Security Laboratory

Security Laboratory

Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

Other Related Articles in Leadership Lab: Information Technology and the Law


Subpoenas for Electronic Records


Benjamin Wright, JD

A distraught mother, Sue Kayton, was forced to wait for legal subpoenas before MIT would allow her to examine the contents of computer data belonging or pertaining to her son. He was missing from the university, and she was searching frantically for clues about his whereabouts. The data held many clues, but the university’s privacy policy impeded her. His body was later found floating off Cape Cod.

The university is subject to the Family Educational Rights and Privacy Act (FERPA), which generally forbids colleges from disclosing student information without the student’s permission. In the interest of protecting the rights of the son, MIT refused to give his mother access to his PC, e-mail and server records - records which could at the time be vital to her tracking him down.

FERPA and MIT recognize that records may be released to parents in a health or safety emergency. But MIT was in a bind. Just because a 22-year-old senior has skipped campus for a few days does not necessarily mean he is in physical danger or that he wants his parents to rifle through his stuff. The university said it would act only if served with a valid subpoena.

What is a subpoena and what difference does it make?
A subpoena is a legal demand that someone possessing records or evidence turn them over. The legal authority behind a subpoena can vary. Sometimes an investigator within a government agency, such as an inspector general, has authority to issue a subpoena. Normally a government prosecutor such as state attorney general or a local district attorney has authority to issue a subpoena, but such an official should not exercise his or her without good reason.

A subpoena may also be issued under the rules of procedure applicable to a pending lawsuit. Often the judge presiding over the lawsuit will approve issuance of the subpoena. But under the rules of some states, such as Texas, a mere attorney in a civil lawsuit can issue a subpoena, without prior approval from the judge.

The recipient of a subpoena cannot ignore it. If the recipient believes the subpoena is unfair or invalidly issued, the recipient can challenge it, often in a hearing before a judge.

In the case of MIT, a valid subpoena would give the university a measure of comfort that it could not be held liable for releasing the student’s records in violation of his privacy. A proper subpoena is subject to court rules that punish anyone (such as an attorney) who abuses subpoena power by issuing a subpoena without justification.

According to the Wall Street Journal,[1] Ms. Kayton’s attorney husband sent MIT a subpoena under California civil law (without prior approval from a judge), but MIT rejected it. Apparently the university was not persuaded the subpoena had been validly issued. This frustrated Ms. Kayton’s quest to locate her son. MIT campus police then took the unusual step of asking the local Massachusetts district attorney to issue a subpoena enabling the campus police to access the student’s records. The district attorney complied, and shortly thereafter the campus police opened the records.

We discuss these and related issues in my legal courses[2] on IT law.

============
Benjamin Wright is the author of several books on technology law, including Business Law and Computer Security published by the SANS Institute.[3] http://hack-igations.blogspot.com

As with all public statements by Mr. Wright, this essay provides general information and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

============
1. Elizabeth Bernstein, "A Mother Takes on MIT", Wall Street Journal, Sept. 10, 2007, A1.
2. http://www.sans.org/training/category.php?c=LEG&portal=9f1d4257d6ceae12c4ed03349c314b99
3. http://www.sans.org