Electronic Privacy Information Center v. U.S. Department of Education

48 F. Supp. 3d 1, 2014 U.S. Dist. LEXIS 13992

• Court: District Court, District of Columbia
• Decided: February 5, 2014
• Docket: Civil Action No. 2012-0327
• Status: Published

Opinion

MEMORANDUM OPINION

AMY BERMAN JACKSON, United States District Judge

Plaintiffs Electronic Privacy Information Center (“EPIC”) and four individuals— Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel — have brought this action challenging a Final Rule issued by defendant, the United States Department of Education (“Department of Education,” “the Department”), to implement the Family Educational Rights and Privacy Act of 1974 (“FERPA”), 20 U.S.C. § 1232g. Defendant has moved to dismiss on standing grounds or, in the alternative, for summary judgment on the merits. Def.’s Mot. to Dismiss or, in the Alternative, for Summ. J. (“Def.’s Mot.”) [Dkt. # 18], Plaintiffs have opposed defendant’s motion and have filed their own cross-motion for summary judgment. Pis.’ Cross-Mot. for Summ. J. (“Pis.’ Mot.”) [Dkt. #21]; Pis.’ Mem. Opposing Def.’s Mot. to Dismiss and Mot. for Summ. J. (“Pis.’ Mem.”) [Dkt. # 20].

Plaintiffs argue that the standing requirement is satisfied in this case because the four individual plaintiffs each have standing and because EPIC has both organizational standing on its own behalf and associational standing on behalf of its members. The Court disagrees and finds that none of the individual plaintiffs nor EPIC have standing to bring the claims asserted in the complaint. The individual plaintiffs have alleged nothing more than a hypothetical possibility of some vague harm, and that harm does not even flow from the challenged regulations. So they have failed to allege or show the injury in fact or causation that are fundamental to standing. And the organizational plaintiff, EPIC, complains simply that the new rules have prompted it to engage in the very sort of advocacy that is its raison d’etre. So it has not alleged an injury in fact either. Accordingly, the Court will dismiss the action for lack of subject matter jurisdiction.

BACKGROUND

I. STATUTORY AND REGULATORY BACKGROUND

This action concerns regulations that were issued by the Department of Education to implement FERPA. FER-PA was first passed in 1974 “to ensure access to educational records for students and parents and to protect the privacy of those records from the public at large.” Student Press Law Ctr. v. Alexander, 778 F.Supp. 1227, 1228 (D.D.C.1991). It conditions the receipt of federal funds by “any public or private educational agency or institution” on adherence to certain requirements related to access to and disclosure of student educational records. Gonzaga Univ. v. Doe, 536 U.S. 273, 278, 122 S.Ct. 2268, 153 L.Ed.2d 309 (2002). One of those requirements is that a student’s records not be disclosed unless the student’s parents provide consent. 1 See 20 U.S.C. § 1232g(b).

Generally, this restriction applies even to the disclosure of records by schools or school districts to the Department of Education or to state educational authorities. There are, however, several exceptions. The two exceptions relevant to this action are known as the “directory information exception” and the “program evaluation exception.” Under the directory information exception, certain basic student information, such as name, address, telephone number, etc. — referred to as “directory information” — may be released without pri- or consent. Id. § 1232g(a)(5), (b)(1). Under the program evaluation exception, an “authorized representative” of the Comptroller General of the United States, the Secretary of Education, state educational authorities, or the Attorney General may receive — without prior consent — any records that “may be necessary in connection with the audit and evaluation of Federally-supported education programs, or in connection with the enforcement of the legal requirements that relate to such programs.” 2 Id. § 1232g(b)(l)(C), (b)(3).

The definitions of the terms “directory information,” “authorized representative,” and “education program,” as used in the statutory exceptions to the disclosure restrictions, have long been the subject of Department of Education regulations. See 53 Fed.Reg. 11942-01, 11943 (Apr. 11, 1988). On April 8, 2011, the Department of Education issued a notice of proposed rulemaking that sought comments on proposed changes to its FERPA-implement-ing regulations, including to the definitions of those three terms. 76 Fed.Reg. 19726, 19731-32 (Apr. 8, 2011) (codified at 34 C.F.R. pt. 99). The Department received 274 comments on the proposed regulation, including a comment from plaintiff EPIC challenging the three new definitions. Final Rule, Admin. R. (“AR”) at 698 [Dkt. # 10]; EPIC Comment, id. at 515-34. On December 2, 2011, the Department issued its Final Rule, 76 Fed.Reg. 75604 (Dec. 2, 2011) (codified at 34 C.F.R. pt. 99) (“Final Rule”).

A. The Directory Information Exception

FERPA expressly provides that:

[T]he term “directory information” relating to a student includes the following: the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.

