, 16 Criminology 87, 92, 94 (1978).

[12] Rik Scarce, Researcherly Ethics and Courtroom Antics: Where Researchers Stand in the Eyes of the Law, 26 Am. Sociologist 87, 90-91, 95 (1995).

[13] Id. at 89-90.

[14] E.g. Kathleen Bond et. al., Confidentiality and the Protection of Human Subjects in Social Science Research: A Report on Recent Developments [with Comments and Rejoinders], 13 Am. Sociologist 144, 146-47 (1978); Robert H. McLaughlin, From the Field to the Courthouse: Should Social Science Research be Privileged?, 24 Law & Soc. Inquiry 927, (1999); Development in the Law- Privileged Communication in the Law: VI. Institutional Privileges, 98 Harv. L. Rev. 1592, 1610 (1985); Kathryn L. Steffen, Comment, Learning from our Mistakes: The Belfast Project Litigation and the Need for the Supreme Court to Recognize and academic Privilege in the United States, 3 Penn. St. J. of L. & Int’l. Aff. 324,326 (2014);

[15] Samuel Hendel & Robert Bard, Should there be a Researcher’s Privilege?, 59 AAUP Bull. 398 (1973)

[16] 408 U.S. 665 (1972).

[17] Id. at 668.

[18] See Garrett Albert Duncan, Black Panther Party, Encyclopaedia Brittanica, http://www.britannica.com/topic/Black-Panther-Party (last visited Jul. 7, 2015)

[19] Branzburg at 672-80.

[20] Id. at 679-81.

[21] Id. at 697.

[22] Id. at 707.

[23] Id.

[24] Id. at 700.

[25] See infra p.20-22.

[26] 31 Conn. L. Rev. 771 (1999).

[27] Id. at 782.

[28] Infra, p.20-22.

[29] Supra note 22.

[30] 339 F.3d 530 (7^th Cir. 2003).

[31] Id. at 532.

[32] Branzburg v. Hays, 408 U.S. 665, 709-10 (1972).

[33] McKeivitt at 531-32.

[34] Id. at 532. See e.g. In re Grand Jury Proceedings, 5 F.3d 397, 402-03 (9th Cir. 1993).

[35] Id.

[36] E.g., Titan Sports, Inc. v. Turner Broad. Sys., 151 F.3d 125, 128 (3^rd Cir. 1998).

[37] E.g., United States v. Smith, 135 F.3d 963, 968-69 (5^th Cir. 1998).

[38] E.g., Shoen v. Shoen, 5 F.3d 1289. 1292 (9^th Cir. 1993).

[39] 811 F.2d 136 (2nd Cir. 1987)

[40] Von Bulow Stepchildren Sue Him for $56 Million, N.Y. Times, July 20, 1985, http://www.nytimes.com/1985/07/20/us/von-bulow-stepchildren-sue-him-for-56-million.html

[41] Von Bulow v. Von Bulow, 652 F. Supp. 823, 824 (S.D.N.Y 1986).

[42] Von Bulow v. Von Bulow, 811 F.2d at 138.

[43] Id. at 146-47.

[44] Id. at 144.

[45] See e.g., Cusumano v. Microsoft Corp., 162 F.3d 708, 715 (1st Cir. 1998) (applying the privilege to an academic researcher).

[46] See e.g., Titan Sports, Inc. v. Turner Broad. Sys., 151 F.3d 125, 131 (3^rd Cir. 1998) (adopting the broad definition of a journalist used in von Bulow).

[47] See e.g., Shoen v. Shoen, 5 F.3d 1289, 1293 (9^th Cir. 1993) (applying the privilege to a book author in a civil case); but see, In re Grand Jury Proceedings, 5 F.3d 397, 399-400 (9th Cir. 1993) (refusing to apply the privilege to an academic researcher in a grand jury proceeding).

[48] See e.g., Silkwood v. Kerr-McGee Corp., 563 F.2d 433, 438 (10th Cir. 1977) (applying the privilege to a filmmaker).

[49] Branzburg v. Hays, 408 U.S. 665, 707 (1972).

[50] See Titan Sports, Inc., 151. F.3d at 128-30; Cusumano, 162 F.3d at 714; Shoen, 5 F.3d at 1293; Von Bulow, 811 F.2d at 144; Silkwood, 563 F.2d at 436.

[51] See Titan Sports, Inc., 151. F.3d at 128; Cusumano, 162 F.3d at 714; Shoen, 5 F.3d at 1292; Von Bulow, 811 F.2d at 142; Silkwood, 563 F.2d at 437.

[52] See e.g. notes 45-48.

[53] Id. at 685-86.

[54] Id. at 689 n.27.

[55] See e.g., Morgan v. State, 337 So. 2d 951, 953 (Fla. 1976); State v. St. Peter, 315 A.2d 254,255-56 (Vt. 1974); Brown v. Commonwealth, 204 S.E.2d 429, 431 (Va. 1974);

[56] E.g., Associated Press, Shield Law Balances Free Press, Fair Trial, May 7, 2009, available at 2009 WLNR 30344154.

[57] E.g., Jennifer Byrd, Reporter Shield Law Heads to WA Governor, Associated Press, Apr. 17 2007; Dee Hall, Wisconsin Shield Law Is Promising Step Forward, Green Bay Press-Gazette, May 7, 2010, at A10.

[58] See Henny Wallis, Reporter’s Shield Law Passes First Test, Eugene Register-Guard, Feb. 20, 1973, at 1A.

[59] This information was gathered by the author through a survey of state statutes, court rules and applicable precedents. Note that state appellate courts have based their rulings protecting journalists’ sources on both state and federal constitutional provisions.

[60] For the purposes of this study, the District of Columbia is considered a state.

[61] Hendel and Bard, supra note 15 at 399.

[62] See e.g., Audra Wolfe, Doing Scholarship from Outside Academe, Vitae, Dec. 4, 2014, https://chroniclevitae.com/news/824-doing-researchership-from-outside-academe, (last visited Jul. 21 2015).

[63] Alaska Stat. §§9.25.300-390 (2014).

[64] Cal. Evid. Code § 1040 (West 2015) (arguably giving academic researchers at public educational institutions a privilege against divulging confidential information related to researchership).

[65] Del. Code Ann. tit. 10 §4320 (2015).

[66] Ga. Code Ann. §24-5-508 (2015).

[67] 735 ILL. Comp. Stat. Ann. 5/8-902 (2015).

 

[68] La. Rev. Stat. Ann. §§ 45:1451-1459 (2015); See also Louisiana v. Fontanille, 1994 La. App. LEXIS 191, *3 (La. App. 5th Cir. 1994).

[69] Me. Rev. Stat. tit. 16 § 61 (2015).

[70] See Sinnott v. Boston Retirement Bd., 524 N.E.2d 100, 103-04 (Mass. 1988).

[71] Mich. Comp. Laws §§ 767.5a.,767A.6(6) (2015); See also In re Photo Marketing Assoc. Int’l., 327 N.W. 2d 515, 517-18 (Mich. Ct. App. 1982).

[72] Minn. Stat. § 595.023 (2015).

[73] See State ex. Rel. Classic III v. Ely, 954 S.W.2d 650, 655-56 (Mo. Ct. App. 1997).

[74] Neb. Rev. Stat. §§20-144-147 (LexisNexis 2015).

[75] See Mortgage Specialists v. Implode-Explode Heavy Indus., 999 A.2d 184, 189 (2010).

[76] N.C. Gen. Stat. § 8-53.11 (2015).

[77] S.C. Code Ann. § 19-11-100.

[78] Tenn. Code Ann. § 24-1-208 (2015).

[79] Tex. Civ. Prac. & Rem. Code § 22.021 (West 2015)

[80] Utah R. Evid. Rule 509.

[81] W. Va. Code § 57-3-10 (LexisNexis 2015).

[82] Ga. Code Ann. §24-5-508 (2015).

[83] Ky. Rev. Stat. Ann. § 421.100 (LexisNexis 2015).

[84] Mich. Comp. Laws Serv.§§ 767.5a.,767A.6(6) (LexisNexis 2015).

[85] N.C. Gen. Stat. § 8-53.11.

[86] See Neb. Rev. Stat. §20-146.

[87] See e.g., N.C. Gen. Stat. § 8-53.11(c)-(d).

[88] See e.g., NEB. REV. STAT. §20-146.

[89] 42 U.S.C.S. §241(d) (LexisNexis 2015).

[90] 21 U.S.C.S. § 872(c) (LexisNexis 2015).

[91] See 42 U.S.C.S. §3789g(a) (LexisNexis 2015).

[92] Cal. Health & Safety Code § 11603 (Deering 2015).

[93] N.H. Rev. Stat. Ann.§ 126-A: 11 (LexisNexis 2015)

[94] Minn. Stat. § 144.053 (2015).

[95] Mich. Comp. Laws Serv. §§ 333.2631 – 2632 (LexisNexis 2015).

[96] Fed. R. Civ. P. 26(b)(2)(B),(b)(2)(C).

[97] 115 F.R.D. 211 (D. AZ. 1987).

[98] Id. at 213.

[99] Id. at 215. See also, Morriss v. BNSF Ry. Co., 2014 U.S. Dist. LEXIS 3757 at *6-7, 17 (D.NE. 2014).

[100] Fed. R. Civ. P. 26(c)(1).

[101] Id.

[102] 249 F.R.D. 8 (D.Mass. 2008)

[103] See id. at 13-15.

[104] See Martin J. McMahon, Academic Peer-Review Privilege in Federal Court, 85 A.L.R. Fed. 691.

[105] F.R.C.P. 45(d)(3)(b)(ii).

[106] See F.R.C.P. 45 advisory committee’s note.

[107] E.g.,Fla. R. Civ. P. 1.280.(c) (FL); I.R.C.P. 45(d)(1) (ID); Mass.R.Civ.P. 26(c) (MA)

[108] F.R.E. 501.

[109] See 2 Christopher B. Mueller & Laird C. Kirkpatrick, Federal Evidence 384-961 (4^th ed. 2013)(discussing the evidentiary privileges that have been recognized in federal court).

[110] 547 F. Supp. 871, 875 (E.D. Mich. 1982).

[111] 750 F.2d 223, 224 (2nd Cir., 1984).

[112] Id. at 225-26.

[113] Id. at 225.

[114] See F.R.E. 501 case note 75.

[115] Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Iowa, Kansas, Maryland, Massachusetts, Michigan Minnesota, Missouri, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Virginia, Washington, West Virginia.

[116] E.g., Del. Code Ann. tit. 10 §4320.

[117] E.g., Utah R. Evid. Rule 509.

[118] E.g., State ex. Rel. Classic III v. Ely, 954 S.W.2d 650 (Mo. Ct. App. 1997).

[119] See Mueller & Kirkpatrick, supra note 109, at 765.

[120] See Jaffee v. Redmond, 518 U.S. 1, 7 (1996).

[121] United States v. Bryan, 339 U.S. 323, 331 (1950) (quoting Wigmore, Evidence (3d ed.) § 2192).

[122] See Branzburg v. Hayes, 408 U.S. 665, 688 (1972) .

[123] Miller, supra note 26 at 775.

[124] Id. at 780.

[125] See e.g., Mueller & Kirkpatrick, supra note 109 at 430-31.

[126] See supra notes 39 -48 and accompanying text.

[127] See e.g., von Bulow v. von Bulow, 811 F.2d 136, 142 (2nd Cir. 1987)(noting that Branzburg established that newsgathering enjoyed some First Amendment protection).

