UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
____________________________________
)
ELECTRONIC PRIVACY )
INFORMATION CENTER, et al., )
)
Plaintiffs, )
)
v. ) Civil Action No. 12-0327 (ABJ)
)
U.S. DEPARTMENT OF EDUCATION, )
)
Defendant. )
____________________________________)
MEMORANDUM OPINION
Plaintiffs Electronic Privacy Information Center (“EPIC”) and four individuals – Grayson
Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel – have brought this action
challenging a Final Rule issued by defendant, the United States Department of Education
(“Department of Education,” “the Department”), to implement the Family Educational Rights
and Privacy Act of 1974 (“FERPA”), 20 U.S.C. § 1232g. Defendant has moved to dismiss on
standing grounds or, in the alternative, for summary judgment on the merits. Def.’s Mot. to
Dismiss or, in the Alternative, for Summ. J. (“Def.’s Mot.”) [Dkt. # 18]. Plaintiffs have opposed
defendant’s motion and have filed their own cross-motion for summary judgment. Pls.’ Cross-
Mot. for Summ. J. (“Pls.’ Mot.”) [Dkt. # 21]; Pls.’ Mem. Opposing Def.’s Mot. to Dismiss and
Mot. for Summ. J. (“Pls.’ Mem.”) [Dkt. # 20].
Plaintiffs argue that the standing requirement is satisfied in this case because the four
individual plaintiffs each have standing and because EPIC has both organizational standing on its
own behalf and associational standing on behalf of its members. The Court disagrees and finds
that none of the individual plaintiffs nor EPIC have standing to bring the claims asserted in the
complaint. The individual plaintiffs have alleged nothing more than a hypothetical possibility of
some vague harm, and that harm does not even flow from the challenged regulations. So they
have failed to allege or show the injury in fact or causation that are fundamental to standing.
And the organizational plaintiff, EPIC, complains simply that the new rules have prompted it to
engage in the very sort of advocacy that is its raison d’etre. So it has not alleged an injury in fact
either. Accordingly, the Court will dismiss the action for lack of subject matter jurisdiction.
BACKGROUND
I. STATUTORY AND REGULATORY BACKGROUND
This action concerns regulations that were issued by the Department of Education to
implement FERPA. FERPA was first passed in 1974 “to ensure access to educational records for
students and parents and to protect the privacy of those records from the public at large.”
Student Press Law Ctr. v. Alexander, 778 F. Supp. 1227, 1228 (D.D.C. 1991). It conditions the
receipt of federal funds by “any public or private educational agency or institution” on adherence
to certain requirements related to access to and disclosure of student educational records.
Gonzaga Univ. v. Doe, 536 U.S. 273, 278 (2002). One of those requirements is that a student’s
records not be disclosed unless the student’s parents provide consent.1 See 20 U.S.C.
§ 1232g(b).
Generally, this restriction applies even to the disclosure of records by schools or school
districts to the Department of Education or to state educational authorities. There are, however,
several exceptions. The two exceptions relevant to this action are known as the “directory
information exception” and the “program evaluation exception.” Under the directory
1 FERPA generally refers to the rights of parents, but those rights transfer to the student
when the student turns eighteen years old or enrolls in a postsecondary institution. See 20 U.S.C.
§ 1232g(d).
2
information exception, certain basic student information, such as name, address, telephone
number, etc. – referred to as “directory information” – may be released without prior consent.
Id. § 1232g(a)(5), (b)(1). Under the program evaluation exception, an “authorized
representative” of the Comptroller General of the United States, the Secretary of Education, state
educational authorities, or the Attorney General may receive – without prior consent – any
records that “may be necessary in connection with the audit and evaluation of Federally-
supported education programs, or in connection with the enforcement of the legal requirements
that relate to such programs.”2 Id. § 1232g(b)(1)(C), (b)(3).
The definitions of the terms “directory information,” “authorized representative,” and
“education program,” as used in the statutory exceptions to the disclosure restrictions, have long
been the subject of Department of Education regulations. See 53 Fed. Reg. 11942-01, 11943
(Apr. 11, 1988). On April 8, 2011, the Department of Education issued a notice of proposed
rulemaking that sought comments on proposed changes to its FERPA-implementing regulations,
including to the definitions of those three terms. 76 Fed. Reg. 19726, 19731–32 (Apr. 8, 2011)
(codified at 34 C.F.R. pt. 99). The Department received 274 comments on the proposed
regulation, including a comment from plaintiff EPIC challenging the three new definitions. Final
Rule, Admin. R. (“AR”) at 698 [Dkt. # 10]; EPIC Comment, id. at 515–34. On December 2,
2011, the Department issued its Final Rule, 76 Fed. Reg. 75604 (Dec. 2, 2011) (codified at 34
C.F.R. pt. 99) (“Final Rule”).
2 The restrictions on disclosure of educational records are only waived with regard to the
Attorney General when disclosure is “for law enforcement purposes.” 20 U.S.C.
§ 1232(b)(1)(C). In addition, state and local educational officials are exempted from the
disclosure restrictions when disclosure of the records “may be necessary in connection with the
audit and evaluation of any federally or State supported education program or in connection with
the enforcement of the Federal legal requirements which relate to any such program.” Id.
§ 1232g(b)(5) (emphasis added).
3
A. The Directory Information Exception
FERPA expressly provides that:
[T]he term “directory information” relating to a student includes the
following: the student’s name, address, telephone listing, date and place
of birth, major field of study, participation in officially recognized
activities and sports, weight and height of members of athletic teams,
dates of attendance, degrees and awards received, and the most recent
previous educational agency or institution attended by the student.
20 U.S.C. § 1232g(a)(5)(A). While the statute exempts “directory information” found in
education records from the statutory disclosure restrictions, id. § 1232g(b)(1), it leaves each
educational agency or institution free to determine for itself what categories of directory
information it will release and for what purposes. But before the entity releases any information,
it must “give public notice of the categories of information which it has designated” as directory
information, and give parents the opportunity to “inform the institution or agency that any or all
of the information designated should not be released without the parent’s prior consent.” Id.
§ 1232g(a)(5)(B).
Since at least 1988, the Department has interpreted directory information to mean
“information contained in an education record of a student that would not generally be
considered harmful or an invasion of privacy if disclosed,” and it has construed the statutory list
of directory information to be non-exhaustive. See 34 C.F.R. § 99.3 (2013); see also 34 C.F.R.
§ 99.3 (1988). For example, in the year 2000, the Department issued new regulations that
recognized photographs, e-mail addresses, and grade levels as directory information. 65 Fed.
Reg. 41852, 41852–53 (July 6, 2000) (codified at 34 C.F.R. pt. 99).
The 2011 Final Rule at issue in this action adds to the category by recognizing as
directory information:
(1) A student ID number, user ID, or other unique personal identifier used
by a student for purposes of accessing or communicating in electronic
4
systems . . . and (2) [a] student ID number or other unique personal
identifier that is displayed on a student ID badge, but only if the
identifier[s] cannot be used to gain access to education records except
when used in conjunction with one or more factors that authenticate
the user’s identity, such as a PIN [(personal identification number)],
password, or other factor known or possessed only by the authorized
user.
Final Rule, AR at 733.
B. The Authorized Representative Exception
The authorized representative exception permits an “authorized representative” of the
Comptroller General of the United States, the Secretary of Education, state educational
authorities, and the Attorney General to receive – without prior consent – any records which may
be necessary in connection with the audit and evaluation of Federally-supported education
programs, or in connection with the enforcement of the legal requirements which relate to such
programs.” 20 U.S.C. § 1232g(b)(1)(C), (b)(3). It also permits state and local educational
officials to be exempted from the disclosure restrictions when disclosure of the records “may be
necessary in connection with the audit and evaluation of any federally or State supported
education program or in connection with the enforcement of the Federal legal requirements
which relate to any such program.” Id. § 1232g(b)(5) (emphasis added).
The 2011 Final Rule at issue in this action provides definitions for the terms “authorized
representative” and “education program,” as the terms are used in those provisions of FERPA.