20 U.S.C. § 1232g(a)(5)(A). While the statute exempts “directory information” found in education records from the statutory disclosure restrictions, id. § 1232g(b)(l), it leaves each educational agency or institution free to determine for itself what categories of directory information it will release and for what purposes. But before the entity releases any information, it must “give public notice of the categories of information which it has designated” as directory information, and give parents the opportunity to “inform the institution or agency that any or all of the information designated should not be released without the parent’s prior consent.” Id. § 1232g(a)(5)(B).

Since at least 1988, the Department has interpreted directory information to mean “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed,” and it has construed the statutory list of directory information to be non-exhaustive. See 34 C.F.R. § 99.3 (2013); see also 34 C.F.R. § 99.3 (1988). For example, in the year 2000, the Department issued new regulations that recognized photographs, e-mail addresses, and grade levels as directory information. 65 Fed.Reg. 41852, 41852-53 (July 6, 2000) (codified at 34 C.F.R. pt. 99).

The 2011 Final Rule at issue in this action adds to the category by recognizing as directory information:

(1) A student ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems ... and (2) [a] student ID number or other unique personal identifier that is displayed on a student ID badge, but only , if the identifier[s] cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN [ (personal identification number) ], password, or other factor known or possessed only by the authorized user.

Final Rule, AR at 733.

B. The Authorized Representative Exception

The authorized representative exception permits an “authorized representative” of the Comptroller General of the United States, the Secretary of Education, state educational authorities, and the Attorney General to receive — -without prior consent — any records which may be necessary in connection with the audit and evaluation of Federally-supported education programs, or in connection with the enforcement of the legal requirements which relate to such programs.” 20 U.S.C. § 1232g(b)(l)(C), (b)(3). It also permits state and local educational officials to be exempted from the disclosure restrictions when disclosure of the records “may be necessary in connection with the audit and evaluation of any federally or State supported education program or in connection with the enforcement of the Federal legal requirements which relate to any such program.” Id. § 1232g(b)(5) (emphasis added).

The 2011 Final Rule at issue in this action provides definitions for the terms “authorized representative” and “education program,” as the terms are used in those provisions of FERPA. The Final Rule defines an “authorized representative” as:

[A]ny entity or individual designated by a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to conduct — with respect to Federal- or-State supported education programs — any audit or evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.

Final Rule, AR at 733. It defines an “education program” as “any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution.” Id.

II. FACTUAL BACKGROUND

EPIC is a non-profit corporation located in Washington, D.C. Barnes Decl. ¶ 2 [Dkt. # 20-7]; Rotenberg Decl. ¶ 2 [Dkt. # 20-6]. EPIC is a public interest research center established “to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and other constitutional values.” Barnes Decl. ¶ 2; Rotenberg Decl. ¶ 2. It has a “particular interest in preserving privacy safeguards established by Congress,” including the FERPA, and it engages in activities “designed to protect privacy and educate the public, including policy research, public speaking, conferences, media appearances, publications, litigation, and comments for administrative and legislative bodies regarding the protection of privacy.” Barnes Decl. ¶ 2; Rotenberg Decl. ¶ 2.

According to a declaration from Khaliah Barnes, Administrative Law Counsel for EPIC, Barnes engaged in the following activities relating to the issuance of the 2011 Final Rule on behalf of EPIC:

• Participated in phone calls initiated by education activists, media, organizations, and the public generally concerning a variety of education privacy topics, but focused primarily on the Final Rule. Barnes Decl. ¶ 12.

• Exchanged e-mails concerning a variety of education privacy topics, but focused primarily on the Final Rule. Id. ¶ 13.

• Participated in one in-person meeting with education activists who had previously inquired about the Final Rule and a variety of education privacy topics, but focused primarily on the Final Rule. Id. ¶ 14.

• Updated the EPIC website and online newsletter regarding developments with the promulgation of the Final Rule and subsequent developments, including the EPIC lawsuit. Id. ¶ 15.

• Published an article that discussed various issues related to education privacy, including the Final Rule. Id. ¶ 16.

According to Barnes, if she had not been engaged with those activities, she would have redirected her efforts to her other job responsibilities: “researching and submitting administrative agency comments on proposed federal agency privacy regulations that pertain to government collection, retention, and dissemination of personal information.” Id. ¶ 17.

Plaintiffs have also submitted a declaration from Marc Rotenberg, EPIC’s President and Executive Director, which states that, between April 8, 2011 and September 6, 2011, EPIC expended resources on filing administrative comments to the Notice of Proposed Rulemaking that was issued before the Final Rule, responding to inquiries from the press and the general public about the Department of Education’s activities on student privacy, and updating the EPIC website and newsletter with information about FERPA and the related activities of the Department of Education. Rotenberg Decl. ¶¶ 9-12. All of these expenditures took place before December 2011, when the Final Rule was issued. Id. ¶ 9.