[128] See Development in the Law – Privileged Communication: I. Introduction: The Development of Evidentiary Privileges in American Law (p.1), 98 Harv. L. Rev. 1450, 1455-63 (1985).

[129] But see Miller, supra note 26, at 801 (arguing for greater involvement by the courts in the development of privilege law).

[130] See e.g., supra note 83 and accompanying text.

[131] See e.g., Minn. Stat. §595.023.

[132] Hendel & Bard, supra note 15, at 399.

[133]See e.g., Colo. Rev. Stat. §13-90-119(2) protects “…news information received, observed, procured, processed, prepared, written, or edited by a newsperson, while acting in the capacity of a newsperson.”

[134] See e.g., Colo. Rev. Stat. §13-90-119(1)(b); In re Paul, 513 S.E.2d. 219, 223 (Ga. 1999) noting that “…statutory language [of Georgia’s reporter’s shield law] does not distinguish between the source’s identity and information received from that source or between non-confidential and confidential information.”

[135] See e.g., Kurzynski v. Spaeth, 538 N.W.2d 554, 599 (Wi. 1995) (holding that a reporter’s right to keep information confidential does not depend on whether a promise of confidentiality was made to the source of the information).

[136] Hendel & Bard, supra note 15, at 399.

[137] See supra note 86 and accompanying text.

[138] See supra note 84 and accompanying text.

[139] Frank Arey, Legislative Subpoenas, 1, http://www.ncsl.org/documents/lsss/legislative_subpoenas.pdf (last visited Jul. 17, 2015).

[140] Hendel & Bard, supra note 15, at 399.

[141] Id.

[142] E.g.,Neb. Rev. Stat. §20-146.

[143] See N.C. Gen. Stat. § 8-53.11.

[144] See David A. Kaplan & Brian M. Cogan, The Case Against Recognition of a General Academic Privilege, 60 U. Det. J. Urb. L. 205, 216 (1983) (quoting In re Dinnan, 661 F.2d 426, 430 (5th Cir. 1981))

[145] See id. at 207-08. See also Mueller & Kirkpatrick, supra note 109, at 413-14.

[146] See John D. Castiglione, A Structuralist Critique of the Journalist’s Privilege, 23 J. L. & Pol. 115, 140 (2007).

[147] Cf. id. at 132-34.

[148] See generally Mueller & Kirkpatrick, supra note 109, at 409-14. (discussing the concepts underlying evidentiary privileges, and how privileges are balanced with the need for fact-finding).

[149] See Hendel & Bard, supra note 15, at 400.

[150] See Kaplan & Cogan, supra note 144, at 224, 235-37.

[151] See Hendel & Bard, supra note 15, at 399.

[152] See e.g., supra notes 63-69, 71-72, 74, 76-79.

[153] Mueller & Kirkpatrick, supra note 109, at 654.

[154] See Richard Sauber, When Can Reporters Reveal Sources?, Wash. Post, Apr. 10, 2006 at A17, suggesting that reporters have the right to reveal the identity of a source if the person publicly denies being a source in some situations.

[155] Hendel & Bard, supra note 15, at 400.

[156] See Mueller & Kirkpatrick, supra note 109, at 614.

[157] See e.g., Society of Professional Journalists, Anonymous Sources, http://www.spj.org/ethics-papers-anonymity.asp, (last visited Jul. 22, 2015)

[158] See e.g., Stanford University Human Research Protection Program Policy Manual, ch. 11, http://humansubjects.stanford.edu/hrpp/Chapter11.html (last visited Jul. 19, 2015).

[159] Cf. Cohen v. Cowels Media Co., 501 U.S. 663, 670 (1991).

[160] Brian Jackson et. al., Human Subjects Protection and Research on Terrorism and Conflict, 340 Science 434 (2013).

[161] Data from researchers might be admissible in court depending on its content and intended use. The seizure of such data is a possibility in states where the shield law only protects researchers from being compelled to divulge confidential information, as opposed to those that protect researchers from being compelled to testify and protect their data from compelled disclosure. Compare N.C. Gen. Stat. § 8-53.119(b) (protecting a journalist’s materials from disclosure) with Ky. Rev. Stat. Ann. § 421.100 (offering no protection to a journalist’s materials).

[162] Facing jail, a sociologist raises questions about a researcher’s right to protect sources, Chron. Higher Educ., Apr. 7, 1993, at A10.

[163] See e.g., American Public Health Association, Policy Statements, https://www.apha.org/policies-and-advocacy/public-health-policy-statements (last visited Jul. 21, 2015).

[164] See e.g., American Association of University Professors, About, http://www.aaup.org/about/mission-1 (last visited Jul. 21, 2015).

[165] See e.g., Karen Hertzog, Educators frustrated by Walker’s comments about Faculty Work, Milwaukee J.-Sentinel, Jan. 30^th 2015, 2015 WLNR 2941493. (discussing Wisconsin Gov. Scott Walker’s comment that University of Wisconsin faculty did not work hard enough); Kevin Kiley, Another Liberal Arts Critic, Inside Higher Ed., Jan. 30^th 2013, https://www.insidehighered.com/news/2013/01/30/north-carolina-governor-joins-chorus-republicans-critical-liberal-arts (last visited Jul. 21, 2015); Tyler Kingkade, Pat McCrory Lashes Out Against ‘Educational Elite’ And Liberal Arts College Courses, Huffington Post, Feb. 2^nd, 2013, http://www.huffingtonpost.com/2013/02/03/pat-mccrory-college_n_2600579.html (last visited Jul. 21, 2015).

The Risks and Liability of Governing Board Members to Address Cyber Security Risks in Higher Education – OLD

01.27.2017  |  Comments Off on The Risks and Liability of Governing Board Members to Address Cyber Security Risks in Higher Education – OLD

By Luis J. Diaz, Maria C. Anderson, John T. Wolak and David Opderbeck[1]*

 

Abstract

Cloud computing can be a highly effective means of avoiding information technology costs and are an attractive option to higher education institutions. Cloud computing also creates an incremental potential risk for data breaches and the accompanying privacy concerns that arise when personally identifiable information is stored on third party servers accessible over the internet. Officers and board members of an institution considering a move to the cloud are well-advised to engage in robust diligence and be adequately informed of the benefits and risks of migrating substantial amounts of sensitive data to the cloud. This article provides timely information to higher education institutions to assist the understanding of the nature of cybersecurity risks and preparedness, and how those risks may be mitigated so that the fiduciary duties owed by institutional officers and board members are properly discharged.

 

 

Volume 43:1 The Risks and Liability of Governing Board Members to Address Cyber Security Risks in Higher Education

I. Introduction

Technological innovation now makes it possible to conduct business at the speed of thought. The resulting mass of data resulting from the “internet of things”[2] is stored on remotely-connected servers located throughout the world. While the benefits of this innovation revolution undoubtedly benefit society, business, and institutions of higher education, it also creates incremental risks in the form of data breach disasters when personally identifiable information (PII) and other sensitive information about customers, employees, and business partners is inadvertently disclosed.

Today, the news is filled with horror stories of such data breach disasters at some of the world’s leading organizations. It seems that no one is immune from a data breach. In the aftermath of such an event, stock prices can plummet, public opinion shifts, and officers and directors can be terminated for failure to exercise best judgment in monitoring and mitigating those risks. The recent breaches at Target Corp.[3] and Parsippany, New Jersey-based Wyndham Worldwide Corp.[4] exemplify the tsunami of litigation that is likely to result when a major breach occurs. But, this is just the beginning as the duty of officers and directors relating to these global economy realities is just beginning to evolve. With the changing standards now emerging in the case law, it is reasonably foreseeable that there will be many more data breach related lawsuits in the future. As evidence of this fact, the Securities and Exchange Commission issued guidance in 2011 that it deems technology and privacy breaches as potentially material. SEC Chairwoman Mary Jo White has said that cyber threats are “of extraordinary and long-term seriousness. They are first on the (SEC’s) division of (market) intelligence’s list of global threats, even surpassing terrorism.”[5]

In light of these new world realities, officers and directors at all types of organizations, including colleges and universities, would be well advised to ensure that their organizations engage in a thoughtful process to implement adequate physical, electronic, and other security measures to prevent, manage, and respond to data breaches. The failure to do so can result in what happened at Target, where seven of ten directors were unseated because they failed to adequately manage cyber risks. Aside from the risk of breach-related litigation, it is also reasonably foreseeable that both federal and state regulators will become increasingly more aggressive in terms of regulatory compliance, fines, and monitoring activities.

Higher education institutions and their officers and directors are not exempt from these obligations. Many state laws impose a fiduciary duty upon boards of governors or trustees and administrators of public and private universities that require engaging in a robust due diligence process to ensure that cyber risks are properly identified and managed. This article seeks to provide some practical guidance concerning the federal and state laws applicable to higher education, and how officers and directors at these institutions can implement adequate policies, procedures, and practices to mitigate cyber risks and threats relating to potential data breaches.

II. Director and Officer Fiduciary Duties in the Face of Cyber Security Issues

Public awareness of director and officer liability for cyber attacks was elevated after a breach of consumer records at Target.[6] In reliance upon case law recognizing a board’s obligation to oversee corporate risk post-Target, commentators suggested that liability for failure to monitor cyber-risk could be imputed to individual board members who were not discharging their fiduciary obligations by either: (a) “utterly” failing to implement “any reporting or information system or controls”; or (b) if such reporting or information systems were in place, consciously failing to monitor or oversee them so that board members were “disabled from being informed of risks or problems requiring their attention.”[7] Therefore, University officials should be mindful of the legal risks posed to the members of their governing boards by ensuring they take an active role in the assessment of risk associated with information security systems selected for implementation and are regularly updated through reporting systems.[8]

In the United States, there are a multitude of sources that may impose liability upon board members for lapses in judgment related to cyber security. These sources may be found in federal laws – such as the Fair Credit Reporting Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Right to Privacy Act (FERPA), and the Federal Information Security Management Act (FISMA) – or state and common laws. Potential plaintiffs include the Federal Trade Commission, the U.S. Securities and Exchange Commission, the Department of Justice, state attorneys general, and the individuals or companies whose data has been breached.[9] Higher education is particularly vulnerable to data breaches because, as the U.S. Department of Education has noted, “[c]omputer systems at colleges and universities [are] favored targets because they hold many of the same records as banks but are much easier to access.”[10]

In a survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators found that, while full boards have been increasingly engaged in risk discussions, “conflicting answers on the amount and quality of information boards receive on risk raised questions about the value of that information.”[11] While 60 percent of respondents to that survey reported that the information boards received – particularly in connection with financial risks – was adequate, only 39 percent strongly agreed that enough information was shared to fulfill their legal and fiduciary duties.”[12] Accordingly, because the failure of a board to actively address cyber risk management and information security risks can impose liability upon individuals,[13] members of governing boards must be provided adequate information in order to discharge their fiduciary duties.[14]

Although the Sarbanes-Oxley Act has limited application to higher education, it has raised expectations of accountability in governance, regardless of whether a governing board manages a corporation or not-for-profit institution.[15] Members of not-for-profit governing boards who fail to meet the expectations of this Act may find themselves subject to removal or may not be indemnified in the event of suit by affected students, alumni, or employees.[16] Board members of not-for-profit institutions, whether public or private universities, may be subject to director and officer liability suits for failing to discharge their duties by broader classes of plaintiffs that may include other board members, donors, employees, students, vendors, contractors, other not-for-profit entities working in collaboration with the institution, and/or government agencies with regulatory authority over the institution.[17] While suits based upon such causes of action have thus far largely settled or been dismissed based upon failure to demonstrate causation or damages related to identity theft, suits continue to be filed, and the technological capacity to identify the use of such information continues to develop and requires constant monitoring to evaluate its evidentiary potential in damage claims.[18]