The Final Rule defines an “authorized representative” as:
[A]ny entity or individual designated by a State or local educational
authority or an agency headed by an official listed in § 99.31(a)(3) to
conduct – with respect to Federal- or-State supported education programs
– any audit or evaluation, or compliance or enforcement activity in
connection with Federal legal requirements that relate to those programs.
5
Final Rule, AR at 733. It defines an “education program” as “any program that is principally
engaged in the provision of education, including, but not limited to, early childhood education,
elementary and secondary education, postsecondary education, special education, job training,
career and technical education, and adult education, and any program that is administered by an
educational agency or institution.” Id.
II. FACTUAL BACKGROUND
EPIC is a non-profit corporation located in Washington, D.C. Barnes Decl. ¶ 2 [Dkt.
# 20-7]; Rotenberg Decl. ¶ 2 [Dkt. # 20-6]. EPIC is a public interest research center established
“to focus public attention on emerging civil liberties issues and to protect privacy, the First
Amendment, and other constitutional values.” Barnes Decl. ¶ 2; Rotenberg Decl. ¶ 2. It has a
“particular interest in preserving privacy safeguards established by Congress,” including the
FERPA, and it engages in activities “designed to protect privacy and educate the public,
including policy research, public speaking, conferences, media appearances, publications,
litigation, and comments for administrative and legislative bodies regarding the protection of
privacy.” Barnes Decl. ¶ 2; Rotenberg Decl. ¶ 2.
According to a declaration from Khaliah Barnes, Administrative Law Counsel for EPIC,
Barnes engaged in the following activities relating to the issuance of the 2011 Final Rule on
behalf of EPIC:
Participated in phone calls initiated by education activists, media, organizations,
and the public generally concerning a variety of education privacy topics, but
focused primarily on the Final Rule. Barnes Decl. ¶ 12.
Exchanged e-mails concerning a variety of education privacy topics, but focused
primarily on the Final Rule. Id. ¶ 13.
Participated in a one-on-person meeting with education activists who had
previously inquired about the Final Rule and a variety of education privacy topics,
but focused primarily on the Final Rule. Id. ¶ 14.
6
Updated the EPIC website and online newsletter regarding developments with the
promulgation of the Final Rule and subsequent developments, including the EPIC
lawsuit. Id. ¶ 15.
Published an article that discussed various issues related to education privacy,
including the Final Rule. Id. ¶ 16.
According to Barnes, if she had not been engaged with those activities, she would have
redirected her efforts to her other job responsibilities: “researching and submitting
administrative agency comments on proposed federal agency privacy regulations that pertain to
government collection, retention, and dissemination of personal information.” Id. ¶ 17.
Plaintiffs have also submitted a declaration from Marc Rotenberg, EPIC’s President and
Executive Director, which states that, between April 8, 2011 and September 6, 2011, EPIC
expended resources on filing administrative comments to the Notice of Proposed Rulemaking
that was issued before the Final Rule, responding to inquiries from the press and the general
public about the Department of Education’s activities on student privacy, and updating the EPIC
website and newsletter with information about FERPA and the related activities of the
Department of Education. Rotenberg Decl. ¶¶ 9–12. All of these expenditures took place before
December 2011, when the Final Rule was issued. Id. ¶ 9.
EPIC has a fourteen-member Board of Directors and an Advisory Board with over fifty
members. Id. ¶ 14. The members of the Board of Directors manage the organization and
participate in the selection of the Advisory Board. Id. ¶ 15. According to Rotenberg, the
members of the Board of Directors and of the Advisory Board “must formally commit to joining
the organization, and to supporting the mission of the organization.” Id. ¶ 16. They also make
financial contributions to EPIC, assist with EPIC’s substantive work, and recommend potential
clerkship and fellowship applicants. Id. ¶¶ 17–19.
7
The four individual plaintiffs in this case, Barber, Molina, Neumann, and Peel, are all
members of EPIC’s Board of Directors. Barber Decl. ¶ 3 [Dkt. # 20-2]; Molina Decl. ¶ 3 [Dkt.
# 20-3]; Neumann Decl. ¶ 3 [Dkt. # 20-4]; Peel Decl. ¶ 3 [Dkt. # 20-5]. According to
declarations from each of them, all four attended and graduated from one or more universities
that are subject to FERPA. Barber Decl. ¶¶ 4–5; Molina Decl. ¶¶ 4–5; Neumann Decl. ¶¶ 4–5;
Peel Decl. ¶¶ 4–5. The declaration of plaintiff Molina states in addition that he is an adjunct
professor at Georgetown University; he was the university’s associate vice president for
information technology from 2007 until 2012 and campus chief information officer from 2000
until 2012; and he will graduate from the university with a doctorate degree in 2013. Molina
Decl. ¶¶ 2, 4.
III. PROCEDURAL BACKGROUND
Plaintiffs filed the complaint in this action on February 29, 2012. Compl. [Dkt. # 1].
Count I alleges that the Department’s issuance of the Final Rule was not in accordance with the
law, in violation of the Administrative Procedure Act. Id. ¶ 30. Count II alleges that the Final
Rule was promulgated in excess of the Department’s statutory authority, in violation of the
Administrative Procedure Act. Id. ¶ 35. The complaint alleges that the Department’s changes to
the definitions of directory information, authorized representatives, and educational programs
within the directory information and authorized representative exceptions remove “affirmative
legal duties for state and local educational facilities to protect private student data.” Id. ¶ 20
(internal quotation marks omitted). Specifically, it alleges that:
By expanding the definition of directory information to include student ID numbers that
are displayed on individuals’ cards or badges, the Department insufficiently safeguards
students from the risk of re-identification, id. ¶ 24;
8
By designating non-governmental actors as “authorized representatives” of state
educational institutions, the Department would perform an “unauthorized, unlawful sub-
delegation of its own authority,” id. ¶ 22; and
By expanding the definition of educational programs, the Department would “expose
troves of sensitive, non-academic data,” id. ¶ 23.
ANALYSIS
This case begins and ends with plaintiffs’ constitutional standing to bring their claims.
“To state a case or controversy under Article III, a plaintiff must establish standing.” Ariz.
Christian Sch. Tuition Org. v. Winn, 131 S. Ct. 1436, 1442 (2011); accord Lujan v. Defenders of
Wildlife, 504 U.S. 555, 560 (1992) (holding that “standing is an essential and unchanging part of
the case-or-controversy requirement of Article III”). Standing is a necessary predicate to any
exercise of federal jurisdiction; if it is lacking, the dispute is not a proper case or controversy
under Article III, and federal courts have no subject matter jurisdiction to decide the case.
Dominguez v. Ual Corp., 666 F.3d 1359, 1361 (D.C. Cir. 2012). To establish constitutional
standing, a plaintiff must demonstrate: (1) that he has suffered a concrete, particularized, and
actual or imminent “injury in fact”; (2) that the injury is “fairly traceable” to the challenged
action of the defendant; and (3) that it is “likely, as opposed to merely speculative, that the injury
will be redressed by a favorable decision.” Lujan, 504 U.S. at 560–61, quoting Simon v. E. Ky.
Welfare Rights Org., 426 U.S. 26, 28 (1976) (internal quotation marks omitted); see also Friends
of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 180–81 (2000).
“The party invoking federal jurisdiction bears the burden of establishing” standing.
Lujan, 504 U.S. at 561. The extent of the plaintiff’s burden varies according to the procedural
stage of the case. Id. “At the pleading stage, general factual allegations of injury resulting from
the defendant’s conduct may suffice . . . . In response to a summary judgment motion, however,
the plaintiff can no longer rest on such ‘mere allegations,’ but must ‘set forth’ by affidavit or
9
other evidence ‘specific facts,’ which for the purposes of the summary judgment motion will be
taken to be true.” Id. (internal citations omitted). Even in an action seeking review of an
administrative action, the parties “must supplement the record to the extent necessary to”
substantiate their claim to standing. Sierra Club v. EPA, 292 F.3d 895, 900 (D.C. Cir. 2002).3
In assessing standing, the Court assumes plaintiffs will prevail on the merits of their claim. NB
ex rel. Peacock v. District of Columbia, 682 F.3d 77, 82 (D.C. Cir. 2012).
Plaintiffs present three distinct grounds on which they assert they have constitutional
standing to bring their claims: the standing of the individual plaintiffs, the standing of EPIC as
an association on behalf of its members, and the standing of EPIC as an organization. The Court
finds all of them unavailing.