EPIC has a fourteen-member Board of Directors and an Advisory Board with over fifty members. Id. ¶ 14. The members of the Board of Directors manage the organization and participate in the selection of the Advisory Board. Id. ¶ 15. According to Rotenberg, the members of the Board of Directors and of the Advisory Board “must formally commit to joining the organization, and to supporting the mission of the organization.” Id. ¶ 16. They also make financial contributions to EPIC, assist with EPIC’s substantive work, and recommend potential clerkship and fellowship applicants. Id. ¶¶ 17-19.

The four individual plaintiffs in this case, Barber, Molina, Neumann, and Peel, are all members of EPIC’s Board of Directors. Barber Deck ¶ 3 [Dkt. # 20-2]; Molina Deck ¶ 3 [Dkt. # 20-3]; Neumann Deck ¶ 3 [Dkt. #20-4]; Peel Deck ¶3 [Dkt. #20-5]. According to declarations from each of them, all four attended and graduated from one or more universities that are subject to FERPA. Barber Deck ¶¶ 4-5; Molina Deck ¶¶ 4-5; Neumann Deck ¶¶ 4-5; Peel Deck ¶¶4-5. The declaration of plaintiff Molina states in addition that he is an adjunct professor at Georgetown University; he was the university’s associate vice president for information technology from 2007 until 2012 and campus chief information officer from 2000 until 2012; and he will graduate from the university with a doctorate degree in 2013. Molina Deck ¶¶ 2, 4.

III. PROCEDURAL BACKGROUND

Plaintiffs filed the complaint in this action on, February 29, 2012. Comph [Dkt. # 1]. Count I alleges that the Department’s issuance of the Final Rule was not in accordance with the law, in violation of the Administrative Procedure Act. Id. ¶ 30. Count II alleges that the Final Rule was promulgated in excess of the Department’s statutory authority, in violation of the Administrative Procedure Act. Id. ¶35. The complaint alleges that the Department’s changes to the definitions of directory information, authorized representatives, and educational programs within the directory information and authorized representative exceptions remove “affirmative legal duties for state and lo cal educational facilities to protect private student data.” Id. ¶ 20 (internal quotation marks omitted). Specifically, it alleges that:

• By expanding the definition of directory information to include student ID numbers that are displayed on individuals’ cards or badges, the Department insufficiently safeguards students from the risk of re-identification, id. ¶ 24;

• By designating non-governmental actors as “authorized representatives” of state educational institutions, the Department would perform an “unauthorized, unlawful sub-delegation of its own authority,” id. ¶ 22; and

• By expanding the definition of educational programs, the Department would “expose troves of sensitive, non-academic data,” id. ¶ 23.

ANALYSIS

This ease begins and ends with plaintiffs’ constitutional standing to bring their claims. “To state a case or controversy under Article III, a plaintiff must establish standing.” Ariz. Christian Sch. Tuition Org. v. Winn, — U.S. -, 131 S.Ct. 1436, 179 L.Ed.2d 523 (2011); accord Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (holding that “standing is an essential and unchanging part of the ease-or-controversy requirement of Article III”). Standing is a necessary predicate to any exercise of federal jurisdiction; if it is lacking, the dispute is not a proper case or controversy under Article III, and federal courts have no subject matter jurisdiction to decide the case. Dominguez v. UAL Corp., 666 F.3d 1359, 1361 (D.C.Cir.2012). To establish constitutional standing, a plaintiff must demonstrate: (1) that he has suffered a concrete, particularized, and actual or imminent “injury in fact”; (2) that the injury is “fairly traceable” to the challenged action of the defendant; and (3) that it is “likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130, quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 28, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976) (internal quotation marks omitted); see also Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 180-81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000).

“The party invoking federal jurisdiction bears the burden of establishing” standing. Lujan, 504 U.S. at 561, 112 S.Ct. 2130. The extent of the plaintiffs burden varies according to the procedural stage of the case. Id. “At the pleading stage, general factual allegations of injury resulting from the defendant’s conduct may suffice.... In response to a summary judgment motion, however, the plaintiff can no longer rest on such ‘mere allegations,’ but must ‘set forth’ by affidavit or other evidence ‘specific facts,’ which for the purposes of the summary judgment motion will be taken to be true.” Id. (internal citations omitted). Even in an action seeking review of an administrative action, the parties “must supplement the record to the extent necessary to” substantiate their claim to standing. Sierra Club v. EPA, 292 F.3d 895, 900 (D.C.Cir.2002). 3 In assessing standing, the Court assumes plaintiffs will prevail on the merits of their claim. NB ex rel. Peacock v. District of Columbia, 682 F.3d 77, 82 (D.C.Cir.2012).