Governing boards of higher education institutions are commonly referred to as “the guardians” of the university and, as such, owe fiduciary duties of care and loyalty similar to their counterparts at for-profit corporations.[19] The degree of their fiduciary obligations vary, depending upon the institution’s bylaws. However, as a general rule, board members must promote the institution’s best interest, disclose to fellow board members any material information that may not be readily known, and exercise good faith duties of care and loyalty toward the institution.[20]

A. The Duty of Care

The duty of care relates to the governing board member’s competence in performing his/her functions and requires the use of care that an ordinarily prudent person would exercise in a like position under similar circumstances.[21] The duty of care also requires the board member to exercise his or her responsibilities and decision-making in good faith and with due diligence.[22] The duty of care does not allow a board member to fail to supervise the organization or, even when acting in good faith, neglect to make informed decisions.[23] Finally, the duty of care requires that board members are well-equipped with information that is required in order to make informed decisions.[24] A recent survey found that only 12 percent of board members frequently receive briefings and reports on cyber-threats.[25] If a board member is not regularly informed as to the institution’s cyber security policies, procedures, and risks, he or she may not effectively oversee or approve institutional initiatives that may result in a breach of the duty of care.[26]

B. The Duty of Loyalty

The duty of loyalty requires a member of a governing board for a higher education institution to act in what he or she reasonably believes to be in the best interests of the organization, in light of its stated purposes.[27] This requires the trustee to affirmatively protect the interests of the organization and to refrain from doing anything that would be injurious to the organization.[28] The duty of loyalty requires the board member to place the interests of the institution above his or her own, and is largely concerned with addressing direct or indirect conflicts of interest between the board member and the organization.[29] As with the duty of care, the vast majority of state laws provide that board members of a not-for-profit are subject to a duty of loyalty, just as board members of a for-profit corporation are.[30]

III .Summary of Legal Obligations to Facilitate A Board’s Duty of Care and Loyalty

 

A. The Applicability of FERPA, HIPAA, and FISMA to Higher Education

Higher educational institutions must comply with FERPA,[31] FISMA,[32] and, if applicable, HIPAA,[33] in order to regulate the security of their student records or other data.[34] FERPA sets the standard for student privacy, and federal funding may be withheld from any institution with a policy or practice of disclosing student information without authorization.[35] Because FERPA ensures that the privacy of student educational records[36] is protected by regulating to whom and under what circumstances such records may be disclosed, its provisions have important application when those records are shared with cloud software services providers.[37]

Directory information may be made public after an institution gives notice of the categories of directory information to all students and provides students an opportunity elect to keep such information private.[38] Non-directory information is all other information related to a student and maintained by a higher education institution, including, without limitation, social security numbers or student identification numbers.[39] The disclosure of non-directory information or PII to a third party is only permitted if it qualifies as one of FERPA’s defined exceptions.[40] Faculty, staff, and other officials of the institution may access non-directory information under FERPA if they have a legitimate academic interest to do so.[41] The school official exception applies to third party cloud providers who are given access to student education records regulated by FERPA[42] so long as they agree: (1) to not redisclose the information without the student’s prior consent,[43] and (2) to use the information only “for the purposes for which the disclosure was made.”[44]

Higher education institutions providing academic programs that include the operation of medical hospitals or other treatment centers and submit claims for reimbursement of medical expenses to third parties are generally subject to HIPAA.[45] HIPAA requires a receiving party to maintain the confidentiality of protected health information (PHI) that includes individually identifiable health information[46] transmitted by, or maintained in, electronic, paper, or any other medium.[47] The HIPAA Privacy Rule requires that a covered entity maintain reasonable and appropriate administrative, technical, and physical safeguards to protect PHI privacy.[48] The Privacy Rule also requires covered entities to enter into business associate agreements with third party vendors who create, receive, maintain, or transmit PHI on their behalf.[49] Under the Privacy Rule, covered entities may only use or disclose PHI without patient authorization for treatment, payment, or health care operations.[50] For other purposes, a covered entity must obtain patient authorization prior to using or disclosing PHI, albeit subject to certain exceptions.[51]

In addition, and pursuant to HIPAA, a national security standard for the protection of individually identifiable health information was established (“Security Rule”).[52] The Security Rule regulates electronic PHI (ePHI) and requires any entity subject to it to adopt policies and measures to ensure the confidentiality, integrity, and availability of any ePHI created, received, maintained, or transmitted.[53] As with FERPA, covered entities must also enter into written agreements with third parties who create, receive, maintain, or transmit ePHI on their behalf that are consistent with the obligations under the Security Rule.[54] Consequently, if a higher education institution is subject to HIPPA and intends to use cloud computing to manage its ePHI, the written agreement with the third party vendor must be drafted to protect the institution from liability from improper disclosures.

Notably, the Security Rule anticipates that covered entities will be permitted some “flexibility” in their approach to implement security protocols.[55] As part of that flexible approach, covered entities are required to consider the following factors: (1) the size, complexity, and capabilities of the covered entity or business associate, (2) the covered entity’s or business associate’s technical infrastructure, hardware, and software security capabilities, (3) the costs of security measures, and (4) the probability and criticality of potential risks to electronic protected health information.[56] Penalties for violations of HIPAA can be severe and may include criminal charges as well as significant civil penalties.[57]

B. State Laws and Data Security

In the United States, there is no comprehensive, uniform set of laws in either the federal or state systems to regulate data privacy and the collection, use, and disposal of personal information.[58] There are, however, hundreds of privacy and data security laws that govern the collection and use of personal information, all with varying obligations and degrees of scope.[59] States have individual data privacy and security laws directed toward the protection of student or employee PII.[60] For example, many states have adopted laws that govern the collection, use, and disclosure of Social Security numbers, and other states such as California, New Jersey, and New York have enacted laws requiring the proper disposal of records that contain personal information.[61] Additionally, some state laws are more stringent than the protections afforded by HIPAA and are not preempted by federal regulation, so long as the state’s laws are not inconsistent with the federal regulatory scheme.[62]

C. Cyber Security Compliance in Higher Education

Congress has debated comprehensive cyber security legislation since at least 2009.[63] Earlier proposals would have included a mandatory federal framework for cyber security compliance.[64] Later proposals have stressed voluntary public-private partnerships with liability protections and other incentives for compliance.[65] Comprehensive reform, however, has stalled in Congress for a variety of political and practical reasons.[66]

In February 2013, frustrated with Congress’ inability to pass comprehensive cyber security reform, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”[67] This Order directed the National Institute of Standards and Technology (NIST) to develop a framework for cyber security compliance by owners and operators of critical infrastructure, although the Order does not impose any specific legal obligations on non-governmental entities.[68] NIST released its framework in February 2014, and it has become recognized as a “gold standard” in cyber security compliance.[69]

The NIST standards are arranged around what NIST calls the “Framework Core.”[70] The Framework Core identifies high-level cyber security functions, divides those functions into categories of outcomes, and relates the categories of outcomes to specific subcategories and informative resources:[71]

As the graphic from the NIST Framework illustrates, the core functions are “Identify,” “Protect,” “Detect,” “Respond,” and “Recover.”[72] If these core functions seem obvious, that is because they are in a sense obvious. The NIST Framework does not break any new ground concerning the basic requirements to prepare for and respond to cyber attacks. Rather, the Framework seeks to require organizations to think systematically and carefully about cyber risk. Surprisingly, even large organizations with significant information technology assets and professional IT staff often fail to engage in this kind of deliberate risk identification and planning.

The “Identify” function requires the organization to take an inventory of all of its “systems, assets, data and capabilities.”[73] The “Protect” function requires the organization to proactively develop safeguards to keep critical infrastructure services online in the event of a cyber emergency.[74] The “Detect” function requires the organization to implement procedures and technologies to identify adverse cyber security events,[75] including continuous, around-the-clock monitoring of security status and robust processes for detecting intrusions.[76] The “Respond” function focuses on containing the impact of adverse events;[77] this function recognizes that adverse cyber security events are inevitable despite robust protection and detection mechanisms, and the risk of such events cannot entirely be eliminated but often can be contained. The category responses under this function are among those most frequently overlooked in cyber security risk management. Finally, the “Recover” function requires plans to restore information capabilities lost during an attack. The category responses under this function should include restoration plans with definite timelines as well as plans to learn from the event and make improvements in the protect, detect, and respond functions.[78]

The NIST Framework includes a tier structure that enables an organization to assess its current state of compliance and to move towards higher levels of compliance.[79] A vital measure of which tier an organization has reached involves the formal approval and adoption at a policy level of organization-wide cyber security risk management practices. This means that cyber security should become elevated to a top institutional priority that entails functions across all business units from the executive level down. Cyber security is no longer an afterthought for only a few information technology functions. The following graphic from the NIST Framework illustrations this dynamic:[80]

Again, there is nothing particularly novel in this structure, but it illustrates that cyber security must become an executive level issue that receives constant attention and, importantly, budgeting.

Appendix A to the NIST Framework includes a coded tool that can be used to conduct a cyber security compliance assessment[81] in a methodical, standardized fashion, providing codes for specific subcategory designators and identifying specific published standards relating to each subcategory.[82] For example, here are the cells for the first function, category, and subcategory:[83]

Obviously, with 14 pages of such detailed mappings within Appendix A to the NIST Framework (pages 20 to 34), the work involved in becoming compliant can seem impossibly daunting.[84] Moreover, some of the standards referenced in the NIST framework may not map directly onto the unique circumstances of higher education institutions. For these reasons, some universities and university trade organizations have adopted or proposed simplified models that focus on particular standards.

For example, the Higher Education Information Security Council (HEISC) has published an Information Security Guide keyed to the ISO/IEC 27002:2013 standard, which is one of the standards referenced in the NIST Guidelines.[85] The HEISC Guide incorporates 15 compliance domains, ranging from cryptography to supplier relationships.[86] As another example, the University of Ohio Information Risk Management Program condenses the NIST Framework into 30 risk areas within seven business functions, and condenses the text into eight pages.[87] The business functions identified in the University of Ohio policy include management, legal, purchasing, human resources, facilities, and information technology.[88]

Other universities, colleges, and higher education providers similarly may benefit from information security planning that customizes the NIST Framework for application within their specific circumstances. Although cyber security compliance policies can become complex at the granular level of application, they all include some basic over-arching themes, including the following:

• Cyber security compliance involves more than adherence to a specific legal requirement. It includes multiple legal requirements as well as contractual obligations and institutional risk management practices.

• Cyber security compliance is an ongoing process, not a one-time project.
• Cyber security compliance involves both technological measures and human resource management measures.
• The risks of a cyber security incident cannot be entirely eliminated. Cyber security compliance therefore involves procedures to identify and remediate incidents as well as procedures aimed at preventing incidents.
• Cyber security compliance is an executive-level concern that requires coordination across every significant operational unit in the organization.[89]

These general principles are as true for higher education institutions as they are for any other kind of enterprise. Indeed, the wide variety of sensitive data handled by higher education institutions, including sources as diverse as confidential and trade secret technological research and student health information, together with the diffuse nature of governance in many university systems, suggests that such institutions must make particular efforts to develop comprehensive, meaningful cyber security compliance programs.

