Security Laboratory

Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

View Archives »

Subpoenas for Electronic Records

Sep 15th, 2007
By Benjamin Wright, JD

A distraught mother, Sue Kayton, was forced to wait for legal subpoenas before MIT would allow her to examine the contents of computer data belonging or pertaining to her son. He was missing from the university, and she was searching frantically for clues about his whereabouts. The data held many clues, but the university’s privacy policy impeded her. His body was later found floating off Cape Cod.

The university is subject to the Family Educational Rights and Privacy Act (FERPA), which generally forbids colleges from disclosing student information without the student’s permission. In the interest of protecting the rights of the son, MIT refused to give his mother access to his PC, e-mail and server records - records which could at the time be vital to her tracking him down.

FERPA and MIT recognize that records may be released to parents in a health or safety emergency. But MIT was in a bind. Just because a 22-year-old senior has skipped campus for a few days does not necessarily mean he is in physical danger or that he wants his parents to rifle through his stuff. The university said it would act only if served with a valid subpoena.

What is a subpoena and what difference does it make?
A subpoena is a legal demand that someone possessing records or evidence turn them over. The legal authority behind a subpoena can vary. Sometimes an investigator within a government agency, such as an inspector general, has authority to issue a subpoena. Normally a government prosecutor such as state attorney general or a local district attorney has authority to issue a subpoena, but such an official should not exercise his or her without good reason.

A subpoena may also be issued under the rules of procedure applicable to a pending lawsuit. Often the judge presiding over the lawsuit will approve issuance of the subpoena. But under the rules of some states, such as Texas, a mere attorney in a civil lawsuit can issue a subpoena, without prior approval from the judge.

The recipient of a subpoena cannot ignore it. If the recipient believes the subpoena is unfair or invalidly issued, the recipient can challenge it, often in a hearing before a judge.

In the case of MIT, a valid subpoena would give the university a measure of comfort that it could not be held liable for releasing the student’s records in violation of his privacy. A proper subpoena is subject to court rules that punish anyone (such as an attorney) who abuses subpoena power by issuing a subpoena without justification.

According to the Wall Street Journal,[1] Ms. Kayton’s attorney husband sent MIT a subpoena under California civil law (without prior approval from a judge), but MIT rejected it. Apparently the university was not persuaded the subpoena had been validly issued. This frustrated Ms. Kayton’s quest to locate her son. MIT campus police then took the unusual step of asking the local Massachusetts district attorney to issue a subpoena enabling the campus police to access the student’s records. The district attorney complied, and shortly thereafter the campus police opened the records.

We discuss these and related issues in my legal courses[2] on IT law.

============
Benjamin Wright is the author of several books on technology law, including Business Law and Computer Security published by the SANS Institute.[3] http://hack-igations.blogspot.com

As with all public statements by Mr. Wright, this essay provides general information and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

============
1. Elizabeth Bernstein, "A Mother Takes on MIT", Wall Street Journal, Sept. 10, 2007, A1.
2. http://www.sans.org/training/category.php?c=LEG&portal=9f1d4257d6ceae12c4ed03349c314b99
3. http://www.sans.org

Questions?

Email us at info@sans.edu.

SANS 2012 - Orlando

Featured Research

Student Presentations

Expanding Response: Deeper Analysis for Incident Handlers
By Russ McRee | Nov 2011 | 622 KB

Detecting and Responding to Data Link Layer Attacks with Scapy
By TJ O'Connor | Sep 2011 | 2.44 MB

Scoping Security Assessments: A Project Management Approach
By Ahmed Abdel-Aziz | Sep 2011 | 387 KB

View More Student Presentations »

Featured Student/Alumni

TJ O'Connor STI Alumn

TJ O'Connor

TJ O'Connor is a member of the US Department of Defense and a former faculty member at the US Military Academy, where he taught courses on forensics, exploitation, and information assurance.

Click here to read more »

 

Internet Storm Center

View our Site Directory

Contact Us

Phone: (720) 941-4932
Questions: info@sans.edu
Web: webmaster@sans.edu

"After starting the program, I was promoted to Information Security Officer. I believe my involvement in the program was a contributing factor in that happening."
- John Brozycki, Alumni of SANS Technology Institute

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role. "
- Jerome Radcliffe, SANS Technology Institute Student