Plaintiffs present three distinct grounds on which they assert they have constitutional standing to bring their claims: the standing of the individual plaintiffs, the standing of EPIC as an association on behalf of its members, and the standing of EPIC as an organization. The Court finds all of them unavailing.

I. THE INDIVIDUAL PLAINTIFFS LACK CONSTITUTIONAL STANDING

To establish their constitutional standing to assert the claims in the complaint, the individual plaintiffs must demonstrate that, they suffered an injury in fact, that was caused by the conduct of defendant, and that can be redressed by judicial relief. Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130.

A. Injury in fact

The injury in fact test requires a plaintiff to allege that he has suffered “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.” Id. at 560, 112 S.Ct. 2130 (internal citations omitted), quoting Allen v. Wright, 468 U.S. 737, 755, 104 S.Ct. 3315, 82 L.Ed.2d 556 (1984). An injury is particularized if it affects the plaintiff in a personal and individual manner. Id. at 561 n.1, 112 S.Ct. 2130. “[A] plaintiff raising only a generally available grievance about government — claiming only harm to his and every citizen’s interest in proper application of the Constitution and laws, and seeking relief that no more directly and tangibly benefits him than it does the public at large — does not state an Article III case or controversy.” Id. at 573-74, 112 S.Ct. 2130.

Plaintiffs maintain that the injury-in-fact requirement is satisfied in this case because the Final Rule increases the risk that their personal information will be disclosed to a host of unregulated third-party entities without their consent, which in turn increases the risk that the information will be used for illicit purposes, such as to improperly deny them insurance benefits or for identity fraud. Pis.’ Mem. at 6. They characterize their injury as an “increased-risk-of-harm,” id. which is governed by the standard set out in Public Citizen, Inc. v. National Highway Traffic Safety Administration, 489 F.3d 1279 (D.C.Cir.2007). In Public Citizen, the petitioners — -including a public interest group called Public Citizen — sued the National Highway Transportation Safety Administration over a regulation that the agency had issued, which set a minimum performance standard for tire pressure monitors in automobiles. 489 F.3d at 1285-86. Public Citizen argued that it satisfied the constitutional standing inquiry because the agency’s rule increased the risk that some of its members would suffer car accidents in the future as compared to what the risk would have been had the agency adopted an alternative regulation advanced by Public Citizen. Id. at 1291.

The D.C. Circuit began by finding that the proffered injury was (1) concrete be cause the physical injuries that result from car accidents are plainly concrete and (2) particularized because each person who is injured in a car accident is injured personally and distinctly. Id. at 1292; see also Lujan, 504 U.S. at 560 n.1, 112 S.Ct. 2130 (defining “particularized” as affecting the plaintiff in a personal and individual way). Here, defendant does not dispute that the alleged harm to the individuals in this case is both concrete and particularized, and the Court agrees. The harm that the individuals are now allegedly more at risk of suffering is identity fraud or some other misuse of their identities. See Pis.’ Mem. at 7; Pis.’ Reply in Supp. of their Cross-Mot. for Summ. J. (“Pis.’ Reply”) at 9 [Dkt. # 24]; see also Barber Deck ¶¶ 10-11 (stating that inappropriate release of her education records could allow unauthorized individuals to compute her credit score, which insurers could use to deny coverage or raise rates); Molina Deck ¶ 10 (same); Neumann Deck ¶ 10 (same); Peel Deck ¶¶ 9-10 (same and also expressing concern that fingerprint data could be inappropriately disclosed to law enforcement databases or fusion centers). The unauthorized use of an individual’s personal information to deny him benefits is certainly a concrete injury that affects the individual personally and distinctly. See Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir.2008) (finding that identity theft, which affected the plaintiffs financial security and credit rating, was a sufficiently concrete and particularized injury in fact for purposes of conferring standing).

The more difficult issue in this case, as in Public Citizen, concerns the requirement that the plaintiffs’ injuries be “actual or imminent.” The Public Citizen court acknowledged that Public Citizen’s theory of injury rested on evidence that the defendant’s actions would increase the risk of harm to a class of individuals, which included Public Citizen members. The court concluded that, in such an “increased-risk-of-harm” case, the constitutional imminence requirement demands that the plaintiff demonstrate “both (i) a substantially increased risk of harm and (ii) a substantial probability of harm with that increase taken into account.” Public Citizen, 489 F.3d at 1295. The Court noted that, although there are no numerical rules for the amount of increase in risk of harm or level of ultimate risk that are high enough- to be “substantial,” the constitutional requirement of imminence “necessarily compels a very strict understanding” of the term. Id. at 1296. In the end, the court remanded the case to the district court to further develop the record concerning whether the injury asserted by Public Citizen met this standard. Id. at 1296-98.