Finally, in addition to these overarching compliance themes, public attention recently has focused on legislation that would facilitate information sharing about security risks between the public and private sectors. The Cyber Information Sharing Act (CISA) was signed into law by the President on December 18, 2015 as part of the omnibus spending bill.[90] The CISA allows private entities to share cyber threat information with the federal government without incurring liability under other laws – such as, for example, FERPA and HIPAA – that require certain information to be kept confidential.[91] The new law apparently would include colleges and universities, as well as their officers, employees, and agents.[92] Information sharing proposals have been very controversial with cyber civil liberties advocates.[93] Now that the CISA has been signed into law, colleges and universities will need to think carefully about procedures for logging potential threat information and for whether and when an employee or officer should report such information to the federal government.

However, the recent onslaught of cyber security cases does not require board members to become experts in cyber security risk. In looking to the Wyndham, supra, case for guidance, there are several actions that the board can proactively take in advance of a cyber security event, which include making data privacy and data security regular topics of discussion at board meetings; providing that a specific committee has primary oversight on data security and ensures that data protection measures are discussed regularly at committee meetings; periodically retaining third-party consultants to assess the institution’s cyber security practices and remediating any deficient areas; and establishing a cross-functional incident response team that has primary responsibility for investigating and responding to a cyber security breach.[94]

IV. Risk and Mitigation

Through a comprehensive risk analysis, a University’s board of governors or trustees and administrators can ensure that organizational cyber risks are adequately mitigated through a combination of effective diligence, contract negotiation, and, in many instances, the purchase of cyber insurance coverage. These steps are necessary to provide effective governance and management of the university. Cloud vendor contracts are not yet associated with the typical collateral issues that are raised in outsourcing or shared control contracts. These models offer worthwhile guidance about risks created by shared responsibilities and possible liabilities, as well as ways to contract around common problems. As recent large-scale cloud failures demonstrate, a breach results not only in data recovery problems, but also in attendant unfavorable publicity and extensive remediation and legal costs.[95]

A.  Overview of Risks Associated with Cloud Computing

Cloud computing offers both benefits and risks that must be weighed. Educational institutions have employed cloud computing for a variety of needs, from hosting of simple applications to complex, enterprise-wide human resources and student information management systems.[96] Cloud computing frequently offers granular pricing that lets institutions optimize software or services utilization and tailor the same to meet the needs of students, alumni, or employees.[97] Moving system architecture to the cloud reduces the long-term costs of IT resources while increasing employees’ and students’ “anywhere, anytime” access to the resources the institution selects for common availability.[98] Resources hosted remotely are necessarily flexible, potentially including infrastructure, platforms, or even stacked software as a service, and these options offer cost savings through economies of scale, off-site hosting, and off-site maintenance.[99] The cloud’s modular, on-demand model permits educational institutions to reduce the sunk costs of quickly outdated hardware or data storage and to easily swap out software on a global level for more recent applications.[100] By enabling faster updates, with no delay for procurement or individual installation, the institution can more efficiently serve its various stakeholders while reducing overhead costs.[101]

Against these benefits, decision-makers must educate themselves about the associated cyber risks in order to exercise sound judgment before migrating PII to the cloud. The use of cloud computing forces an institution to rely on the policies and security of a third party vendor (and any affiliated data center utilized by the vendor), which creates incremental organizational risk that must be analyzed as compared to the inherent risk of the institution managing its own data and IT resources.[102] Here, we analyze the risks associated with the most common cloud service offered by vendors, that being public, multi-tenant cloud services, where remote data centers host multiple customers’ data on the same servers without segregation.

As stated earlier, cloud computing creates incremental risk by outsourcing an institution’s IT functions to third party vendors, which eliminates or impairs the institution’s control over its data, processing, and security.[103] This increased risk and the resulting increased liability from a breach by a third party vendor are frequently borne directly by the institution itself.[104] These new risks must be analyzed in addition to the familiar vulnerabilities associated with IT functions, such as cyber security threats from networked mobile media, hardware malfunction, software installations, and malicious insiders or external cyber attacks. As a result, some institutions, particularly those with a larger volume of PII, trade secrets, or confidential data subject to high levels of regulation (i.e., under HIPAA requirements, Department of Defense procedures, or SEC oversight), may choose to avoid cloud computing because the additional risks, requirements, and potential exposures are too great.[105] Alternatively, such institutions may choose to create private, self-contained cloud computing systems to increase the level of control retained over the security of the data centers.[106]

Other educational institutions, particularly smaller schools with more limited data sets, may find it is both safer and economically efficient to rely on the more advanced security provided by larger cloud vendors.[107] However, even these schools must ensure that such vendors can comply with the “school official exception” under FERPA.[108] For these smaller institutions, the incremental risk created by outsourcing the security of their student data is offset by the net benefits to overall security offered by more advanced security systems than those the smaller organizations can individually afford. Larger educational institutions with more robust security processes will have to find other benefits and methods of risk mitigation to offset the incremental risk and craft a positive net benefit bargain by switching to cloud computing.[109]

Universities may also face different risk levels depending on whether they are public or private institutions. With different appetites for risk or different security risk profiles, each institution must achieve an acceptable balance of risk against benefit by identifying the incremental risks associated with cloud computing that are germane to their programs and then finding ways to mitigate those risks.[110] Some of the risks that require consideration include:

• Educational institutions remain legally liable for data breaches, even though control over security shifts to the cloud vendor. Accordingly, data breaches can leave the institution subject to different laws for each jurisdiction implicated, by the location of either the data, compromised employee, student or alumnus/a, or cloud vendor’s citizenship.[111]
• Any single breach may put a cloud vendor out of business or in bankruptcy, while for young or small vendors, lack of significant assets and limited applicable or available insurance coverage may preclude full recovery of losses.
• PII may be compromised or commingled with third party data, including that of competitors, with respect to the university’s research or intellectual property.[112]
• Cloud vendors may impose unreasonable or otherwise unacceptable policies or terms of service, including: failure to provide adequate indemnity for claims resulting from security breaches; failure of transparency regarding third party data center security; limitation of liability to amounts inadequate to meaningfully remedy the loss; exclusion of consequential damages; refusal to limit future use of client data; refusal to secure client consent before transferring data overseas; refusal to provide service level agreements or damages for disruption during outage; refusal to return data in usable form to client after termination of agreement; or refusal to agree to abide by FERPA’s “school official exception” as it relates to direct control or the use and redisclosure of PII.[113]
• The physical location of cloud vendors’ servers around the world may result in trans-border information flow and could subject information to the laws of multiple foreign jurisdictions.[114]
• Cloud computing makes it difficult to administer enterprise-wide information security policies for risk mitigation, as well as resource mapping procedures for data forensics, preservation, and management.
• Because sensitive personal, financial, and other confidential information may be stored on the cloud vendors’ servers, risk of breach, loss, or liability must be analyzed in terms of publicity as well as the financial and legal consequences. Cyber attacks directed at cloud vendors may impact a large population of unrelated users and generate greater publicity.

Cloud vendors are reluctant to assume significant risks or the resulting liability because the pricing models are kept low through contractual provisions limiting liability and avoiding indemnification for breaches of data availability, security, or privacy.[115] While weighty bargaining power or competitive leverage can aid in bringing cloud vendors to the bargaining table to negotiate risk-sharing, these advantages likely will not be available to individual universities or smaller higher education nonprofits.[116] Because few institutions can individually lay claim to those bargaining advantages, universities may consider pooling resources and forming consortiums to collectively bargain with vendors, share the costs of due diligence, and secure insurance. Due diligence in determining which risks are the most vital remains the best method to shore up bargaining positions, as can be seen below.

B. Best Practices for Higher Education When Considering a Move to the Cloud

When an institution of higher education intends to make the strategic decision to move its data and information technology systems to a third party cloud provider and procure software as a service, it should first establish a team of stakeholders. The team should include the institution’s general counsel; the highest ranking officials charged with overall authority to oversee information technology and security, risk management, finance, and business administration; and the head of the business unit that will utilize the technology. These stakeholders should participate in the due diligence of the software service providers and the negotiation of their contracts, so that they are fully informed of and understand the nature of the risks to the institution by moving to a cloud environment. By involving key stakeholders in this manner, the institution will achieve consensus in making recommendations to its president and governing body to approve the individual contract and use of the particular technology resource, as well as to ensure that there is fully informed consent to the risks inherent in this type of transaction and that techniques have been developed by the institution to mitigate them.

The information technology stakeholder should develop a checklist soliciting information from the providers to assist in the evaluation of their security, and general counsel should also develop a form of agreement with the provider that contains the terms and conditions appropriate for the risks the institution is willing to accept. The institution should solicit a response to the checklist from those providers of software services that are appropriate for the institution’s needs. Because the checklist will solicit sensitive security information, the institution should be prepared to enter into a non-disclosure agreement with the provider prior to receiving its response. The responses to the checklist should then be evaluated by the individual assigned to oversee information technology security for the institution and make a recommendation to the stakeholders. If the responses are determined to create an acceptable level of risk to the institution, the vendor should be provided the institution’s form of agreement to begin negotiations.

The checklist is the first step in the institution’s due diligence of the provider and should focus on the vendor’s security policies and processes to maintain, monitor, and test the adequacy of security to protect data from disclosure to unauthorized parties.[117] The checklist should identify the type of institutional data to be shared with or stored by the provider and should specifically focus on whether it includes credit card information, health records, student records, and personally identifiable information, because federal and state law impose heightened obligations in the event of a breach. The checklist should inquire if the data will be stored outside of the United States so that the institution can determine if it would be subject to the laws of any foreign jurisdiction in the event of a breach.[118] The provider should also be asked to identify its methodology for exchanging the data, such as upload via a secure web interface, secure file transfer, etc., so that the institution can evaluate the security of the transfer. The checklist should solicit the policies of the provider (and any third party subcontractors of the provider) on data security, data storage and protection, network systems and applications, and disaster recovery; the procedures for review and updating of those policies; and policies that ensure compliance with laws applicable to PCI, HIPAA, and FERPA, so that the institution can verify the provider has a comprehensive plan for compliance. The checklist should request the provider’s SOC1 and SOC2 reports and the results of recent external audits and other tests, to determine the integrity of its system and penetration vulnerabilities. In addition, the checklist should inquire about the physical security and access restrictions to the provider’s data center, data storage area, and network systems; the provider’s response to security incidents; and the provider’s awareness training, so that the institution can evaluate the provider’s preparedness for a breach and strategies for prevention.[119]

In addition to the items on the checklist, the provider should be asked to provide its most recent audited financial statements and, if publicly traded, its 10K and 10Q reports, so that the institution may examine its assets and liabilities and the risks to it as an entity and within its industry. The stakeholders should also perform an independent assessment of the provider by conducting reference checks with existing customers, verifying the size of the provider’s customer base, and estimating the total amount of individual information stored within the provider’s services. In doing so, stakeholders will be able to project the potential losses the provider might suffer in the event of a system-wide breach and whether there is heightened risk of an attack if data is aggregated. An examination of the checklist and the additional information solicited will provide a clear picture of the potential risk of a data breach by using the vendor’s services; the vendor’s ability to prevent, detect, mitigate, and respond to a breach; and the vendor’s ability to withstand the financial impact of a significant breach.

If the institutional stakeholders are satisfied that the risks disclosed during due diligence of the provider may be adequately addressed through contract negotiation or other means, the provider should be forwarded the institution’s form of agreement.[120] While the agreement will contain standard provisions applicable to all purchase agreements, it should include the following key provisions relevant to the heightened risks associated with data security and breaches.