I. THE INDIVIDUAL PLAINTIFFS LACK CONSTITUTIONAL STANDING
To establish their constitutional standing to assert the claims in the complaint, the
individual plaintiffs must demonstrate that they suffered an injury in fact, that was caused by the
conduct of defendant, and that can be redressed by judicial relief. Lujan, 504 U.S. at 560–61.
3 Although plaintiff brings the standing issue as a motion to dismiss under Federal Rule of
Civil Procedure 12(b)(1), the parties are at the summary judgment stage of the litigation:
defendant filed an answer, which listed as the first affirmative defense lack of standing, Answer
at 1 [Dkt. # 7]; the Court entered a scheduling order, consistent with the parties’ meet and confer
statement, that provided time for defendant to file the administrative record and for the parties to
brief dispositive motions, Scheduling Order at 1 [Dkt. # 9]; and, consistent with that scheduling
order, defendant’s motion was styled as a motion to dismiss for lack of subject matter
jurisdiction or, in the alternative, motion for summary judgment, see Def.’s Mot., and plaintiffs’
opposition to the motion doubled as a cross-motion for summary judgment, see Pls.’ Mot.
Nonetheless, the Court finds that plaintiffs have not established standing even under the motion
to dismiss standard because not only have plaintiffs failed to come forward with factual evidence
of injury in fact, causation, and redressability, but they have also failed to allege sufficient
factual allegations to support those three elements of standing in the complaint.
10
A. Injury in fact
The injury in fact test requires a plaintiff to allege that he has suffered “an invasion of a
legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not
conjectural or hypothetical.” Id. at 560 (internal citations omitted), quoting Allen v. Wright, 468
U.S. 737, 755 (1984). An injury is particularized if it affects the plaintiff in a personal and
individual manner. Id. at 561 n.1. “[A] plaintiff raising only a generally available grievance
about government – claiming only harm to his and every citizen’s interest in proper application
of the Constitution and laws, and seeking relief that no more directly and tangibly benefits him
than it does the public at large – does not state an Article III case or controversy.” Id. at 573–74.
Plaintiffs maintain that the injury-in-fact requirement is satisfied in this case because the
Final Rule increases the risk that their personal information will be disclosed to a host of
unregulated third-party entities without their consent, which in turn increases the risk that the
information will be used for illicit purposes, such as to improperly deny them insurance benefits
or for identity fraud. Pls.’ Mem. at 6. They characterize their injury as an “increased-risk-of-
harm,” id., which is governed by the standard set out in Public Citizen, Inc. v. National Highway
Traffic Safety Administration, 489 F.3d 1279 (D.C. Cir. 2007). In Public Citizen, the petitioners
– including a public interest group called Public Citizen – sued the National Highway
Transportation Safety Administration over a regulation that the agency had issued, which set a
minimum performance standard for tire pressure monitors in automobiles. 489 F.3d at 1285–86.
Public Citizen argued that it satisfied the constitutional standing inquiry because the agency’s
rule increased the risk that some of its members would suffer car accidents in the future as
compared to what the risk would have been had the agency adopted an alternative regulation
advanced by Public Citizen. Id. at 1291.
11
The D.C. Circuit began by finding that the proffered injury was (1) concrete because the
physical injuries that result from car accidents are plainly concrete and (2) particularized because
each person who is injured in a car accident is injured personally and distinctly. Id. at 1292; see
also Lujan, 504 U.S. at 560 n.1 (defining “particularized” as affecting the plaintiff in a personal
and individual way). Here, defendant does not dispute that the alleged harm to the individuals in
this case is both concrete and particularized, and the Court agrees. The harm that the individuals
are now allegedly more at risk of suffering is identity fraud or some other misuse of their
identities. See Pls.’ Mem. at 7; Pls.’ Reply in Supp. of their Cross-Mot. for Summ. J. (“Pls.’
Reply”) at 9 [Dkt. # 24]; see also Barber Decl. ¶¶ 10–11 (stating that inappropriate release of his
education records could allow unauthorized individuals to compute his credit score, which
insurers could use to deny coverage or raise rates); Molina Decl. ¶ 10 (same); Neumann Decl. ¶
10 (same); Peel Decl. ¶¶ 9–10 (same and also expressing concern that fingerprint data could be
inappropriately disclosed to law enforcement databases or fusion centers). The unauthorized use
of an individual’s personal information to deny him benefits is certainly a concrete injury that
affects the individual personally and distinctly. See Lambert v. Hartman, 517 F.3d 433, 437
(6th Cir. 2008) (finding that identity theft, which affected the plaintiff’s financial security and
credit rating, was a sufficiently concrete and particularized injury in fact for purposes of
conferring standing).
The more difficult issue in this case, as in Public Citizen, concerns the requirement that
the plaintiffs’ injuries be “actual or imminent.” The Public Citizen court acknowledged that
Public Citizen’s theory of injury rested on evidence that the defendant’s actions would increase
the risk of harm to a class of individuals, which included Public Citizen members. The court
concluded that, in such an “increased-risk-of-harm” case, the constitutional imminence
12
requirement demands that the plaintiff demonstrate “both (i) a substantially increased risk of
harm and (ii) a substantial probability of harm with that increase taken into account.” Public
Citizen, 489 F.3d at 1295. The Court noted that, although there are no numerical rules for the
amount of increase in risk of harm or level of ultimate risk that are high enough to be
“substantial,” the constitutional requirement of imminence “necessarily compels a very strict
understanding” of the term. Id. at 1296. In the end, the court remanded the case to the district
court to further develop the record concerning whether the injury asserted by Public Citizen met
this standard. Id. at 1296–98.
Here, plaintiffs do not satisfy either prong of the increased risk of harm test: they have
not shown a substantially increased risk that they will suffer identity fraud, and they have not
shown that the absolute likelihood of suffering identity fraud is substantial. In fact, plaintiffs
provide no evidence – not even any allegations – about how much more likely they are to be the
victims of identity fraud now than before the passage of the Final Rule, and they provide
absolutely no information about the absolute risk that their information will be used improperly.
Cf. Nat’l Resources Def. Council v. EPA, 464 F.3d 1, 7 (D.C. Cir. 2006) (the plaintiff, an
environmental membership organization, presented statistical evidence showing that two to four
of its members would develop nonfatal skin cancer as a result of the challenged rule); Mountain
States Legal Found. v. Glickman, 92 F.3d 1229, 1235 (D.C. Cir. 1996) (the plaintiffs presented
evidence showing that the regulations they challenged increased the risk of forest fire by about
nine percent).4
4 Moreover, the individual plaintiffs in this case are only four people out of the millions
that are subject to the Final Rule, so it is difficult for plaintiffs to establish that they personally
will have both a substantially increased risk of harm and a substantial probability of harm with
that increase taken into account. See Williams v. District of Columbia, 530 F. Supp. 2d 119,
126–27 (D.D.C. 2008) (distinguishing the instant case brought by one individual who could not
13
In their memorandum, plaintiffs explain that the Final Rule increases the likelihood that
the individual plaintiffs will suffer misuse of their personal information because it permits
educational institutions to disclose student data to “unregulated” third parties under the
“authorized representative” exception to FERPA’s disclosure restrictions. See Pls.’ Mem. at 5–8.
And at the hearing on the motion in this case, plaintiffs also asserted that the Final Rule’s
redefinition of the term “directory information” to include student ID numbers gives rise to a
second possible injury: that by designating student ID numbers as “directory information,” the
Final Rule permits educational institutions to place student ID numbers on student badges
without the students’ consent.5, 6
Plaintiffs have submitted declarations from each of the individual plaintiffs in this case to
support their theory of injury. According to the declarations, all of the plaintiffs attended and
graduated from one or more universities that are subject to FERPA. Barber Decl. ¶¶ 4–5; Molina
Decl. ¶¶ 4–5; Neumann Decl. ¶¶ 4–5; Peel Decl. ¶¶ 4–5. Plaintiffs’ attendance at many of these
universities took place decades ago. See, e.g., Barber Decl. ¶ 4 (stating that he received his B.A.
from Pomona College in 1978, an M.A. from Princeton University in 1980, a J.D. from Rutgers
in 1991, and that he attended at the school of communication at Rutgers for two months in 2010);
Molina Decl. ¶ 4 (stating that he received his B.S. and M.B.A. from Saint Louis University in
1992 and 1995 respectively, and that he attended graduate engineering courses at Washington
demonstrate that he personally would suffer an increased likelihood of harm from cases like
Mountain States and Natural Resources Defense Council, which were brought by large
organizations with many members that could demonstrate a heightened probability of harm by
showing with statistics that at least one of its members would be impacted).