Here, plaintiffs do not satisfy either prong of the increased risk of harm test: they have not shown a substantially increased risk that they will suffer identity fraud, and they have not shown that the absolute likelihood of suffering identity fraud is substantial. In fact, plaintiffs provide no evidence — not even any allegations — about how much more likely they are to be the victims of identity fraud now than before the passage of the Final Rule, and they provide absolutely no information about the absolute risk that their information will be used improperly. Cf. Nat’l Resources Def. Council v. EPA, 464 F.3d 1, 7 (D.C.Cir.2006) (the plaintiff, an environmental membership organization, presented statistical evidence showing that two to four of its members would develop nonfatal skin cancer as a result of the challenged rule); Mountain States Legal Found. v. Glickman, 92 F.3d 1228, 1235 (D.C.Cir.1996) (the plaintiffs presented evidence showing that the regulations they challenged increased the risk of forest fire by about nine percent). 4

In their memorandum, plaintiffs explain that the Final Rule increases the likelihood that the individual plaintiffs will suffer misuse of their personal information because it permits educational institutions to disclose student data to “unregulated” third parties under the “authorized representative” exception to FERPA’s disclosure restrictions. See Pis.’ Mem. at 5-8. And at the hearing on the motion in this case, plaintiffs also asserted that the Final Rule’s redefinition of the term “directory information” to include student ID numbers gives rise to a second possible injury: that by designating student ID numbers as “directory information,” the Final Rule permits educational institutions to place student ID numbers on student badges without the students’ consent. 5 , 6

Plaintiffs have submitted declarations from each of the individual plaintiffs in this case to support their theory of injury. According to the declarations, all of the plaintiffs attended and graduated from one or more universities that are subject to FER-PA. Barber Decl. ¶¶ 4-5; Molina Deck ¶¶ 4-5; Neumann Deck ¶¶ 4-5; Peel Deck ¶¶ 4-5. Plaintiffs’ attendance at many of these universities took place decades ago. See, e.g., Barber Deck ¶ 4 (stating that she received her B.A. from Pomona College in 1978, an M.A. from Princeton University in 1980, a J.D. from Rutgers in 1991, and that she attended at the school of communication at Rutgers for two months in 2010); Molina Deck ¶ 4 (stating that he received his B.S. and M.B.A. from Saint Louis University in 1992 and 1995 respectively, and that he attended graduate engineering courses at Washington University in 1998); Neumann Deck ¶4 (stating that he received his A.B., S.M., and Ph.D. from Harvard University in 1954, 1955, and 1961 respectively); Peel Deck ¶ 4 (stating that she attended the University of Texas at Austin from 1968 to 1970, received her M.D. from and completed her residency at University of Texas Medical Branch in 1974 and 1977 respectively, and completed post-graduate training at the Dallas Psychoanalytic Institute in 1999). Plaintiff Molina has a more recent connection to higher education: he adds that he will graduate from Georgetown University — an educational institution subject to FER-PA — with a doctorate degree in 2013. Molina Deck ¶ 4. Molina’s declaration also states that he is an adjunct professor at Georgetown University and was the university’s associate vice president for information technology from 2007 until 2012, and campus chief information officer from 2000 uatfl 2012. Id. ¶2.

At the oral argument in this case, both plaintiffs and defendant focused their attention primarily on Molina’s standing to bring this action. He is the only plaintiff who was still enrolled at an educational institution at the time the complaint in this case was filed, and so the disclosure requirements are more likely to affect him than any of the other plaintiffs who graduated earlier. See Molina Decl. ¶ 4 (stating that Molina will graduate from Georgetown University with a doctorate degree in 2013); see also Lujan, 504 U.S. at 569 n.4, 112 S.Ct. 2130 (“ ‘The existence of federal jurisdiction ... depends on the facts as they exist when the complaint is filed.’”), quoting Newman-Green, Inc. v. Alfonzo-Larrain, 490 U.S. 826, 830, 109 S.Ct. 2218, 104 L.Ed.2d 893 (1989). Certainly Molina is the only plaintiff who might be affected by any display of student ID numbers on student badges, and his personal information is the most likely to still be maintained and disclosed by an entity subject to the Final Rule.

1. Expansion of the directory information exception theory of injury

At the hearing, plaintiffs argued that Molina is injured by the Final Rule because it permits Georgetown University— the educational institution where Molina is currently enrolled — to place Molina’s university ID number on his student badge, which would make the ID number more susceptible to identity theft.