Specifically:

• The agreement should contain representations by the provider that service and support will meet specified levels of service, that security will be provided to prevent unauthorized access or destruction in accordance with industry standards, and that storage and backup will be maintained so that data is in retrievable form to ensure the institution’s continuity of use after contract termination.
• The agreement should clearly state that the data is owned by the institution and may be used by the provider only to deliver the services. Data that constitutes confidential information should be clearly defined in the agreement and include, at a minimum, passwords, institutional data, personally identifiable information, student records, and health records.
• The agreement should identify the actions to be taken in the event of a data breach, which should include, at a minimum, prompt notice to the institution, investigation of the cause and prevention of any reoccurrence, responsibility for all institutional losses as a result of the breach, and the granting to the institution of sole authority to determine if, when, how, and to whom notice of the breach should be sent.
• Moreover, the agreement should exclude from any limitation of liability clause the provider’s intentional or gross negligence and breach of data or confidential information.
• To adequately protect against the risk of a data breach, the agreement should require the provider to name the institution as an additional insured on the provider’s relevant insurance policies, including cyber insurance and commercial general liability insurance (which should have limits of liability of no less than $1 million per occurrence or per claim), umbrella or excess insurance, and professional liability insurance (with limits of liability of at least $10 million unless the amount of data to be stored with the provider demonstrates that a higher limit is appropriate).
• Finally, the agreement should require the destruction of the institution’s data after the agreement is terminated and certification that destruction has occurred.

Very often, a provider will seek to restrict its liability for data breaches through a limitation of liability and may be unwilling to agree to an absolute exclusion for a data breach. In that event, the institution should evaluate the potential costs it may incur and losses it may suffer as a result of a data breach by considering the total number of records and number of individuals related to the data that will be transferred to the provider. At a minimum, the institution should expect to incur, in the event of a breach, costs associated with providing notice to individuals, credit monitoring, undertaking forensic analysis to identify the cause of the breach, adequately and responsibly responding to media inquiries while protecting the institution’s reputation, and responding to or defending third party claims. Studies that examined the losses associated with responding to data breaches over the past few years estimate these costs are approximately $200 per individual or 57 cents per record, and institutions should annually reevaluate this information to determine if costs are increasing.[121] At the present time, these studies provide a guideline for institutions to negotiate secondary caps on limitation of liability clauses for claims arising out of data breaches. In the event the provider is unwilling to agree to a secondary cap that will limit its liability for data breaches in an amount that is acceptable to the institution, the purchase of cyber insurance by the institution provides an alternative for mitigating that risk.[122]

The risks inherent in storing personally identifiable information with a third party are an institutional risk, and the members of the governing body owe a fiduciary duty to the institution to be fully informed of and consent to these risks.[123] Therefore, it is recommended that the team of stakeholders present to the governing body, with participation and approval by the institution’s president, their summary of the due diligence undertaken of the selected cloud provider and the terms of the agreement, along with an explanation of how the agreement or a cyber insurance policy will mitigate the risks associated with cloud data storage. Upon approval by the governing body, the stakeholders’ work does not end. As we have seen in recent media associated with Rutgers University[124], Penn State University[125], and the Internal Revenue Service, the risk as to “if” a data breach will occur no longer exists; it is really a question of “when.” Consequently, institutions would be well served to prepare in advance of a data breach by creating a response team; implementing a response protocol and performing practice drills; establishing compliance activities to implement, monitor, review, and update data security policies; and regularly informing the governing body so it can properly discharge its fiduciary duties.[126]

C. Insurance Coverage for Cyber Security Breaches

The importance of investing the necessary time, effort, and expense to identify and establish appropriate IT solutions for an institution’s ongoing educational, research, or business operations – including cloud-based alternatives – cannot be overstated. But even after an institution completes a comprehensive due diligence process and negotiates maximum contractual protection, the vast majority of cloud-based IT opportunities will nonetheless expose the institution to additional (and potentially substantial) risk, which must be mitigated to satisfy the governors’ or trustees’ obligations to exercise sound judgment and risk management in university governance. Accordingly, an institution must pursue an in-depth analysis of its existing insurance coverage to determine whether additional coverage is required to transfer the risk of potential loss and damage in the event of a data security breach.

At the outset, it is important to recognize that reliance on existing commercial general liability (CGL) insurance to mitigate the risk of loss and damage from cyber security breaches is simply not appropriate without careful assessment, analysis, and decision-making with respect to potential risks the institution faces as a result of its data processing and data storage solutions, and the need for alternative risk mitigation and risk transfer mechanisms.[127] Recent developments regarding the availability of insurance coverage under a CGL policy for losses resulting from a cyber security breach demonstrate that the existence of coverage is far from certain. For example, the Connecticut Supreme Court recently affirmed an intermediate appellate court decision that there was no coverage available under a CGL policy for $6 million of costs incurred as a result of the loss of 130 back-up tapes that contained employment related data of more than 500,000 past and current employees.[128] Similarly, a New York trial court concluded that the insurance company had no duty to defend under a CGL policy because it was the acts of a third party – not the policyholder – that caused the release of personal information as a result of a data security breach.[129] Other courts, however, have reached the opposite result, concluding that insurance coverage was available because the disclosure of personal information was within the scope of the terms of the relevant CGL policy at issue.[130] Separately, the insurance industry has taken affirmative steps consistent with its steadfast position that the CGL policy was not intended to provide insurance for the losses and damage that may be suffered as a result of cyber security breaches, as evidenced by the introduction of specific exclusions for general liability policies that purport to eliminate coverage for liability arising out of certain data breaches.[131] Due to this “mixed bag” regarding availability, an institution relying on a CGL policy to provide insurance coverage in the event of a data breach might be successful, but its likelihood of actual success is increasingly narrow and depends on the jurisdiction and law applied to policy interpretation, the relevant facts, and the specific terms, conditions, and exclusions of the individual CGL policy.

Standalone cyber insurance policies can serve as an effective “gap filler” to cover some of the potential losses and damage that the educational institution may suffer from a data security breach that is not covered under other insurance. In general, cyber insurance provides coverage for certain losses arising out data breaches, but not all cyber insurance policies are created equal. Therefore, the terms of each policy must be carefully reviewed to verify that coverage is provided for potential losses identified in the due diligence process, including losses resulting from services of third party cloud providers. In this regard, insurance coverage is available for losses related to third party claims, notification to individuals, credit monitoring, forensic investigations, public relations and crisis management, data recovery, and government sanctions (within and outside of the United States). It is also very important to consider the appropriate geographic scope of coverage, particularly with respect to cloud computing, which, as noted above, may result in data being sent and/or stored outside a defined geographic location or area, including outside the United States. Finally, the cost of cyber insurance varies by insurer and the scope and amount of insurance desired, so focusing on the extent of necessary insurance is essential to obtaining appropriate, cost effective coverage. In addition, by keeping IT security and data policies up-to-date and ensuring that third party cloud vendors adhere to those updated policies, any requirements imposed by law, and the terms of the negotiated contracts, institutions can minimize the costs of cyber insurance coverage while also lowering potential exposure.

It should be emphasized, however, that any cyber security breach that results in wrongfully disclosed data carries hidden costs that are difficult, if not impossible, to quantify and are generally not insurable. In this regard, institutions must be concerned with damage to their endowments, enrollment, and reputations, both from those individuals directly affected and because large or sensitive breaches draw unfavorable media attention. Further, efforts directed at responding to a breach impair institutional productivity due to employee time and effort being redirected toward response instead of normal operations. Finally, a large breach erodes public trust, potentially further damaging future opportunities with prospective employees, potential students, alumni, and endowments.

In an effort to mitigate some of the risk associated with cloud-based data solutions, cyber insurance should be considered for the following categories of potential liability:

• Costs of notice, reporting, investigation, and credit monitoring in the event of a data security breach;
• Costs of defending third party lawsuits that may result from the loss of personally identifiable employee, alumni, or student information, in particular for public universities in the event the state attorney general’s office declines to defend;
• Statutory and/or regulatory investigation costs, penalties, and fees;
• Public relations and crisis management fees;
• Wrongful acts of outside vendors, consultants, or service providers;
• Data restoration costs to replace or restore a system that suffered a data security breach;
• Failure to prevent the spread of a virus or cyber attack within the institution’s network;
• Expenses required to respond to threats to harm or release data, as well as ransom payments; and
• Impairment or loss of data as the result of a criminal or fraudulent cyber incident, including theft and transfer of funds.

When evaluating the amount of coverage and the relevant terms, conditions, and exclusions, note that a recent study estimates that costs of a data breach per lost or stolen record for an educational institution could average as high as $300 per compromised record, which would quickly exhaust a $5 million policy with a breach of only 16,700 records (well below the average records per breach in 2015).[132] Moreover, educational institutions should insist on readily understandable policy wording – e.g., some policies make distinctions between “lost” and “stolen” data that can serve to exclude coverage.[133] In addition, as noted above, for an institution that was unable to secure sufficiently favorable terms with respect to a vendor’s obligations in that contract, negotiating with the insurer to include coverage for certain acts and omissions of cloud vendors may present a way to nonetheless mitigate some of that risk. Finally, since data breaches are a relatively recent phenomenon, and the costs and manner of resolving any resulting third party claims are evolving, purchasers of cloud services should reevaluate annually the limits of liability and the terms, conditions, and exclusions of their cyber insurance policy to verify that they are adequately insured.

V. Conclusion

Optimizing an educational institution’s cyber risk protection mechanisms involves a considerable commitment of resources to achieve focused preparation, analysis, and decision-making. Given the ever-increasing sophistication of cyber security threats and the expanding use of cloud-based alternatives to data processing and storage needs, educational institutions must take proactive steps to protect information and secure maximum protection against potentially crippling liability in the event of a data security breach. Even where high levels of security controls are implemented in response to high levels of risk, many educational institutions have been victims of data breaches or experienced serious system failures within the past year.[134] Appropriate cyber insurance thus should be considered an integral part of any institution’s cyber security protections. Cyber insurance is not a substitute for properly designed and implemented data security programs, but it can serve as effective supplementary protection that educational institutions and boards of trustees or governors may turn to when data security breaches occur despite best efforts at prevention.

 

 

[1] Maria C. Anderson is Associate University Counsel for Montclair State University. Luis J. Diaz is a Director and Chief Diversity Office for Gibbons P.C., and focuses his practice on a broad range of technology related matters. John T. Wolak is a Director at Gibbons who focuses his practice on a broad range of commercial and insurance related matters. David Opderbeck is a Professor at Seton Hall University’s School of Law and Director of the Gibbons Institute of Law, Science and Technology. In recognition of her extensive editorial assistance, the authors express gratitude to June Kim, Associate at Gibbons.

[2] Peter T. Lewis, Speech, CONGRESSIONAL BLACK CAUCUS FOUNDATION 15^TH ANNUAL LEGISLATIVE WEEKEND, September 1985. See also, International Telecommunications Union, ITU Internet Reports: The Internet of Things, November 2005, available at: https://www.itu.int/net/wsis/tunis/newsroom/stats/The-Internet-of-Things-2005.pdf.

[3] See, infra, n. 6.

[4] Federal Trade Commission v. Wyndham Worldwide Corporation, U.S. District Court for New Jersey, Civil Action No. 2:13-CV-01887-ES-JAD.

