New York University’s Data Breach Exposes The SHIELD Act and FERPA’s Illusion of Protection
On the morning of Saturday, March 22nd, 2025, New York University’s (NYU) homepage was compromised. For two hours, hackers cruised through confidential admissions data, taking control of records belonging to over three million applicants. Amongst this data lay test scores, financial aid records, zip codes, and academic credentials, which the hackers worked to make accessible to the public. Students received a brief letter from NYU confirming that their personal data had been exposed and offering them a one-year subscription to an identity protection service. Further restitution was minimal, the explanations were insufficient, and the opportunity for redress was entirely absent.
Two laws intended to protect student data, the Family Educational Rights and Privacy Act (FERPA) and New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, proved inadequate in several ways during this breach when applied to the modern cyber threats that press up against the higher education institutions of New York. FERPA and the SHIELD Act, despite having been designed to operate in unison, ultimately left university applicants unprotected in such moments. These existing laws, supposedly meant to protect student data, revealed imperfections such as limited enforceability and vague compliance standards. The victims, as a result, are left without meaningful recourse. NYU’s breach and the absence of any meaningful legal remedy for those affected reveal a gaping hole in education data law that demands clearer statutory obligations, as well as enforceable mechanisms for redress. FERPA’s lack of a private right of action and the SHIELD Act’s vague “reasonable” safeguards standard leave victims without a direct path to judicial relief. This statutory gap demands clearer legal duties and enforceable disciplinary actions to hold institutions accountable for their negligence in data protection.
Hacker Motives
The attacker in the NYU breach redirected the university's homepage and published CSV files containing private data dating all the way back to 1989. The files included admissions test scores, demographic data, financial aid details, sibling and parent information, and even Common Application materials: information ranging from sexual orientation to family income. The hacker acted with purpose, carrying out the breach as political commentary, and was motivated by a desire to accuse NYU of violating the Supreme Court’s 2023 ban on race-conscious admissions. What the hacker revealed were insecure systems hosting extremely sensitive data at one of the most prestigious universities in the country. [1]
NYU’s response to the matter was formulaically perfunctory, lacking effort and depth. The university issued a public statement acknowledging the unauthorized access, noted it had hired external investigators, and stated that it had notified law enforcement. [2] While the university claimed it had complied with all legal notification obligations, only a modicum of structural accountability remained. NYU’s response satisfied the minimal legal requirements for breach notification, but failed to create any enforceable accountability to those affected. The lack of consequences reveals how current laws permit institutions to meet mere procedural obligations while evading substantive liability.
Weak Federal Protection in FERPA
FERPA was enacted in 1974 to protect students’ educational records. The law gives students control over who can access their educational information and requires schools to maintain its confidentiality to the best of their ability under the legal standards it sets. However, the statute’s reach is more limited than the average student should be comfortable with. Its enforcement power rests entirely with the Department of Education. The Supreme Court has made it clear that FERPA creates no private right of action, which means that students cannot sue educational institutions directly under the statute, even when privacy violations are evident.
One case in particular that demonstrates this interpretation of the FERPA statute is Gonzaga Univ. v. Doe, in which the Court rejected a student's claim under §1983 that his FERPA rights had been violated, holding that FERPA’s provisions were too vague to warrant individual enforcement. [3] The case arose when a student, whose alleged sexual misconduct records were disclosed by a university official, sued. He claimed a violation of his FERPA rights, and the Court found that the disclosure did not give rise to an enforceable individual right because FERPA's language was focused on federal funding conditions rather than on creating personal legal entitlements. In effect, applicants cannot sue a university directly under FERPA, even if their data has been exposed recklessly, revealing FERPA as a law lacking permanence and stability. Chief Justice Rehnquist, writing for the majority, emphasized that FERPA’s statutory language spoke only in terms of institutional obligations, not individual rights, and therefore did not create the sort of “unambiguous” personal entitlement necessary to sustain a private right of action under §1983. This textual analysis narrowed FERPA’s scope in practice, effectively insulating universities from liability as individual entities.
The decision has since shaped a line of lower court rulings that treat FERPA violations as matters for bureaucratic review, not judicial remedy. For NYU’s applicants, this precedent transforms their exposure into a legal dead end. Despite blatantly egregious mismanagement of highly sensitive personal data, Gonzaga bars them from asserting their injury through federal litigation, reinforcing a regime where procedural technicalities override substantive harm. In NYU’s case, it is unclear whether the Department of Education will act at all. Even if it does, students will have no role in that process and no ability to demand damages or injunctive relief. The law, supposed to protect educational data, offers no mechanism for the students behind the leaked numbers to hold institutions accountable, and no incentive for those institutions to proactively protect the data in the first place. This not only disregards affected individuals but also signals to universities that compliance failures will likely go unpunished unless the federal government chooses to intervene. Students possess a constitutional and privacy-based interest in controlling their educational records, which warrants protection beyond FERPA’s narrow framework. Interpreting these interests to support an implied private right of action would align with precedent in other privacy contexts and would ensure that universities remain legally accountable for reckless data exposure.