5 Plaintiffs have argued that not only does the Final Rule improperly characterize student
ID numbers as “directory information,” (which is information not generally considered to be
harmful or an invasion of privacy if disclosed), but the Final Rule also disregards the FERPA
requirement that educational institutions must provide students an opportunity to request that the
institution obtain their consent before disclosing directory information. Pls.’ Mem. at 18–19.
6 At the time this opinion was issued, the trial transcript was not available.
14
University in 1998); Neumann Decl. ¶ 4 (stating that he received his A.B., S.M., and Ph.D. from
Harvard University in 1954, 1955, and 1961 respectively); Peel Decl. ¶ 4 (stating that she
attended the University of Texas at Austin from 1968 to 1970, received her M.D. from and
completed her residency at University of Texas Medical Branch in 1974 and 1977 respectively,
and completed post-graduate training at the Dallas Psychoanalytic Institute in 1999). Plaintiff
Molina has a more recent connection to higher education: he adds that he will graduate from
Georgetown University – an educational institution subject to FERPA – with a doctorate degree
in 2013. Molina Decl. ¶ 4. Molina’s declaration also states that he is an adjunct professor at
Georgetown University and was the university’s associate vice president for information
technology from 2007 until 2012, and campus chief information officer from 2000 until 2012.
Id. ¶ 2.
At the oral argument in this case, both plaintiffs and defendant focused their attention
primarily on Molina’s standing to bring this action. He is the only plaintiff who was still
enrolled at an educational institution at the time the complaint in this case was filed, and so the
disclosure requirements are more likely to affect him than any of the other plaintiffs who
graduated earlier. See Molina Decl. ¶ 4 (stating that Molina will graduate from Georgetown
University with a doctorate degree in 2013); see also Lujan, 504 U.S. at 569 n.4 (“‘The existence
of federal jurisdiction . . . depends on the facts as they exist when the complaint is filed.’”),
quoting Newman-Green, Inc. v. Alfonzo-Larrain, 490 U.S. 826, 830 (1989). Certainly Molina is
the only plaintiff who might be affected by any display of student ID numbers on student badges,
and his personal information is the most likely to still be maintained and disclosed by an entity
subject to the Final Rule.
15
1. Expansion of the directory information exception theory of injury
At the hearing, plaintiffs argued that Molina is injured by the Final Rule because it
permits Georgetown University – the educational institution where Molina is currently enrolled –
to place Molina’s university ID number on his student badge, which would make the ID number
more susceptible to identity theft.
There are two major problems with this argument. First, plaintiffs have not shown that
disclosure of Molina’s Georgetown University ID number on a badge makes it substantially
more probable that he will be the victim of identity theft. In fact, the Rule expressly provides
that students’ ID numbers may be classified as disclosable directory information only if the
number “cannot be used to gain access to education records except when used in conjunction
with one or more factors that authenticate the user’s identity, such as a PIN [(personal
identification number)], password, or other factor known or possessed only by the authorized
user.” Final Rule, AR at 733. So even if the display of Molina’s university ID number on his
badge makes it more likely that the ID number will be seen by someone who wants to misuse
Molina’s personal information, that individual would still need Molina’s PIN or password to
access the information. Neither the PIN nor the password would be present on the badge or
otherwise easily accessible. Accordingly, plaintiffs lack a crucial element of establishing that
disclosure of Molina’s student ID number on his student badge increases the likelihood his
personal information will be accessed by an unauthorized individual and misused, let alone that
such likelihood is substantial as an absolute matter.
In addition, Molina cannot establish that he will suffer a greater likelihood of injury as a
result of the Final Rule because Georgetown University ID cards already contain the individual’s
university ID number. See Georgetown One Card: Your Georgetown ID, Georgetown
16
University, http://gocard.georgetown.edu/what/id/ (last visited Sept. 16, 2013) (explaining that
the GOCard is the Georgetown ID card); Georgetown One Card: GOCard About to Expire?,
Georgetown University, http://gocard.georgetown.edu/page/1242701316531.html (last visited
Sept. 16, 2013) (“The GOCard was brought to you nearly 5 years ago.”); Georgetown One Card:
What are the components of the GOCard?, Georgetown University,
http://gocard.georgetown.edu/page/1242701316765.html (last visited Sept. 16, 2013) (stating
that the University ID Number is a component of the GOCard); Georgetown One Card: What is
the University ID Number?, Georgetown University,
http://gocard.georgetown.edu/page/1242701316906.html (last visited Sept. 16, 2013) (explaining
that the university ID Number is a random number assigned to all individuals affiliated with the
university for purposes of identification, and that the ID number stays with an individual for the
entire duration of his or her affiliation with Georgetown).
Since Molina is a faculty member at Georgetown University, any university ID card he
already possesses necessarily contains his university ID number – the same number that stays
with him for the entire duration of his affiliation with Georgetown. Id. This defeats any attempt
by plaintiffs to show that the chance that Molina’s personal information will be stolen and
misused is substantially likely to increase due to the Final Rule’s inclusion of university ID
numbers in the definition of “directory information.” In addition, plaintiffs’ failure to provide
any evidence, or even allegations, that any person affiliated with Georgetown has suffered harm
from the inclusion of university ID numbers on Georgetown GOCards up until this point
undermines their attempt to show an absolute likelihood of harm.
17
2. Expansion of the authorized representative exception theory of injury
Plaintiffs have also argued that by expanding the definitions of “authorized
representative” and “educational program,” the Final Rule permits educational institutions to
disclose plaintiffs’ educational records to unregulated third parties and therefore increases the
risk that their personal information will used to harm them.7 But this theory of injury is also
marred by several fatal deficiencies. For plaintiffs to be the victims of identity theft due to the
disclosure of their information pursuant to the Final Rule, all of the following must occur: (1)
institutions governed by the Final Rule must still maintain personal information about plaintiffs
that, if stolen, could be used in injurious ways; (2) the institutions that maintain plaintiffs’
7 Although plaintiffs object to the definition of “education program” in the Final Rule, their
theory of the way that this definition injures them is linked to their theory of how the Final
Rule’s definition of the term “authorized representative” injures them, so the Court need only
address whether plaintiffs demonstrate injury in fact from the change that the Final Rule makes
to the definition of “authorized representative.” Plaintiffs appear to protest that the Final Rule
expands the number of entities that are considered “education programs” and therefore increases
the number of sources of personal information that may now be disclosed to “authorized
representatives.” See Pls.’ Reply at 8 (explaining that “authorized representatives” are any
designated entity or individual that will audit or evaluate a federal- or state-supported education
program). But since the definition of “authorized representative” has also been expanded,
plaintiffs argue, the personal information from all of these sources is now disclosable to more
entities, including “unregulated” third parties. Id. So, plaintiffs’ theory of injury that arises from
the new definition of “educational institution” appears to rely on the risk of harm that the agency
has allegedly created by broadly defining the term “authorized representative.” Accordingly, the
Court’s conclusion that plaintiffs have not shown any imminent injury from the redefinition of
“authorized representative” closes off any theory of injury caused by the new definition of
“educational institutions.”
18
personal information must provide that information to unregulated third-party entities8; and (3)
once plaintiffs’ personal information is provided to those third-party entities, those parties must
use it improperly or disclose it to others who use it improperly. This is an attenuated chain of
events to begin with, and plaintiffs have not presented evidence, or even factual allegations, to
demonstrate that any of the steps has occurred or is likely to occur, let alone that it is imminent.
See Grand Lodge of Fraternal Order of Police v. Ashcroft, 185 F. Supp. 2d 9, 16 (D.D.C. 2001) (
“[T]he chain of events that would need to occur for the defendants to commit these alleged
wrongs . . . is simply too attenuated to be a real and immediate threat.”), citing Lujan, 504 U.S. at
564 n.2.