There are two major problems with this argument. First, plaintiffs have not shown that disclosure of Molina’s Georgetown University ID number on a badge makes it substantially more probable that he will be the victim of identity theft. In fact, the Rule expressly provides that students’ ID numbers may be classified as disclosable directory information only if the number “cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN [(personal identification number) ], password, or other factor known or possessed only by the authorized user.” Final Rule, AR at 733. So even if the display of Molina’s university ID number on his badge makes it more likely that the ID number will be seen by someone who wants to misuse Molina’s personal information, that individual would still need Molina’s PIN • or password to access the information. Neither the PIN nor the password would be present on the badge or otherwise easily accessible. Accordingly, plaintiffs lack a crucial element of establishing that disclosure of Molina’s student ID number on his student badge increases the likelihood his personal information will be accessed by an unauthorized individual and misused, let alone that such likelihood is substantial as an absolute matter.

In addition, Molina cannot establish that he will suffer a greater likelihood of injury as a result of the Final Rule because Georgetown University ID cards already contain the individual’s university ID number. See Georgetown One Card: Your Georgetown ID, Georgetown University, http://gocard.georgetown.edu/what/id/ (last visited Sept. 16, 2013) (explaining that the GOCard is the Georgetown ID card); Georgetown One Card: GOCard About to Expire?, Georgetown University, http:// gocard.georgetown.edu/page/ 1242701316531.html (last visited Sept. 16, 2013) (“The GOCard was brought to you nearly 5 years ago.”); Georgetown One Card: What are the components of the GOCard?, Georgetown University, http:// gocard.georgetown.edu/page/ 1242701316765.html (last visited Sept. 16, 2013) (stating that the University ID Number is a component of the GOCard); Georgetoum One Card: What is the University ID Number?, Georgetown University, http://gocard.georgetown.edu/page/ 1242701316906.html (last visited Sept. 16, 2013) (explaining that the university ID Number is a random number assigned to all individuals affiliated with the university for purposes of identification, and that the ID number stays with an individual for the entire duration of his or her affiliation with Georgetown).

Since Molina is a faculty member at Georgetown University, any university ID card he already possesses necessarily contains his university ID number — the same number that stays with him for the entire duration of his affiliation with Georgetown. Id. This defeats any attempt by plaintiffs to show that the chance that Molina’s personal information will be stolen and misused is substantially likely to increase due to the Final Rule’s inclusion of university ID numbers in the definition of “directory information.” In addition, plaintiffs’ failure to provide any evidence, or even allegations, that any person affiliated with Georgetown has suffered harm from the inclusion of university ID numbers on Georgetown GOCards up until this point undermines their attempt to show an absolute likelihood of harm.

2. Expansion of the authorized representative exception theory of injury

Plaintiffs have also argued that by expanding the definitions of “authorized representative” and “education program,” the Final Rule permits educational institutions to disclose plaintiffs’educational records to unregulated third parties and therefore increases the risk that their personal information will used to harm them. 7 But this theory of injury is also marred by several fatal deficiencies. For plaintiffs to be the victims of identity theft due to the disclosure of their Information pursuant to the Final Rule, all of the following must occur: (1) institutions -governed by the Final Rule must still maintain personal information about plaintiffs that, if stolen, could be used in injurious ways; (2) the institutions that maintain plaintiffs’ personal information must provide that information to unregulated third-party entities 8 ; and (3) once plaintiffs’ personal information is provided to those third-party entities, those parties must use it improperly or disclose it to others who use it improperly. This is an attenuated chain of events to begin with, and- plaintiffs have not presented evidence, or even factual allegations, to demonstrate that any of the steps has occurred or is likely to occur, let alone that it is imminent. See Grand Lodge of Fraternal Order of Police v. Ashcroft, 185 F.Supp.2d 9, 16 (D.D.C.2001) (“[T]he chain of events that would need to occur for the defendants to commit these alleged wrongs ... is simply too attenuated to be a real and immediate threat.”), citing Lujan, 504 U.S. at 564 n.2, 112 S.Ct. 2130.

To address the first condition — that institutions governed by the Final Rule maintain personal information about plaintiffs that, if stolen, could be used in injurious ways' — plaintiffs rely on their own declarations, in which all four plaintiffs state that the universities they attended continue to maintain education records about them. Barber Decl. ¶ 6; Molina Decl. ¶ 6; Neumann Decl. ¶ 6; Peel Decl. ¶ 6. Importantly, none of the plaintiffs articulate any basis for their personal knowledge of what information the universities maintain, despite the requirement under Federal Rule of Civil Procedure 56(c)(4) that a declaration “must be made on personal knowledge ... and show that the ... de-clarant is competent to testify on the matters stated.” Moreover, since plaintiffs provide no information about what particular personal information is contained in the maintained education records, they fail to show that the institutions maintain the type of valuable personal information about them that could be used for identity fraud or to improperly alter their insurance rates. 9