The Burden of Broadness of NY’s SHIELD Act
New York’s SHIELD Act attempts to address the same vulnerabilities present in FERPA, yet presents its own set of flaws. It was designed to fill the absence of a legal remedy for individuals under FERPA. Passed in 2019, the law expanded the definition of “private information,” requiring businesses, including universities, to adopt “reasonable” administrative, technical, and physical safeguards to protect such data. [4] Additionally, SHIELD includes civil penalties of up to $250,000 for failure to notify and $5,000 per safeguard violation. [5]
The statute provides a series of recommendations ranging from employee training and risk assessments to secure disposal protocols, yet it stops short of setting strict benchmarks. While the SHIELD Act purports to require “reasonable” safeguards for private information, it is legally inadequate because of its lack of explicit, enforceable standards. Sackin v. TransPerfect Global, Inc. involved a data breach in which hackers accessed employee W-2 information through a phishing email that exploited inadequate internal safeguards. In its 2017 decision, the Southern District of New York found that the company’s failure to implement basic security measures, such as firewall protection and employee training, could constitute a breach of duty and negligence under New York law, even absent a specific regulatory violation. [6] Although Sackin involved a for-profit employer, the reasoning suggests that any entity, nonprofits like NYU or otherwise, that collects and stores personally identifiable information may be subject to similar negligence claims under New York’s common law standards, provided the harm is foreseeable and the safeguards are demonstrably lacking. Courts applying New York common law have not limited negligence claims strictly to corporate defendants. Given the scale of the breach, the foreseeability of harm, and NYU’s role as a sophisticated data custodian, the university owed a comparable duty of care to its applicants, a duty that exists regardless of its technical status as a non-profit. Courts can impose liability for negligent data practices even if specific regulatory violations aren’t immediately evident. Whatever the statute’s current vagueness, NYU’s breach falls squarely within the kind of negligence described in Sackin.
The university collected and stored decades-old data, declined to encrypt sensitive files, and failed to prevent an outsider from gaining administrative access to its homepage. [7] Yet to date there is no indication that the SHIELD Act will be used to hold the university accountable. Vague enforcement standards make it unlikely that the statute will be applied against NYU, leaving applicants without a viable statutory remedy despite clear evidence of negligence.
Injury in Fact — Potential Class Action?
To sue in federal court, a plaintiff must show that they suffered an “injury in fact.” This usually means visible harm, such as a stolen identity, fraudulent charges, or financial loss. This standard is difficult to meet in data breach cases, however, because the harm is often speculative. The Seventh Circuit addressed this problem directly in Remijas v. Neiman Marcus Group, LLC, where the court held that the risk of identity theft alone was enough to establish legal standing. [8] Decided in 2015, Remijas arose after hackers accessed the credit card information of approximately 350,000 Neiman Marcus customers. The Seventh Circuit held that the substantial risk of future identity theft constituted a concrete injury, sufficient to confer Article III standing even before any actual misuse had occurred. The judges reasoned that data breaches are, indeed, inherently malicious. However, not all malicious intrusions are financial in nature. In the NYU data breach, the hacker’s actions were rooted in political critique, yet the consequences extended far beyond commentary. Making private, highly sensitive admissions data public, from sexual orientation to immigration status, constituted a profound, unconstitutional invasion of privacy. Even without evidence of financial fraud, exposing such data stripped applicants of control over their personal information and subjected them to an imminent risk of identity theft and unlawful use of personal data, a harm courts have recognized as sufficient to establish standing even where evidence of actual misuse is still absent.
The principle that the imminent risk of identity theft from the exposure of inherently sensitive data constitutes a concrete injury was reaffirmed in In re Equifax Inc., where the court approved a $1.5 billion settlement for a breach that affected over 147 million people. [9] The case stemmed from a 2017 data breach in which hackers accessed names, Social Security numbers, birth dates, and other sensitive data. In 2021, the Eleventh Circuit upheld the $1.5 billion class action settlement, finding that the imminent risk of identity theft from such a large-scale exposure was sufficient to support standing and justify significant monetary relief. Plaintiffs argued that the exposure of Social Security numbers, dates of birth, and credit records created an “imminent and certainly impending” risk of identity theft, as this is information that, once leaked, can almost certainly ruin lives. The court agreed and emphasized that consumers should not have to wait until their identities are stolen to demand a legal remedy. Marking a shift from earlier rulings that demanded proof of actual misuse, the decision acknowledged instead that the exposure of inherently sensitive data can itself constitute injury. It expanded the scope of actionable harm in data breach cases, an approach directly relevant to NYU’s applicants, who now face similar risks tied to the loss of control over their personal information.