To address the first condition – that institutions governed by the Final Rule maintain
personal information about plaintiffs that, if stolen, could be used in injurious ways – plaintiffs
rely on their own declarations, in which all four plaintiffs state that the universities they attended
continue to maintain education records about them. Barber Decl. ¶ 6; Molina Decl. ¶ 6;
Neumann Decl. ¶ 6; Peel Decl. ¶ 6. Importantly, none of the plaintiffs articulate any basis for
their personal knowledge of what information the universities maintain, despite the requirement
under Federal Rule of Civil Procedure 56(c)(4) that a declaration “must be made on personal
knowledge . . . and show that the . . . declarant is competent to testify on the matters stated.”
8 Although plaintiffs do not define precisely what they mean by “unregulated third-
parties,” the Court construes this phrase to mean entities that are not under the “direct control” of
an entity to which FERPA expressly extends authorization to access student records in order to
conduct an audit or evaluation or for enforcement or compliance activity under 20 U.S.C. §
1232g(b)(3). The Court adopts this construction because the Final Rule changes the
Department’s definition of “authorized representative” by omitting the “direct control”
requirement. See 76 Fed. Reg. 75604, 75617 (Dec. 2, 2011) (codified at 34 C.F.R. pt. 99)
(stating that, under the 2008 rule, outside parties were included under the definition of
“authorized representative” so long as they were under the direct control of a state education
agency, but that in the 2011 Final Rule, the Department has decided to eliminate the direct
control requirement).
19
Moreover, since plaintiffs provide no information about what particular personal information is
contained in the maintained education records, they fail to show that the institutions maintain the
type of valuable personal information about them that could be used for identity fraud or to
improperly alter their insurance rates.9
But even if the Court were to assume that plaintiffs’ alma maters maintain records about
them that contain valuable personal information, such as social security numbers, plaintiffs have
failed to make any showing that it is likely the schools will disclose the information to
unregulated third parties. Rather, plaintiffs conclusorily maintain that their personal information
is being, or will be, disclosed to statewide longitudinal data systems (“SLDS”) – which are
compilations of student information from educational institutions located within the certain states
– and that the Final Rule permits unregulated third parties to access the information in those data
systems. Pls.’ Mem. at 6–7. To show that plaintiffs’ educational records are maintained in those
states, plaintiffs point the Court to the website of the National Center for Education Statistics,
which contains information about federal grants that have been provided to states in order to
maintain SLDSs. Id. at 6. The website shows that each of the plaintiffs attend or attended at
least one educational institution in a state that receives federal funding to maintain SLDSs:
Missouri, Massachusetts, Texas, and the District of Columbia. See Statewide Longitudinal Data
Systems Grant Program: Grantee State – Missouri, National Center for Education Statistics,
9 The Peel Declaration states that the University of Texas Medical Branch (“UTMB”)
collected a full set of fingerprints as a requirement to matriculate. Peel Decl. ¶ 6. However, the
declaration does not state that those fingerprints are still being maintained in her education
records at UTMB, and the Court declines to assume that they are as Peel received her M.D. and
completed her residency at that institution nearly four decades ago, in 1974 and 1977
respectively. Id. ¶ 4.
20
http://nces.ed.gov/programs/slds/state.asp?stateabbr=MO (last visited Sept. 16, 2013); Statewide
Longitudinal Data Systems Grant Program: Grantee State – Massachusetts, National Center for
Education Statistics, http://nces.ed.gov/programs/slds/state.asp?stateabbr=MA (last visited Sept.
16, 2013); Statewide Longitudinal Data Systems Grant Program: Grantee State – Texas,
National Center for Education Statistics,
http://nces.ed.gov/programs/slds/state.asp?stateabbr=TX (last visited Sept. 16, 2013); Statewide
Longitudinal Data Systems Grant Program: Grantee State – District of Columbia, National
Center for Education Statistics, http://nces.ed.gov/programs/slds/state.asp?stateabbr=DC (last
visited Sept. 16, 2013).
Just because the states maintain SLDSs, however, does not mean that the particular
information that the colleges and universities maintain about the plaintiffs will be included in
those SLDSs.10 First, all of the SLDS grant applications for Massachusetts, Missouri, Texas and
the District of Columbia were submitted within the past seven years, which is long after nearly
all of these plaintiffs had already left those institutions. And plaintiffs have not alleged or
provided any evidence that any of these SLDSs collect data retroactively. Cf. Buckley Decl. ¶ 27
[Dkt. # 18-9] (“No information provided to the Department suggests that DC’s [SLDS program]
will be backfilled with advanced degree data from Georgetown University or other institutions
for years prior to the one in which postsecondary information begins to be linked to the
system.”). In fact, comparing the information in plaintiffs’ declarations about when they
attended educational institutions to the information on the National Center for Education
10 In addition, because plaintiffs have not identified the type of personal information that is
currently being maintained about them, plaintiffs cannot even show that the personal information
their educational institutions maintain about them is of the same type as the information that has
been or will be disclosed to SLDS entities.
21
Statistics website about when the states filed SLDS grant applications reveals that the only
plaintiff who actually attended an educational institution during the time when that institution’s
state was receiving federal SLDS funds is Molina, who is currently attending Georgetown
University in the District of Columbia.11
And even with regards to the District of Columbia’s SLDS program, Molina does not fit
the description of the subjects whom the program is geared to monitor. According to the
declaration of Jack Buckley, the Commissioner of the National Center for Education Statistics
(which is part of the Institute of Education Sciences of the U.S. Department of Education), the
District of Columbia submitted an application for an SLDS grant on December 15, 2011.
Buckley Decl. ¶ 20, citing Ex. 2 to Buckley Decl. (excerpts from the SLDS application). The
application explained that its Statewide Longitudinal Education Data System (“SLED”) currently
included only data from pre-kindergarten through twelfth grade. Id. ¶ 21, citing Ex. 2 to Buckley
Decl. at e14. The application proposed linking SLED to three existing post-secondary databases:
(1) “DC OneApp, which includes information from DC residents who apply for DC’s three
higher education grant programs”; (2) “AspirePath, which includes information on adult literacy
students at DC’s community college”; and (3) the Banner student database, which is “used by
DC’s community college, public university, and other postsecondary institutions.” Id. ¶¶ 22–23,
citing Ex. 2 to Buckley Decl. at e21–e22. Of the three databases, the Banner student database is
the only one that might contain data from Georgetown University; however, the Buckley
declaration goes on to state that, “[a]ccording to information provided to the Department,
11 Although Barber attended the School of Communication at Rutgers in New Jersey for
two months in 2010, the National Center for Education Statistics website reveals that New
Jersey’s only application for SLDS funding was filed in 2012. Statewide Longitudinal Data
Systems Grant Program: Grantee State – New Jersey, National Center for Education Statistics,
http://nces.ed.gov/programs/slds/state.asp?stateabbr=NJ (last visited Sept. 11, 2013).
22
Georgetown University’s only agreement to provide student information to DC concerns the
undergraduate students from DC who receive financial assistance through DC’s Higher
Education Financial Services office.” Id. ¶ 26. Plaintiffs do not allege that Molina receives that
type of financial assistance.
Plaintiffs do not present any evidence that disputes that statement. Rather, they cite what
they call a “prominent report,” which found that most states collect information in excess of what
is needed for SLDS compliance. Pls.’ Mem. at 7. That study, however, concerns only
elementary and secondary school state reporting systems, and all of the institutions that allegedly
maintain educational information about plaintiffs are post-secondary institutions. Barber Decl. ¶
6; Molina Decl. ¶ 6; Neumann Decl. ¶ 6; Peel Decl. ¶ 6. Plaintiffs make no showing that states
collect excessive personal information about post-graduate students, let alone that the District of
Columbia collects such excessive information about post-graduate students from Georgetown
University. So they present no factual foundation for their sweeping conclusion that, “[b]ecause
states collect excessive information, there is a substantial probability that pursuant to the Final
Rule, plaintiffs’ personally identifiable information will be disclosed to unregulated SLDS
entities.” Pls.’ Mem. at 7.