But even if the Court were to assume that plaintiffs’ alma maters maintain records about them that contain valuable personal information, such as social security numbers, plaintiffs have failed to make any showing that it is likely the schools will disclose the information to unregulated third parties. Rather, plaintiffs conclusor-ily maintain that their personal information is being, or will be, disclosed to statewide longitudinal data systems (“SLDS”) — which are compilations of student information from educational institutions located within the certain states— and that the Final Rule permits unregulated third parties to access the information in those data systems. Pis.’ Mem. at 6-7. To show that plaintiffs’ educational records are maintained in those states, plaintiffs point the Court to the website of the National Center for Education Statistics, which contains information about federal grants that have been provided to states in order to maintain SLDSs. Id. at 6. The website shows that each of the plaintiffs attend or attended at least one educational institution in a state that receives federal funding to maintain SLDSs: Missouri, Massachusetts, Texas, and the District of Columbia. See Statewide Longitudinal Data Systems Grant Program: Grantee State — Missouri, National Center for Education Statistics, http://nces.ed.gov/ programs/slds/state.asp?stateabbr=MO (last visited Sept. 16, 2013); Statewide Longitudinal Data Systems Grant Program: Grantee State — Massachusetts, National Center for Education Statistics, http://nces.ed.gov/programs/slds/state.asp? stateabbr=MA (last visited Sept. 16, 2013); Statewide Longitudinal Data Systems Grant Program: Grantee State— Texas, National Center for Education Statistics, http://nces.ed.gov/programs/slds/ state.asp?stateabbr=TX (last visited Sept. 16, 2013); Statewide Longitudinal Data Systems Grant Program: Grantee State— District of Columbia, National Center for Education Statistics, http://nces.ed.gov/ programs/slds/state.asp?stateabbr=DC (last visited Sept. 16, 2013).

Just because the states maintain SLDSs, however, does not mean that the particular information that the colleges and universities maintain about the plaintiffs will be included in those SLDSs. 10 First, all of the SLDS grant applications for Massachusetts, Missouri, Texas and the District of Columbia were submitted within the past seven years, which is long after nearly all of these plaintiffs had already left those institutions. And plaintiffs have not alleged or provided any evidence that any of these SLDSs collect data retroactively. Cf. Buckley Decl. ¶ 27 [Dkt. # 18-9] (“No information provided to the Department suggests that DC’s [SLDS program] will be backfilled with advanced degree data from Georgetown University or other institutions for years prior to the one in which postsecondary information begins to be linked to the system.”). In fact, comparing the information in plaintiffs’ declarations about when they attended educational institutions to the information on the National Center for Education Statistics website about when the states filed SLDS grant applications reveals that the only plaintiff who actually attended an educational institution during the time when that institution’s state was receiving federal SLDS funds is Molina, who is currently attending Georgetown University in the District of Columbia. 11

And even with regards to the District of Columbia’s SLDS program, Molina does not fit the description of the subjects whom the program is geared to monitor. According to the declaration of Jack Buckley, the Commissioner of the National Center for Education Statistics (which is part of the Institute of Education Sciences of the U.S. Department of Education), the District of Columbia submitted an application for an SLDS grant on December 15, 2011. Buckley Deck ¶ 20, citing Ex. 2 to Buckley Decl. (excerpts from the SLDS application). The application explained that its Statewide Longitudinal Education Data System (“SLED”) currently included only data from pre-kindergarten through twelfth grade. Id. ¶ 21, citing Ex. 2 to Buckley Decl. at el4. The application proposed linking SLED to three existing post-secondary databases: (1) “DC OneApp, which includes information from DC residents who apply for DC’s three higher education grant programs”; (2) “AspirePath, which includes information on adult literacy students at DC’s community college”; and (3) the Banner student database, which is “used by DC’s community college, public university, and other postsecondary institutions.” Id. ¶¶ 22-23, citing Ex. 2 to Buckley Decl. at e21-e22. Of the three databases, the Banner student database is the only one that might contain data from Georgetown University; however, the Buckley declaration goes on to state that, “[a]ceording to information provided to the Department, Georgetown University’s only agreement to provide student information to DC concerns the undergraduate students from DC who receive financial assistance through DC’s Higher Education Financial Services office.” Id. ¶26. Plaintiffs do not allege that Molina receives that type of financial assistance.