[5] Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity, U.S. SECURITIES AND EXCHANGE COMMISSION, March 26, 2014, available at https://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468.

[6] After the breach of consumer records by Target, a shareholder derivative suit was filed in 2013 in the District of Minnesota alleging that board members breached their fiduciary duties to the company by failing to maintain adequate controls to ensure the security of data affecting as many as 70 million customers who shopped at Target between November 27, 2013 and December 15, 2013. See Kulia v. Steinhafel, No. 14-CV-00203 (D. Minn. July 18, 2014). An audit commissioned through Institutional Service Shareholders recommended seven out of Target’s ten board members be removed after the data breach. See Kavita Kumar, Most of Target’s Board Members Must Go, Proxy Advisor Recommends, Star Tribune, May 29, 2014, http://www.startribune.com/most-of-target-s-board-should-go-proxy-adviser-recommends/260960251/. The data breach required Target to defend its board members under public scrutiny in response to pressure from an influential shareholder. See Kavita Kumar, Target Board Defends its Role, Before and After Data Breach, Star Tribune, June 4, 2014, http://www.startribune.com/target-board-defends-its-role-before-and-after-data-breach/261527581/. Although the Board remained intact, Target replaced its Chief Executive Officer following the breach and appointed a new Chief Information Officer. See Kavita Kumar, Target’s 10 Member Board Survives Vote of Shareholders, Star Tribune, July 2, 2014, http://www.startribune.com/june-12-target-s-board-survives-vote-of-shareholders/262727811/.

[7] Eduardo Gallardo and Andrew Kaplan, Board of Directors’ Duty of Oversight and Cybersecurity, Delaware Business Court Insider, August 20, 2014 (citing Stone v. Ritter, 911 A.2d 362, 370) (Del. 2006) and relying upon In re Caremark Int’l Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)).

[8] Foley and Lardner LLP, Taking Control of Cybersecurity: A Practical Guide for Officers and Directors, March 11, 2015, available at http://www.foley.com/taking-control-of-cybersecurity-a-practical-guide-for-officers-and-directors-03-11-2015/.

[9] See Noah G. Susskind, Cybersecurity Compliance and Risk Management Strategies: What Directors, Officers, and Managers Need to Know, 11 N.Y.U. J. L. & Bus. 573, 603 (2015).

[10] Family Educational Rights and Privacy Act, 73 Fed. Reg. 74806, 74843 (Dec. 9, 2008) (codified at 34 CFR §99) available at http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf.

[11] See Association of Governing Boards of Universities and Colleges, A Wake-Up Call: Enterprise Risk Management at Colleges and Universities Today at 2 (2013), available at http://agb.org/sites/agb.org/files/RiskSurvey2014.pdf.

[12] Id.

[13] Susskind, supra note 5, at 603.

[14] Salar Ghahramani, Fiduciary Duty and the Ex Officio Conundrum in Corporate Governance: The Troublesome Murkiness of the Gubernatorial Trustee’s Obligations, 10 Hastings Bus. L.J. 1, 11 (2014).

[15] Lyman P.Q. Johnson & Mark A. Sides, Corporate Governance and the Sarbanes-Oxley Act: The Sarbanes-Oxley Act and Fiduciary Duties, 30 Wm. Mitchel L. Rev. 1149, 1223-1224 (2004).

[16] See N.Y. Not-for-Profit Corp. Law § 722 (2014). See also, Vacco v. Diamandopoulos, 715 N.Y.S. 2d 269 (N.Y. Sup. Ct.,1998) (defendants, as former university trustees, were held financially accountable for mismanagement of the university’s assets and held to violate the duties of care and loyalty owed to the university). See also, N.Y. Not-for-Profit Corp. Law § 717 (directors are required to discharge their duties in good faith and “with the care an ordinarily prudent person in a like position would exercise under similar circumstances”).

[17] Joseph Anthony Valenti, Know the Mission: A Lawyer’s Duty To a Nonprofit Entity During An Internal Investigation, 22 St. Thomas L. Rev. 504, 509 (2010).

[18] Erin Kenneally & John Stanley, Beyond Whiffle-Ball Bats: Addressing Identity Crime In An Information Economy, 26 J. Marshall J. Computer & Info. L. 47, 130 (2008). Although most data breach class actions have been unsuccessful because of the plaintiffs’ inability to plead an “actual or imminent” injury that is sufficient to establish Article III standing, on December 18, 2014, the U.S. District Court for the District of Minnesota ruled that a class of consumers could proceed with a majority of their claims against Target arising from the data breach it suffered in late 2013. See In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, U.S. Dist. LEXIS 175768 (D.M.N. Dec. 18, 2014). In addition, a class action filed against AvMed, Inc. settled for $3 million (after being dismissed twice by a Florida District Court and reinstated by the U.S. Court of Appeals for the Eleventh Circuit) and did not require class members to prove actual damages, suggesting damages may not require proof or causation. See Philippa Maister, After the Breach: Plaintiffs Secure a Settlement that Doesn’t Require Proof of Damages, Corporate Counsel, July 2014, at 15.

[19] Salar Ghahramani, Fiduciary Duty and the Ex Officio Conundrum in Corporate Governance: The Troublesome Murkiness of the Gubernatorial Trustee’s Obligations, 10 Hastings Bus. L.J. 1, 7 (2014).

[20] Id. at 13.

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] Ponemon Institute LLC, Cyber Security Incident Response: Are We as Prepared as We Think?, January 2014, available at https://www.lancope.com/sites/default/files/Lancope-Ponemon-Report-Cyber-Security-Incident-Response.pdf.

[26] The vast majority of states provide that the members of a board of a not-for-profit are held to the same standards as those applicable to the board of a for-profit corporation. See 15 Pa. Cons. Stat. § 5712 (2014). See also Ariz. Rev. Stat. § 10-830 (LexisNexis 2014), Ark. Code Ann. § 4-28-618 (2014), Cal. Corp. Code § 5231 (Deering 2014), Colo. Rev. Stat. 7-128-401 (2014), Conn. Gen. Stat. § 33-1104 (2014) (director must discharge his duties “in a manner he reasonably believes to be in the best interests of the corporation); Fla. Stat. § 617.0830 (2014), Ga. Code Ann. § 14-3-830 (2014), Haw. Rev. Stat. § 414D-149 (2014), Idaho Code Ann. § 30-3-80 (2014), Ind. Code Ann. § 23-17-13-1 (2014), Iowa Code § 504.831 (2014), Ky. Rev. Stat. Ann.§ 273.215 (LexisNexis 2014), La. Rev. Stat. Ann. § 12:226 (2014), Me. Rev. Stat. tit. 13-B, § 717 (2014), Mass. Ann. Laws. ch. 180, § 6C (LexisNexis 2014), Minn. Stat. § 317A.251 (2014), Miss. Code Ann. § 79-11-267 (2014), Mo. Rev. Stat. § 355.001 (2014), Mont. Code Ann. 35-2-416 (2014), Neb. Rev. Stat. Ann. § 21-1986 (LexisNexis 2014), Nev. Rev. Stat. Ann. § 82.221 (2014), N.J. Rev. Stat. § 15A:6-14 (2014)(trustees and members of any committee designated by the board are required to “discharge their duties in good faith and with that degree of diligence, care and skill which ordinary, prudent persons would exercise under similar circumstances in like positions”); N.M. Stat. Ann. § 53-8-25.1 (LexisNexis 2014), N.C. Gen. Stat. § 55A-8-30 (2014), N.D. Cent. Code § 10-33-45 (2014), Ohio. Rev. Code Ann. § 1702.30 (LexisNexis 2014), 15 Pa. Cons. Stat. § 5712 (2014) (a director of a not-for-profit corporation is held as a fiduciary and must perform his or her duties in good faith and with such care as a person of ordinary prudence would use under similar circumstances); R.I. Gen. Laws § 7-6-22 (2014), Tenn. Code Ann. § 48-58-301 (2014), Tex. Bus. Orgs. Code Ann. § 22.221 (2014), Utah Code Ann. § 16-6a-822 (LexisNexis 2014), Vt. Stat. Ann. tit. 11B, § 8.30 (2014), Va. Code Ann. § 13.1-870 (2014), Wash. Rev. Code Ann. § 24.03.127 (LexisNexis 2014), W. Va. Code § 31E-8-830 (2014).

[27] Id. at 15.

[28] Id.

[29] Id.

[30] Supra note 24.

[31] 20 U.S.C. § 1232g. Regulations under FERPA are codified at 34 C.F.R. § 99 (2011). In addition to FERPA, some other federal laws also implicate the privacy of educational records and should be considered during the due diligence phase. See, e.g., Individuals with Disabilities Education Act, 20 U.S.C. §§ 1400-1487; Protection of Pupil’s Rights Amendments, 20 U.S.C. § 1232h (1978); USA Patriot Act, Pub. L. 107-56 (2001); Privacy Act of 1974, 5 U.S.C. Part I, Ch. 5, Subch. 11, Sec 552; and Campus Sex Crimes Prevention Act, Pub. L. 106-386.

[32] FISMA requires that every federal agency develop and implement an agency-wide program to provide information security for the information systems and information that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. See 44 U.C.S.A. §3544, et. seq. This requirement is often passed through to higher education institutions as a condition of grants or contracts with federal agencies funding research. Charles H. Le Grand, Handbook for Internal Auditors §23.07 (Matthew Bender & Company Inc. 2014).

[33] See 42 U.S.C. §§ 1320d, et. seq. HIPAA required the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) to adopt national standards to, inter alia, protect the privacy of individually identifiable health information and maintain administrative, technical, and physical safeguards for the security of health information.42 U.S.C. §§ 1320d-2(a)–(d). Health plans, health care clearinghouses, and health care providers who engage in standardized transactions and transmit financial and administrative claims electronically are covered entities under HIPAA and must comply with its standards and regulations. See 42 U.S.C. § 1320d-4(b).

[34] The U.S. Department of Education established a Privacy Technical Assistance Center as a resource to assist institutions with ensuring the protection of data, compliance with privacy laws, and development of confidentiality and security practices associated with technology systems. See U.S. Department of Education Privacy Technical Assistance Center, Home, http://ptac.ed.gov/. PTAC provides timely information and updated guidance on privacy, confidentiality, and security practices through a variety of resources, including training materials and opportunities to receive direct assistance with privacy, security, and confidentiality of student data systems.

[35] FERPA applies to all educational institutions that receive funding under any program administered by the Department of Education, which encompasses virtually all public schools and most private and public postsecondary institutions, including medical and other professional schools. See 20 U.S.C. § 1232g (requires higher education institutions that receive federal funds administered by the Secretary of Education to ensure certain minimum privacy protections for educational records); 34 C.F.R. § 99.1 (FERPA defines an educational institution to include “any public or private agency or institution which is the recipient of funds). See also, Jennifer C. Wasson, FERPA in the Age of Computer Logging: School Discretion at the Cost of Student Privacy?, 81 N.C.L. Rev. 1348, 1353 (2003).

[36] An educational record subject to FERPA is “directly related to a student” and “maintained by an educational agency or institution or by a party acting for such agency or institution.” See 34 C.F.R. § 99.3. Some examples of educational records include student files, student system databases kept in storage devices, or recordings and/or broadcasts. See 20 U.S.C. § 1232g(a)(4)(A).