Finally, plaintiffs fail to present factual allegations or adduce evidence to demonstrate
any likelihood that plaintiffs’ personal information will be disclosed to unregulated third-party
entities or to show any likelihood that plaintiffs’ information will be used in a way that injures
them even if their information is disclosed to such entities. To begin with, the Final Rule does
not require educational agencies or institutions to disclose student information to new entities or
individuals, including what plaintiffs call “unregulated” third-party entities. The Final Rule only
authorizes disclosure to new entities by redefining who is an “authorized representative” that
23
may have access to student records “in connection with the audit and evaluation of Federally-
supported education programs.” See 20 U.S.C. § 1232g(b)(3); accord 34 C.F.R. § 99.3. And
plaintiffs make no showing – either with factual allegations or evidence – that the particular
universities that they attended will choose to disclose information to new entities. See Chlorine
Inst. Inc. v. Fed. R.R. Admin., 718 F.3d 922, 927–28 (D.C. Cir. 2013) (finding that the plaintiffs’
assertion that a final rule issued by the Federal Railroad Administration would harm chlorine
shippers because it gave railroads the opportunity to restrict or eliminate chlorine shipments by
mail was too speculative to constitute injury in fact).
In addition, plaintiffs have presented no data on the likelihood that identity fraud would
result from any of the newly authorized activities. Plaintiffs assert generally that “[t]here is a
strong presumption that each plaintiff’s non-directory information will be included in the SLDS
without sufficient privacy safeguards,” Pls.’ Reply at 8–9, but they do not explain why the Court
should presume that the SLDS will not have sufficient privacy safeguards for their personal
information. On the contrary, FERPA requires that any data that is disclosed “shall be protected
in a manner which will not permit the personal identification of students and their parents by
other than those officials, and such personally identifiable data shall be destroyed when no
longer needed for such audit, evaluation, and enforcement of Federal legal requirements.” 20
U.S.C. § 1232g(b)(3); see also 34 C.F.R. § 99.35(a)(2)(i) (requiring the state or local educational
authority or authorized agency to be responsible for “using reasonable methods to ensure to the
greatest extent practicable” that any entity or individual designated as its authorized
representative uses personal information only for purposes of evaluation or audit, “or for the
enforcement of or compliance with federal legal requirements related to the programs”); 34
C.F.R. § 99.35(a)(2)(ii)–(iii) (holding state or local educational authority or authorized agency
24
responsible for ensuring the protection of personal information and the destruction of the
information when no longer needed). The preamble to the Final Rule confirms that these
requirements apply to any entity that receives student data under the provision that plaintiffs
challenge. See 76 Fed. Reg. 75604, 75618 (Dec. 2, 2011), (codified at 34 C.F.R. pt. 99); see also
Final Rule, AR at 710. Moreover, the penalties for failure to adequately protect data that are
contemplated by the regulatory scheme weigh toward a presumption that there will be adequate
safeguards. See 34 C.F.R. § 99.66 (describing enforcement mechanisms).
In sum, plaintiffs’ fears are wholly speculative. Plaintiffs have failed to meet their
burden under Public Citizen to demonstrate that there is a greater risk of personal injury to the
plaintiffs that flows from the new Rule or that the harm they posit is actual or imminent. This
finding does not rely on what plaintiffs claim would be an unduly restrictive interpretation of the
injury-in-fact requirement, which would require plaintiffs to show that the consequential harms
of the privacy violation have already occurred. See Pl.’s Reply at 9. The Court’s conclusion is
merely the result of plaintiffs’ failure to come forward with evidence – or even factual
allegations – that the Final Rule makes any consequential harms substantially more likely to
occur than before its enactment, and that as an absolute matter, the consequential harms are
substantially likely to occur.
In that way, this case is distinguishable from the two cases from other jurisdictions that
plaintiffs cite: Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007), and
Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010). The Courts of Appeals for
the Seventh and Ninth Circuits concluded that plaintiffs need not come forward with evidence
that their data has actually been misused in order to establish injury in fact. And although they
articulated a slightly different standard than the one articulated by the court of appeals in this
25
jurisdiction, they still acknowledged that the plaintiff must show “a threat of future harm or . . .
an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff
would have otherwise faced.” Pisciotta, 499 F.3d at 634; see also Krottner, 628 F.3d at 1143
(holding that a plaintiff meets the injury-in-fact requirement for standing if he “faces a credible
threat of harm, and that harm is both real and immediate, not conjectural or hypothetical”)
(citations and internal quotation marks omitted).
In Pisciotta, the plaintiffs demonstrated that the website held by the defendant – a
marketing website that helps individuals obtain banking services, which contained the plaintiffs’
personal identifying information, social security numbers, credit card numbers, and banking
information – had been accessed by a sophisticated and malicious intruder. Pisciotta, 499 F.3d
at 631–32. Based on those facts, the court found that there was a real and imminent threat of
future harm to the plaintiffs. Id. at 634. And in Krottner, the plaintiffs – a class of Starbucks
employees – established that a corporate laptop containing encrypted personal data of about
97,000 Starbucks employees had been stolen. 628 F.3d at 1140–41. Based on that showing, the
court found that the plaintiffs had alleged “a credible threat of real and immediate harm
stemming from the theft.” Id. at 1143. The court acknowledged, however, that were the
plaintiffs’ “allegations more conjectural or hypothetical – for example, if no laptop had been
stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future
– we would find the threat far less credible.” Id.
Plaintiffs here are asking the Court to find an injury in fact based on allegations and
evidence showing only a vague possibility that their personal information might be stolen at
some point in the future. That is not sufficient to demonstrate the imminence that constitutional
26
standing requires. Accordingly, the Court finds that the individual plaintiffs have not satisfied
the injury in fact prong of the constitutional standing requirement.
B. Causation and Redressability
Moreover, plaintiffs have failed to establish that any injury they will suffer would be
caused by the provisions of the Final Rule that they challenge. “It is well established that
‘[c]ausation, or traceability, examines whether it is substantially probable that the challenged acts
of the defendant, not of some absent third party, will cause the particularized injury of the
plaintiff.’” Grocery Mfrs. Ass’n v. EPA, 693 F.3d 169, 176 (D.C. Cir. 2012) (alteration in
original), quoting Fla. Audobon Soc’y v. Bentsen, 94 F.3d 658, 663 (D.C. Cir. 1996); see also
Freedom Republicans, Inc. v. FEC, 13 F.3d 412, 418 (D.C. Cir. 1994) (stating that “fair
traceability turns on the causal nexus between the agency action and the asserted injury”). In
addition, the individual plaintiffs must demonstrate that it is “‘likely,’ as opposed to merely
‘speculative,’ that their injuries will be ‘redressed by a favorable decision.’” Lujan, 504 U.S. at
561, quoting Simon, 426 U.S. at 38.
Importantly, the Final Rule that plaintiffs are challenging here does not directly regulate
plaintiffs or defendant, but instead regulates education institutions, which plaintiffs allege might
take actions that affect them. As the Supreme Court in Lujan stated very clearly:
The existence of one or more of the essential elements of standing
“depends on the unfettered choices made by independent actors not before
the courts and whose exercise of broad and legitimate discretion the courts
cannot presume either to control or to predict,” and it becomes the burden
of the plaintiff to adduce facts showing that those choices have been or
will be made in such manner as to produce causation and permit
redressability of injury. Thus, when the plaintiff is not himself the object
of the government action or inaction he challenges, standing is not
precluded, but it is ordinarily “substantially more difficult” to establish.
27
Id. at 562, quoting ASARCO Inc. v. Kadish, 490 U.S. 605, 615 (1989). So, even if the Court
assumes that plaintiffs have demonstrated that they face an imminent threat of identity theft,
which they have not, plaintiffs must still show that it is the promulgation of the Final Rule that
causes the injury: that the Final Rule itself causes educational institutions to disclose plaintiffs’
personal information to risky third parties, and that if the Court overturns the Final Rule, the
educational institutions will stop disclosing plaintiffs’ personal information to those risky third
parties. They have not made these showings either.