NYU applicants had their names, test scores, citizenship status, and financial aid records made publicly accessible, and while the data may not yet have been used for fraud, the risk is undeniable. The precedent set in Remijas and Equifax suggests that they should, without a doubt, be able to sue. Many have. As of early April 2025, NYU is facing ten class action lawsuits filed by individual applicants, each alleging that the university failed to protect their personal data and violated the most basic cybersecurity standards, ones that should be common at any university. [10] These lawsuits claim NYU did not follow national guidelines for data retention and encryption, and that the exposed information was detailed enough to pose a serious risk of identity theft. However, despite the litigation now underway, the SHIELD Act’s vague standards and FERPA’s lack of individual enforcement mechanisms continue to limit the redress available within their scope.
What Is Needed
FERPA largely assumes institutional goodwill in handling student data. Likewise, the SHIELD Act, which governs data protection in New York State, presumes that institutions will act reasonably and ethically in securing personal information. While FERPA is a federal statute that applies broadly across the country, the SHIELD Act is specific to New York State and reflects the state’s legislative approach to data protection. NYU’s situation is shaped not only by national legal standards but also by the specific requirements and limitations of New York law, including mandates on “reasonable” safeguards and breach notifications. These mandates lack enforcement clarity, limiting their potential impact. Comparisons to similar breaches at institutions outside New York must account for this distinct regulatory framework, as neither FERPA nor the SHIELD Act fully addresses the legal implications of data breaches.
The inadequacies in both frameworks call for reform at the state and federal levels. Two reforms are the bare minimum. First, Congress should amend FERPA to include a narrow private right of action, allowing students and applicants to sue institutions for reckless data management, especially in cases of a confirmed breach like this one. The threshold could be high, requiring proof of negligence or willful disregard, but it would provide the accountability needed to counter the rising frequency of such hacks. Second, the SHIELD Act should be clarified through regulation. The New York Attorney General’s office should issue guidance on what constitutes “reasonable” safeguards for educational institutions. Measures like encryption requirements, data minimization rules, and mandatory breach simulations would keep the statute’s current flexibility from becoming abdication.
Conclusion
NYU’s data breach was a heartbreaking moment for applicants, another layer on top of the many stressors already present in the college admissions process as a whole. However, many victims and onlookers can attest to not being surprised. FERPA’s lack of a private right of action and the SHIELD Act’s vague enforcement standards leave victims without a direct statutory remedy, even in the face of clear negligence. Precedent from Remijas and In re Equifax Inc. demonstrates that the imminent risk of identity theft can constitute a concrete injury, supporting standing for class actions. Given NYU’s role as a sophisticated data custodian, its decision to store decades-old unencrypted data and its failure to prevent unauthorized administrative access are precisely the negligence the SHIELD Act was intended to deter. FERPA and the SHIELD Act leave shaken victims of educational data breaches in legal limbo. If higher education can expose millions of records and face no legal consequence, then it is safe to say the law has failed to protect the people it claims to serve. Failure does not have to be permanent, but as long as it exists, it is a civic duty to scrutinize it, exposing injustice and working towards formal reform.
Edited by Alicia Lopez-Guerra
[1] “Over 3 Million Applicants’ Data Leaked on NYU’s Website,” Washington Square News, March 22, 2025, https://nyunews.com/news/2025/03/22/nyu-website-hacked-data-leak/.
[2] John Beckman, “Statement by NYU Spokesperson on March 2025 Cybersecurity Incident,” NYU News, June 10, 2025, https://www.nyu.edu/about/news-publications/news/2025/june/statement-by-nyu-spokesperson-john-beckman-on-march-2025-cyberse.html.
[3] Gonzaga Univ. v. Doe, 536 U.S. 273 (2002).
[4] SHIELD Act, New York State Office of the Attorney General, July 25, 2019, https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act.
[5] Ibid.
[6] Sackin v. TransPerfect Global, Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017).
[7] Cotchett, Pitre & McCarthy LLP, “CPM Investigating NYU Data Breach,” March 2025, https://www.cpmlegal.com/cases-CPM-Investigating-New-York-University-Data-Breach.
[8] Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).
[9] In re Equifax Inc. Customer Data Security Breach Litig., 999 F.3d 1247 (11th Cir. 2021).
[10] “NYU Hit with 10 Class Action Lawsuits Following Data Breach,” Washington Square News, April 1, 2025, https://nyunews.com/news/2025/04/01/nyu-data-breach-lawsuits/.