[37] FERPA does not prohibit the use of cloud computing but requires higher education institutions to use reasonable methods to ensure the security of any information technology solutions, including cloud computing. See U.S. Department of Health & Human Services & U.S. Department of Education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records Nov. 2008, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf. FERPA does not, however, affirmatively require schools to implement specific procedures for cloud computing or to provide notification in event of a data breach. Notification by the institution in the event of a data breach may nonetheless be required pursuant to state law or even the institution’s own internal policies.

[38] Directory information may include “the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.” See 20 U.S.C. § 1232g(a)(5)(A).

[39] See, e.g., 34 C.F.R. § 99.3. See also, 20 U.S.C. § 1232g(b). Information disclosed in combination with a student ID number, rather than a student name, is considered PII under FERPA and subject to heightened protection; only when an education institution removes all PII and assigns the records non-personal identifiers are disclosures to outside parties permitted without prior consent. See 20 U.S.C. § 1232g(a)(5).

[40] One exception is pragmatic, permitting disclosures in connection with confidential and anonymous studies undertaken on behalf of the educational institution. See 20 U.S.C. § 1232g(b)(1)(F) (such studies must be “for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction”); see also 34 C.F.R. § 99.31(a)(6)). This information must be destroyed when no longer needed for the purposes for which the study was conducted. See 34 C.F.R. § 99.31(a)(6)(iii)(B). The educational institution must enter into an agreement with the organization conducting the study that limits the use of the PII and requires the organization to maintain confidentiality and anonymity and to destroy the PII once it is no longer needed. See 34 C.F.R. § 99.31(a)(6)(iii)(C)(1)–(4). Another exception provided by FERPA is in connection with audits and evaluations of programs conducted by local, federal, or state officials and their authorized representatives. See 20 U.S.C. § 1232g(b)(1)–(5).

[41] 20 U.S.C. § 1232g(b)(1)(A). See also, 34 C.F.R. § 99.31(a)(1).

[42] 34 C.F.R. § 99.31(a)(1)(i)(B) (third party must (i) “perform an institutional service or function for which the…institution would otherwise use employees”; (ii) “[be] under the direct control of the…institution with respect to the use and maintenance of education records”; and (iii) be subject to certain FERPA requirements governing the use and re-disclosure of PII in educational records.

[43] 34 C.F.R. § 99.33(a)(1).

[44] 34 C.F.R. § 99.33(a)(2).

[45] HIPAA established a national health information privacy rule, which required the Secretary to issue final Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule. See 45 C.F.R. Part 164 Subpart E. The Privacy Rule applies to health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically to third parties for reimbursement of medical expenses, including medical universities that offer health care to individuals in the normal course of business or the fulfillment of academic credentials (i.e., through a university medical hospital or faculty/physician practice). See U.S. Department of Health and Human Services and U.S. Department of Education, supra note 35.

[46] “The term ‘individually identifiable health information’ means any information, including demographic information collected from an individual, that – (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and – (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” 42 U.S.C. §1320d(6).

[47] 45 C.F.R. §160.103.

[48] 45 C.F.R. § 164.530(c). This regulation also provides specific requirements regarding the structure around such safeguards, including designating a privacy official, training the workforce, providing a mechanism for documentation of complaints, avoiding retaliation and sanctions, and other important structural components.

[49] Pursuant to the Privacy Rule, a covered entity must receive satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information before sending PHI to the third party or having it create PHI on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. See 45 C.F.R. §§ 164.502(e), 164.504(e), 164.532(d) and (e). For further information about business associates in the HIPAA context, visit the HHS website. Business Associates, U.S. Dep’t. of Health and Human Services, available at

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.

[50] 45 C.F.R. § 164.506.

[51] 45 C.F.R. § 164.508. Among these exceptions, PHI may be used or disclosed without patient authorization or prior agreement for public health, judicial, law enforcement, and other specifically enumerated purposes. See 45 C.F.R. § 164.512(a)-(l). “When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given orally.” See 45 C.F.R. § 164.512. For some situations that might otherwise require authorization, a covered entity may use or disclose PHI without authorization so long as the individual was given the prior opportunity to object or agree. See 45 C.F.R. § 164.510 (e.g., for use in a directory, under emergency circumstances, for use in the care of the individual, for disaster relief, or for when the person is dead).

[52] 42 U.S.C. §§ 1320d-2 and (d)(4). HHS issued the these standards in 2003.

[53] 45 C.F.R. § 164.306(a). See also, 42 U.S.C. §§ 1320d-2(d) (requiring covered entities to protect the electronic PHI against any reasonably anticipated threats or hazards to the security or integrity of such information, as well as any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule). See also, 42 U.S.C. §§ 1320d-2(d)(2)(C) (covered entities are also responsible for ensuring compliance by their employees).

[54] Under such agreements, the third party must: implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the covered entity’s electronic PHI; ensure that its agents and subcontractors to whom it provides the PHI do the same; and report to the covered entity any security incident of which it becomes aware. See 45 C.F.R. § 164.504 (e)(2). The contract must also authorize termination if the covered entity determines that the third party has violated a material term. See 45 C.F.R. § 164.504 (e)(2)(iii). Additionally, if a covered entity’s third party business partner violates the Security Rule, the covered entity is not liable unless it knew that the third party was engaged in a practice or pattern of activity that violated HIPAA and failed to take corrective action. See 45 C.F.R. § 164.504 (e)(1). The HITECH Act extended application of some provisions of the HIPAA Privacy and Security Rules to the business associates of HIPAA-covered entities, in particular, making those business associates subject to civil and criminal liability for improper disclosure of PHI; establishing new limits on the use of PHI for marketing and fundraising purposes; providing new enforcement authority for state attorneys general to bring suit in federal district court to enforce HIPAA violations; increasing civil and criminal penalties for HIPAA violations; requiring covered entities and business associates to notify the public and HHS of data breaches; changing certain use and disclosure rules for protected health information; and creating additional individual rights. See 78 Fed. Reg. 5566–5702.

[55] Covered entities and business associates may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.” See 45 C.F.R. § 164.306 (b)(1).

[56] 45 C.F.R. § 164.306 (b)(2)(i)–(iv).

[57] The Office of Civil Rights in HHS enforces compliance with the Privacy Rule. 65 Fed. Reg. 82381. The Secretary of HHS must assess a civil monetary penalty on any covered entity or person failing to comply with the national standards and regulations. See 42 U.S.C. § 1320d-5(a). The minimum fine for a violation is $100 per violation, but can be up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. 42 U.S.C. § 1320d-5(a)(1). The maximum fine for a violation is $50,000 per violation and up to $1.5 million for all violations of an identical requirement or prohibition during a calendar year. See 42 U.S.C. § 1320d-5(a)(1). Criminal penalties may imposed if a person knowingly and in violation of HIPAA’s Administrative Simplification provisions uses a unique health identifier or obtains or discloses individually identifiable health information. See 42 U.S.C. § 1320d-6. Criminal penalties can be enhanced if the offense was committed under false pretenses, with intent to sell the information or reap other personal gain. The criminal penalties include a fine of not more than $50,000 and/or imprisonment of not more than one year for a violation. 42 U.S.C. § 1320d-6(b). If the offense was committed under false pretenses, the penalty will be a fine of not more than $100,000 and/or imprisonment of not more than five years. If the offense was committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, then the violation will incur a fine of not more than $250,000 and/or imprisonment of not more than 10 years. See also Luis J. Diaz & David N. Crapo, The Cost of a Data Breach: The Health Care Perspective, The Metropolitan Corporate Counsel, Nov. 18, 2013, http://www.metrocorpcounsel.com/articles/26260/cost-data-breach-health-care-perspective.

[58] Ieuan Jolly, US Privacy and Data Security Law 27 (2014), available at Thomson Reuters Practical Law.

[59] Id.

[60] Nancy J. King & V.T. Raja, What Do They Really Know About Me in the Cloud? A Comparative Law Perspective on Protecting Privacy and Sensitive Consumer Data, 50 Am. Bus. L.J. 413, 445-446 (2013).

[61] Id.

[62] Id.

[63] These attempts included the Cybersecurity Act of 2009, S. 773, 111th Cong. (as introduced, Apr. 1, 2009); the Cybersecurity Act of 2010, S. 773, 111th Cong. (as reported by S. Comm. on Commerce, Sci., & Transp., Mar. 24, 2010); the Protecting Cybersecurity as a National Asset Act of 2010, S. 3480, 111th Cong. (as reported by S. Comm. on Homeland Sec. & Governmental Affairs, Dec. 15, 2010); the Cybersecurity and Internet Freedom Act of 2011, S. 413, 112th Cong. (2011); the Cybersecurity Act of 2012, S. 2105, 112th Cong. (as introduced, Feb. 14, 2012); the Cybersecurity Enhancement Act of 2014, S. 1353 (as introduced July 24, 2013); and the Data Security Act of 2015, S. 961 (as introduced April 15, 2015), among others. For a description of various proposals, see David W. Opderbeck, Cybersecurity and Executive Power, 89 Wash. L. Rev. 795 (2012).

[64] See Opderbeck, supra, note 61, at 801-12.

[65] Id.

[66] Id.

[67] Exec. Order No. 13,636, 78 Fed. Reg. 649 (February 19, 2013).

[68] Id. at § 7.

[69]See NIST Cybersecurity Framework website, available at http://www.nist.gov/cyberframework/; PWC, “Why You Should Adopt the NIST Cybersecurity Framework” (May 2014), available at http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf (stating that “the Framework comprises leading practices from various standards bodies that have proved to be successful when implemented, and it also may deliver regulatory and legal advantages that extend well beyond improved cybersecurity for organizations that adopt it early”).

[70] See NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (February 12, 2014), § 1.1, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

[71] Id. at § 2.1.

[72] Id.

[73] Id.

[74] Id.

[75] Id.

[76] Id.

[77] Id.

[78] Id.

[79] Id. at § 2.2.

[80] Id. at § 2.4.

[81] Id. at Appendix A.

[82] Id.

[83] Id.

[84] Id. NIST also makes the core framework and coding tool available on its website in Excel and FileMaker formats. See http://www.nist.gov/cyberframework/csf_reference_tool.cfm and http://www.nist.gov/cyberframework/upload/framework-for-improving-critical-infrastructure-cybersecurity-core.xlsx.

[85] See HEIS Information Security Guide, Introduction, available at https://spaces.internet2.edu/display/2014infosecurityguide/Welcome+to+the+Guide.

[86] Id.

[87] See Ohio State University Information Risk Management Program website, available at https://ocio.osu.edu/itsecurity/riskmgmt.

[88] Id.

[89] For a similar list, see Joanna Lyn Grama, Understanding IT GRC in Higher Education: IT Compliance, Educause Review, February 23, 2015, available at http://er.educause.edu/articles/2015/2/understanding-it-grc-in-higher-education-it-compliance.

[90] Protecting Cyber Networks Act, H.R. 1560 (passed by House as amended April 22, 2015); Cybersecurity Act of 2015 (passed into law on December 18, 2015), available at https://www.congress.gov/114/bills/hr2029/BILLS-114hr2029enr.pdf.

[91] See, e.g., Cybersecurity Act of 2015, § 104(c)(1) (stating that, with certain exceptions, “notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose . . . share with, or receive from, any non-Federal entity or the Federal Government a cyber threat indicator or defensive measure.”).

[92] See, e.g., id. § 102(14)(A) (stating that “ ‘non-Federal entity’ means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)).”; id. § 102(15)(A) (stating that “ ‘private entity’ means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.”).

[93] See, e.g., Andy Greenberg, Privacy Critics Go 0-2 With Congress’ Cybersecurity Bills, Wired, March 26, 2015, available at http://www.wired.com/2015/03/privacy-critics-go-0-2-congress-cybersecurity-bills/.