First, the expansion of the directory information exception does not cause the plaintiffs to
face imminent identity fraud. As the Court already recounted, plaintiff Molina is the only
plaintiff who can possibly be affected by the Final Rule’s expansion of the directory information
exception since he is the only plaintiff who was still a student at the time this action was
initiated. But, importantly, the Final Rule does not require Georgetown University – where
Molina is a student – to disclose university ID numbers. Rather, the Final Rule provides that
“directory information includes” an ID number used by a student for purposes of accessing or
communicating in electronic systems, and an ID number that is displayed on a student ID badge.
34 C.F.R. § 99.3 (emphasis added). Under FERPA, each educational institution can choose
whether to make the various categories of directory information public or not. 20 U.S.C. §
1232g(a)(5)(B). So it is within Georgetown University’s discretion to decide whether it will
publicize student ID numbers by requiring that they be placed on a student badge. Plaintiffs
have not come forward with any facts – or even factual allegations – to show that the
promulgation of the Final Rule has caused or will cause Georgetown to make that choice.
Indeed, as the Court has already described in its discussion of the injury-in-fact requirement, the
Georgetown University website appears to show that the university already requires university
28
ID numbers to appear on student and faculty ID cards. Accordingly, the Court cannot find that
any injury the new definition of “directory information” might cause would be redressable with
the relief sought in this case – the invalidation of the Final Rule. Compl. ¶¶ 32, 37 & p. 7.
The Court similarly cannot find that the Final Rule’s expansion of the authorized
representative exception has caused any individual plaintiff to face an imminent risk of identity
fraud. As already discussed, the realization of plaintiffs’ identified injury requires a long chain
of events to occur. Two of those events require the exercise of discretion by third parties: first,
plaintiffs’ educational institutions must choose to disclose their personal information to
“unregulated” third-party entities, and then those entities must use plaintiffs’ information in a
fraudulent or injurious way or disclose it to even another party who uses it in a way that injures
plaintiffs. Such a chain of events is too attenuated for the Court to find that defendant’s issuance
of the Final Rule is the cause of any resulting injury to plaintiffs. See Ctr. for Biological
Diversity v. U.S. Dep’t of Interior, 563 F.3d 466, 478 (D.C. Cir. 2009) (“The more attenuated or
indirect the chain of causation between the government’s conduct and the plaintiff’s injury, the
less likely the plaintiff will be able to establish a causal link sufficient for standing.”).
Moreover, as defendant points out, even before the definition of “authorized
representative” was changed by the Final Rule, the Department defined that term to permit the
disclosure of student data to a wide variety of individuals who were not employees of state or
local education agencies. See 73 Fed. Reg. 74806, 74825 (Dec. 9, 2008) (codified at 34 C.F.R.
29
pt. 99) (preamble to 2008 regulations)12; Final Rule, AR at 709 (listing some examples of entities
that have received student data under FERPA’s authorized representative exception that are not
employees or contractors of state or local education agencies). And the individuals who receive
student data under the 2011 Final Rule are subject to privacy protection requirements and
penalties for violations, just as the individuals that were permitted to receive student data were
before the enactment of the Final Rule. 4 C.F.R. §§ 99.35(a)(2)(i)–(iii), 99.66; see also Final
Rule, AR at 710, 734–35. In fact, the requirements in the 2011 Final Rule are more restrictive
than the restrictions in the prior rule. Compare 34 C.F.R. § 99.35(a)(3) (2011) (requiring a
written agreement between the educational authority or agency and the authorized representative,
delineating, for example, the time period in which the personal information must be destroyed
and the privacy policies and procedures that will be followed), with 34 C.F.R. § 99.35(a) (2008)
12 The preamble of the 2008 rule stated:
In general, the Department has interpreted FERPA and implementing
regulations to permit the disclosure of personally identifiable information
from education records, without consent, in connection with the
outsourcing of institutional services and functions. Accordingly, the term
‘authorized representative’ in [34 C.F.R.] § 99.31(a)(3) includes
contractors, consultants, volunteers, and other outside parties (i.e., non-
employees) used to conduct an audit, evaluation, or compliance or
enforcement activities specified in § 99.35, or other institutional services
or functions for which the official or agency would otherwise use its own
employees. For example, a State educational authority may disclose
personally identifiable information from education records, without
consent, to an outside attorney retained to provide legal services or an
outside computer consultant hired to develop and manage a data system
for education records.
73 Fed. Reg. 74806, 74825 (Dec. 9, 2008) (codified at 34 C.F.R. pt. 99).
30
(containing no such requirement).13 Accordingly, plaintiffs cannot establish that any risk of their
personal information being compromised would be redressed by the invalidation of the 2011
Final Rule.
Because plaintiffs have failed to establish that the individual plaintiffs satisfy the
elements of constitutional standing, the Court finds that it lacks subject matter jurisdiction over
their claims.
II. EPIC LACKS STANDING AS AN ASSOCIATION
An association has standing to sue on behalf of its members if it can demonstrate that:
“(1) at least one of its members would have standing to sue in his own right, (2) the interests the
association seeks to protect are germane to its purpose, and (3) neither the claim asserted nor the
relief requested requires that an individual member of the association participate in the lawsuit.”
Sierra Club v. EPA, 292 F.3d 895, 898 (D.C. Cir. 2002), citing Hunt v. Wash. State Apple Adver.
Comm’n, 432 U.S. 333, 342–43 (1977). Although EPIC argues that the members of its Board of
Directors and Advisory Board act as members of the organization for purposes of standing, Pls.’
Mem. at 11–13, defendant raises serious questions about whether EPIC is an association made up
of members that may avail itself of the associational standing doctrine, Mem. in Support of
Def.’s Mot. to Dismiss or, in the Alternative, for Summ. J. (“Def.’s Mem.”) at 14–15 [Dkt. # 18];
Def.’s Opp. to Pls.’ Cross-Mot. for Summ. J. (“Def.’s Opp.”) at 12 n.12 [Dkt. # 22]. But
regardless of the outcome of that dispute, plaintiff EPIC cannot satisfy associational standing
because it has not established that any of the individuals that it identifies as EPIC’s “members”
13 Defendant even argues – and plaintiff does not expressly dispute – that “the only
meaningful effect of abandoning the direct control standard was to permit other government
entities who were not educational authorities to receive information from educational agencies
and institutions.” Def.’s Opp. to Pls.’ Cross-Mot. for Summ. J. (“Def.’s Opp.”) at 10 [Dkt. # 22];
see also Mem. in Support of Def.’s Mot. to Mot. to Dismiss or, in the Alternative, For Summ. J.
(“Def.’s Mem.”) at 33–34 [Dkt. # 18].
31
have standing to sue in their own right. The only “members” that plaintiffs identify as
possessing individual standing are the same four individuals who are named as plaintiffs in this
action. Pls.’ Mem. at 12–13. Since this Court has already found that those plaintiffs have not
established constitutional standing to bring their claims, the Court must find that EPIC lacks
constitutional standing on their behalf as well. See Wilderness Soc’y v. Norton, 434 F.3d 584,
590 (D.C. Cir. 2006) (“In order to establish standing, [the association] must demonstrate, as to
each of its claims, that at least one member meets the requirement of Lujan.”).
III. EPIC LACKS STANDING AS AN ORGANIZATION
To sue on its own behalf, an organization must meet the standing requirements applicable
to individuals: (1) injury in fact, (2) causation, and (3) redressability. Havens Realty Corp. v.
Coleman, 455 U.S. 363, 378 (1982); Nat’l Taxpayers Union, Inc. v. United States, 68 F.3d 1428,
1433 (D.C. Cir. 1995). EPIC asserts that its alleged harm caused by the Final Rule – making
EPIC’s activities less effective and causing EPIC to expend resources in an effort to counteract
the Department of Education’s “unlawful FERPA revision” – constitutes a cognizable injury in
fact under Havens and this circuit’s precedent applying that decision. Pls.’ Mem. at 8–11; Pls.’
Reply at 2–7.