[94] Data Breaches Hit the Board Room: How to Address Claims Against Directors and Officers, Hogan Lovells Chronicle of Data Protection, Jan. 23, 2015, available at http://www.hldataprotection.com/2015/01/articles/cybersecurity-data-breaches/data-breaches-hit-the-board-room/. See also, In re Heartland Payment Systems, Inc. Security Litigation, Case No. 09-1043. 2009 WL 4798148 (D.N.J. Dec. 7, 2009)

[95] Supra note 2.

[96] Cloud computing allows organizations to purchase and use technology services through the internet on an as-needed basis and is a cost-effective alternative to buying and maintaining expensive hardware or software. See Timothy D. Martin, Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security and Property in Cloud Computing, 92 J. Pat. & Trademark Off. Soc’y, 283, 285 (2010).

[97] Id.

[98] Organizations can reduce or eliminate IT capital expenditures and decrease ongoing operating expenses by paying only for the services they use, which can result in reducing or redeploying IT staff. See Cisco, Cloud Computing in Higher Education: A Guide to Evaluation and Adoption 2 (2011). See also Steve Mutkoski, Cloud Computing, Regulatory Compliance, and Student Privacy: A Guide for School Administrators and Legal Counsel, 30 J. Marshall J. Computer & Info. L. 511, at 512 (2014).

[99] Melanie J. Teplinsky, Fiddling On The Roof: Recent Developments in Cybersecurity, 2 Am. U. Bus. L. Rev. 225, 238 (2013).

[100] Cisco, supra note 96, at 2.

[101] Martin, supra note 94, at 294.

[102] The complex nature of cloud computing services creates a “level of abstraction between the physical infrastructure and the owner of the information being stored and processed.” The organization that contracts with a cloud computing vendor no longer has any visibility into the operations of the physical infrastructure where the data is being stored, and it is argued that more transparency should be provided regarding service providers’ cybersecurity measures. See J. Nicholas Hoover, Compliance in the Ether: Cloud Computing, Data Security, And Business Regulation, 8 J. Bus. & Tech. L. 255, 260-261. See also Zacharis Enslin, Cloud Computing Adoption: Control Objectives for Information and Related Technology (COBIT) – Mapped Risks and Risk Mitigating Controls, Afr. J. Bus. Mgmt. Vol.6 (37), 10185-94 (2012).

[103] Teplinsky, supra note 97, at 238 (“characteristics of cloud computing – including system complexity, the multi-tenant environment, and loss of control – pose significant challenges to corporate cybersecurity”).

[104] Significant concerns by cloud users about shifting liability from the cloud users to the cloud vendors are not adequately addressed in the standard contract terms offered by most cloud computing vendors. These contracts typically heavily favor the cloud vendor, and, unfortunately, most cloud users lack the leverage to sufficiently bargain for a more balanced agreement. See T. Noble Foster, Navigating Through The Fog of Cloud Computing Contracts, 30 J. Info. Tech. & Privacy L. 13, 24-25 (2013).

[105] Aside from state laws, there are nine applicable sets of regulations, at least six industry-specific guidelines and requirements, and a wide array of international laws in the data security space. See James Ryan, The Uncertain Future: Privacy And Security In Cloud Computing, 54 Santa Clara L. Rev. 497, 506 (2014).

[106] In a “private cloud,” an organization develops or purchases its own cloud-computing environment, rather than using a multi-tenant platform that is available to the general public or a large industry group. See Cisco, supra note 96, at 3.

[107] Cisco, supra note 96, at 3. By contracting with a cloud computing vendor (that may even be another, larger university), smaller colleges can adopt state-of-the-art applications and services, thereby bypassing many of the costly challenges such as lack of high levels of computerization, recruitment of qualified IT personnel, and the ability to secure and protect PII and other sensitive data.

[108] U.S. Department of Education PTAC, supra note 11, at 2.

[109] Cisco, supra note 96, at 4.

[110] See Association of Governing Boards of Universities and Colleges, supra note 9, at 1 (“While institutional focus on risk has grown[,] . . . risk appetite and tolerance are less likely to be considered in decision making. In 2013, 31 percent ‘strongly agreed’ that risk appetite and tolerance are part of the institution’s culture, down from 47 percent in 2008.”).

[111] International students attending a U.S. educational institution may pose unique jurisdictional implications, especially as more and more countries adopt increasingly sophisticated data privacy laws intended to protect its citizens. See Cynthia Rich, Privacy Laws in Asia, A Special Report for Privacy & Data Security Professionals, Bloomberg BNA Vol. 13, No. 16 (2014).

[112] Public cloud services are delivered online, and the internet-based nature provides hackers with a larger “attack surface” to attack in comparison to private networks. See J. Nicholas Hoover, Compliance in the Ether: Cloud Computing, Data Security and Business Regulation, 8 J. Bus. & Tech. L. 255, 261 (2013).

[113] Cloud vendors typically exclude or restrict liability as much as possible, and it is generally difficult for large or global users to negotiate successfully for vendor liability, particularly for outages and data loss. See W. Kuan Hon, Christopher Millard & Ian Walden, Negotiating Cloud Contracts: Looking at Clouds From Both Sides Now, 16 Stan. Tech. L. Rev. 81, at 94 (2012).

[114] Id. at 103. Cloud vendors may provide round-the-clock “follow the sun services” and use support staff or sub-contractors outside the U.S. who have or are given access to data or metadata.

[115] Hon, supra note 111, at 94.

[116] John Soma, Maury Nichols, Melodi Mosley Gates & Ana Gutierrez, Chasing The Clouds Without Getting Drenched: A Call For Fair Practices In Cloud Computing Services, 16 J. Tech. L. & Pol’y 193, 211 (2011). Given their size and commensurate bargaining power, cloud vendors are able to dictate terms that are favorable for themselves, but risky for the purchaser.

[117] Congress recently created a compilation of citations that provide many available resources to assist in the development of appropriate due diligence in order to assess the apparent risks of cloud providers. See Cybersecurity Authoritative Reports and Resources, Congressional Research Service (June 10, 2015).

[118] See Privacy Laws in Asia: A Special Report for Privacy and Data Security Professionals, Bloomberg BNA, Apr. 21, 2014, available at http://www.bna.com/uploadedFiles/Content/Web_Forms/Real_Magnet_Form/Legal/Privacy_Law/11759-iapp-whitepaper.pdf (providing a comprehensive summary of privacy laws in major regions outside of the United States).

[119] In response to the number of cyberattacks suffered within the United States in 2014, Congress commissioned a study of the issues and challenges with cybersecurity, and the report can serve as resource to the stakeholders and institution’s governing body in assessing, understanding, and appreciating the current risks to data within the United States. See Cybersecurity Issues and Challenges: In Brief, Congressional Research Service (April 14, 2015).

[120] The U.S. Department of Education’s Privacy Technical Assistance Center issued guidance to education institutions to assess the use of cloud computing and develop standard contract terms. See “Frequently Asked Questions – Cloud Computing,” USDOE Privacy Technical Assistance Center (June 2012). See also “Protecting Student Privacy While Using On-Line Educational Services: Requirements and Best Practices,” USDOE Privacy Technical Assistance Center (February 2014). In addition, guidance and contract templates issued by the United States federal government can also serve as useful resources for public education institutions. See Creating Effective Cloud Computing Contracts for the Federal Government – Best Practices for Acquiring IT as a Service, CIO Council/Chief Acquisition Officers Council (February 24, 2012) (standard contract clauses can be found at: www.gsa.gov/graphics/staffoffices/FedRAMP_Standard_Contractual_Clauses_062712.pdf) .

[121] In 2015, Verizon commissioned a study with contributions from 70 entities around the world, and its findings are summarized in a report entitled the “Data Breach Investigation Report,” Verizon Risk Team (2015). In 2014, Verizon commissioned a similar global study with 17 partners from the audit, law enforcement, and security fields, and its findings were summarized in a report entitled “Data Breach Investigation Report,” Verizon Risk Team (2013). Verizon’s reports are located at: www.verizonenterprise.com/DBIR. Studies with similar findings were undertaken by Zurich Insurance and The Ponemon Institute. See Data Breach: The Cloud Multiplier Effect, Ponemon Institute (June, 2014); see also Diaz and Crapo, supra note 33; Data Breach Cost: Risks, Costs, and Mitigation Strategies for Data Breaches, Zurich General Insurance (2012).

[122] See discussion infra Section III.C.

[123] Gallardo and Kaplan, supra note 3.

[124] Ellen Wexler, Another Network Outage at Rutgers Leads to Frustration Among Professors and Students, The Chronicle of Higher Education, Sept. 30, 2015, http://chronicle.com/article/Another-Network-Outage-at/233483/. See also, David Gialanella, Universities Help Drive Need for Data-Security Advice, New Jersey Law Journal, October 3, 2014.

[125] Universities ‘Peculiar Creatures’ in Cybersecurity World, Cyber Security Caucus, May 22, 2015, http://cybersecuritycaucus.com/universities-peculiar-creatures-in-cybersecurity-world/.

[126] The U.S. Department of Commerce’s National Institute of Standards and Technology issued comprehensive recommendations to identifying confidential data, implementing safeguards to prevent breaches, and developing breach response protocol in a report entitled Guide to Protecting the Confidentiality of Personally Identifiable Information, Special Publication 800-122 (April 2010).

[127] Foster, supra note 102, at 27. Cyber insurance has been available for an extended period and has evolved to become suitable for both cloud users and cloud providers. Ideally, both the institution and the vendor will have completed appropriate due diligence and implemented comprehensive risk mitigation strategies that include cyber insurance coverage.

[128] See Recall Total Info. Mgmt. v. Federal Ins. Co., 83 A.3d 664 (Conn App. 2014), aff’d, 115 A.3d 458 (Conn. 2015).

[129] See Zurich American Insurance Co. v. Sony Corp. of America et al., 2014 N.Y.LEXIS 5141 (N.Y. Sup. Ct. 2014).

[130] See Travelers Indem. Co. v. Portal Healthcare, 35 F.Supp 3d 765 (E.D. Va. 2014); Hartford Cas. Inc. Co. v. Corcino & Assocs., No. 13-1328, 2013 U.S. Dist LEXIS 152836 (D. Calif. Oct. 7, 2013); see also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) (coverage under CGL policy was available because insurer failed to establish that the policy terms applied to preclude coverage).

[131] See ISO Form Nos. CG 21 06 05 14 (Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Bodily Injury Exception); CG 21 07 05 14 (Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included); CG 21 08 05 14 (Exclusion for Access or Disclosure of Confidential or Personal Information (Coverage B Only)).

 

[132] Ponemon Institute LLC, 2015 Costs of Data Breach Study: Global Analysis, 1 (2015). The Ponemon Institute’s study involved 350 companies from eleven different countries, and, while the global average per record costs of a data breach were estimated at $154, U.S. companies had the most costly per record costs at $217 per compromised record.

[133] For example, under Amazon’s standard contract for cloud computing services, it states that “Neither we nor any of our affiliates or licensors will be responsible for any compensation, reimbursement or damages arising in connection with…any authorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.” See Foster, supra note 102 at 13.

[134] Warwick Ashford, Cyber Insurance Complements Security Controls, Says Aon, ComputerWeekly.com, Jul. 14, 2014, http://www.computerweekly.com/news/2240224437/Cyber-insurance-complements-security-controls-says-Aon.