The Havens line of cases requires an organization to satisfy the injury-in-fact requirement
by asserting that it has suffered a “concrete and demonstrable injury to the organization’s
activities – with a consequent drain on the organization’s resources – constitut[ing] . . . more
than simply a setback to the organization’s abstract social interests.” Nat’l Ass’n of Home
Builders v. EPA, 667 F.3d 6, 11 (D.C. Cir. 2011) (alterations in original), quoting Havens, 455
U.S. at 378–79 (internal quotation marks omitted). Specifically, the “‘organization must allege
that discrete programmatic concerns are being directly and adversely affected’ by the challenged
32
action.” Nat’l Taxpayers, 68 F.3d at 1433, quoting Am. Legal Found. v. FCC, 808 F.2d 84, 92
(D.C. Cir. 1987); see also Havens, 455 U.S. at 379 (finding that the organizational plaintiff
alleged an injury in fact where it asserted that the defendant’s racial steering practices
“perceptibly impaired” its ability to provide counseling and referral services to low- and
moderate-income home seekers); Abigail Alliance for Better Access to Developmental Drugs v.
Eschenbach, 469 F.3d 129, 132–33 (D.C. Cir. 2006) (finding an injury in fact where the
organizational plaintiff alleged that it had to divert significant time and resources from its
activities – including assisting its members and the public in accessing potentially life-saving
drugs, counseling, referral, advocacy, and educational services – in order to help its members and
the public address new FDA requirements).
But the D.C. Circuit has not found standing when “the only ‘service’ impaired is pure
issue-advocacy.” Ctr. for Law and Educ. v. Dept. of Educ., 396 F.3d 1152, 1162 (D.C. Cir.
2005). In Center for Law and Education, the organizational plaintiffs alleged that the challenged
federal regulations had injured them because they “force[d] them to change their lobbying
strategies [to] a more costly form of lobbying.” Id. at 1161. In rejecting this alleged harm, the
court observed: “This Court has not found standing when the only ‘injury’ arises from the effect
of the regulations on the organizations’ lobbying activities (as opposed to the effect on non-
lobbying activities).” Id.; see also Nat'l Treasury Emps. Union v. United States, 101 F.3d 1423,
1429 (D.C. Cir. 1996) (“[C]onflict between a defendant’s conduct and an organization’s mission
is alone insufficient to establish Article III standing. Frustration of an organization’s objectives
‘is the type of abstract concern that does not impart standing.’”), quoting Nat’l Taxpayers Union,
68 F.3d at 1433.
33
Similarly in Nat’l Taxpayers Union, the National Taxpayers Union (“NTU”) – a
nonprofit organization formed to promote fair, responsible, and legal revenue-raising practices
by the U.S. government – sought to enjoin the enforcement of Section 13208 of the Omnibus
Budget Reconciliation Act of 1993 (“Section 13208”), Pub. L. No. 103-66, 107 Stat. 312, which
set the maximum federal estate and gift tax rates. 68 F.3d at 1430. The organization argued that
its injuries included “the drying up of its donations, the costs of NTU’s anti-Section 13028 [sic]
education and lobbying efforts, and NTU’s moral despair at seeing its goals frustrated.” Id. at
1432. The court held that these alleged injuries were insufficient for Article III purposes. Id.
Specifically, the court explained that the impact of Section 13208 upon NTU’s educational and
legislative initiatives did not constitute an injury in fact because an organization cannot
“manufacture the injury necessary to maintain a suit from its expenditure of resources on that
very suit.” Id. at 1434, quoting Spann v. Colonial Vill., Inc., 899 F.2d 24, 27 (D.C. Cir. 1990)
(internal quotation marks omitted); see also Ass’n for Retarded Citizens v. Dall. Cnty Mental
Health & Mental Retardation Ctr. Bd. of Trs., 19 F.3d 241, 244 (5th Cir. 1994) (“The mere fact
that an organization redirects some of its resources to litigation and legal counseling in response
to actions or inactions of another party is insufficient to impart standing upon the organization.”).
The court explained that, unlike in Havens where the defendant’s practices perceptibly impaired
the organization’s ability to provide services to its clients, Section 13208 did not force NTU to
spend resources in a way that kept it from pursuing its true purpose of monitoring the
government’s revenue practices. Nat’l Taxpayers Union, 68 F.3d at 1434 (“NTU cannot convert
its ordinary program costs into an injury in fact from Section 13208.”).
Here, the Final Rule has not impeded EPIC’s programmatic concerns and activities, but
fueled them. And the expenditures that EPIC has made in response to the Final Rule have not
34
kept it from pursuing its true purpose as an organization but have contributed to its pursuit of its
purpose. Like the advocacy and lobbying organizations in National Taxpayers Union and Center
for Law and Education, EPIC’s expenditure of funds to promote its legislative agenda through
research, education, outreach to the public and the media, submission of administrative
comments, and litigation is a normal and critical part of its mission and operations. See
Rotenberg Decl. ¶ 2; Barnes Decl. ¶ 2. Indeed, in her declaration, Barnes explains that the time
and resources she expended on activities related to the Final Rule would otherwise have been
spent on research and advocacy related to other proposed federal agency privacy regulations.
Barnes Decl. ¶ 17.14 But the fact that EPIC has had to redirect some of its resources from one
legislative agenda to another is insufficient to give it standing. See Nat’l Taxpayers Union, 68
F.3d at 1434. EPIC cannot convert an ordinary program cost – advocating for and educating
about its interests – into an injury in fact.
In Fair Employment Council of Greater Washington, Inc. v. BMC Marketing Corp., 28
F.3d 1268 (D.C. Cir. 1994), the D.C. Circuit explicitly rejected a fair-housing organization’s
argument that it had standing because the mere expense of sending racially diverse “testers” to
an employment agency that was allegedly discriminating on the basis of race was an injury in
fact fairly traceable to the agency’s conduct. Id. at 1276. The court explained:
14 The Rotenberg Declaration also explains that the resources that EPIC expended on
advocacy and education about the Department of Education’s FERPA rulemaking during the
time before the Final Rule was issued would have been redirected to EPIC’s amicus project,
Freedom of Information Act requests litigation, publications, other administrative rulemakings,
or press and public outreach. However, since these expenditures were not caused by the issuance
of the Final Rule that plaintiffs challenge, the Court will not consider them in its injury-in-fact
analysis. See Rotenberg Decl. ¶¶ 9–13. In addition, the parties agree that resources spent in
preparation for the litigation of this case cannot form the basis for injury in fact. See Pls.’ Mem.
at 8 (“The expenditure of resources must have been undertaken ‘in response to, and to
counteract, the effects of the defendants’ alleged [violations] rather than in anticipation of
litigation.’”) (alterations in original), quoting Equal Rights Ctr. v. Post Properties, Inc., 633
1136, 1140 (D.C. Cir. 2011).
35
The diversion of resources to testing might well harm the [plaintiff’s]
other programs, for money spent on testing is money that is not spent on
other things. But this particular harm is self-inflicted; it results not from
any actions taken by [the defendant], but rather from the [plaintiff’s] own
budgetary choices.
Id. The court explained that to meet the injury-in-fact requirement, the organization had to show
that the agency’s discriminatory actions “perceptibly impaired” its programs. Id. Similarly here,
nothing about the Final Rule impaired EPIC’s ability to provide its programs or carry out its
activities. Like the resources spent on testing in Fair Employment Council, the resources that
EPIC expended on advocacy and education about preserving privacy safeguards were expended
by choice because such activities are at the core of EPIC’s mission. See Barnes Decl. ¶ 2 (stating
that EPIC was established “to focus public attention on emerging civil liberties issues and to
protect privacy, the First Amendment, and other constitutional values” and that “EPIC has a
particular interest in preserving privacy safeguards established by Congress” through activities
“designed to protect privacy and educate the public, including policy research, public speaking,
conferences, media appearances, publications, litigation, and comments for administrative and
legislative bodies regarding the protection of privacy”). The diversion of EPIC’s resources to
educate the public about and advocate against the Department of Education’s Final Rule is not a
sufficient injury in fact.
Therefore, EPIC has not demonstrated an injury in fact sufficient for Article III purposes.
36
CONCLUSION
Because none of the plaintiffs in this action have satisfied the constitutional standing
requirements, the Court will grant defendant’s motion to dismiss this case for lack of subject
matter jurisdiction and will deny plaintiffs’ cross-motion for summary judgment. A separate
order will issue.
AMY BERMAN JACKSON
United States District Judge
DATE: September 26, 2013
37