Plaintiffs do not present any evidence that disputes that statement. Rather, they cite what they call a “prominent report,” which found that most states collect information in excess of what is needed for SLDS compliance. Pis.’ Mem. at 7. That study, however, concerns only elementary and secondary school state reporting systems, and all of the institutions that allegedly maintain educational information about plaintiffs are post-secondary institutions. Barber Decl. ¶ 6; Molina Decl. ¶ 6; Neumann Decl. ¶ 6; Peel Decl. ¶ 6. Plaintiffs make no showing that states collect excessive personal information about postgraduate students, let alone that the District of Columbia collects such excessive information about post-graduate students from Georgetown University. So they present no factual foundation for their sweeping conclusion that, “[bjecause states collect excessive information, there is a substantial probability that pursuant to the Final Rule, plaintiffs’ personally identifiable information will be disclosed to unregulated SLDS entities.” Pis.’ Mem. at 7.

Finally, plaintiffs fail to present factual allegations or adduce evidence to demonstrate any likelihood that plaintiffs’ personal information will be disclosed to unregulated third-party entities or to show any likelihood that plaintiffs’ information wül be used in a way that injures them even if their information is disclosed to such entities. To begin with, the Final Rule does not require educational agencies or institutions to disclose student information to new entities or individuals, including what plaintiffs call “unregulated” third-party entities. The Final Rule only authorizes disclosure to new entities by redefining who is an “authorized representative” that may have access to student records “in connection with the audit and evaluation of Federally-supported education programs.” See 20 U.S.C. § 1232g(b)(3); accord 34 C.F.R. § 99.3. And plaintiffs make no showing — either with factual allegations or evidence — that the particular universities that they attended will choose to disclose information to new entities. See Chlorine Inst. Inc. v. Fed. R.R. Admin., 718 F.3d 922, 927-28 (D.C.Cir.2013) (finding that the plaintiffs’ assertion that a final rule issued by the Federal Railroad Administration would harm chlorine shippers because it gave railroads the opportunity to restrict or eliminate chlorine shipments by mail was too speculative to constitute injury in fact).

In addition, plaintiffs have presented no data on the likelihood that identity fraud would result from any of the newly authorized activities. Plaintiffs assert generally that “[tjhere is a strong presumption that each plaintiffs non-directory information will be included in the SLDS without sufficient privacy safeguards,” Pis.’ Reply at 8-9, but they do not explain why the Court should presume that the SLDS will not have sufficient privacy safeguards for their personal information. On the contrary, FERPA requires that any data that is disclosed “shall be protected in a manner which will not permit the personal identification of students and their parents by other than those officials, and such personally identifiable data shall be destroyed when no longer needed for such audit, evaluation, and enforcement of Federal legal requirements.” 20 U.S.C. § 12S2g(b)(3); see ' also 34 C.F.R. § 99.35(a)(2)® (requiring the state or local educational authority or authorized agency to be responsible for “using reasonable methods to ensure to the greatest extent practicable” that any entity or individual designated as its authorized representative uses personal information only for purposes of evaluation or audit, “or for the enforcement of or compliance with federal legal requirements related to the programs”); 34 C.F.R. § 99.35(a)(2)(ii)-(iii) (holding state or local educational authority or authorized agency responsible for ensuring the protection of personal information and the destruction of the information when no longer needed). The preamble to the Final Rule confirms that these requirements apply to any entity that receives student data under the provision that plaintiffs challenge. See 76 Fed.Reg. 75604, 75618 (Dec. 2, 2011), (codified at 34 C.F.R. pt. 99); see also Final Rule, AR at 710. Moreover, the penalties for failure to adequately protect data that are contemplated by the regulatory scheme weigh toward a presumption that there will be adequate safeguards. See 34 C.F.R. § 99.66 (describing enforcement mechanisms).

In sum, plaintiffs’ fears are wholly speculative. Plaintiffs have failed to meet their burden under Public Citizen to demonstrate that there is a greater risk of personal injury to the plaintiffs that flows from the new Rule or that the harm they posit is actual or imminent. This finding does not rely on what plaintiffs claim would be an unduly restrictive interpretation of the injury-in-fact requirement, which would require plaintiffs to show that the consequential harms of the privacy violation have already occurred. See Pl.’s Reply at 9. The Court’s conclusion is merely the result of plaintiffs’ failure to come forward with evidence — or even factual allegations — that the Final Rule makes any consequential harms substantially more likely to occur than before its enactment, and that as an absolute matter, the consequential harms are substantially likely to occur.

In that way, this case is distinguishable from the two cases from other jurisdictions that plaintiffs cite: Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir.2007), and Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir.2010). The Courts of Appeals for the Seventh and Ninth Circuits concluded that plaintiffs need not come forward with evidence that their data has actually been misused in order to establish injury in fact. And although they articulated a slightly different standard than the one articulated by the court of appeals in this jurisdiction, they still acknowledged that the plaintiff must show “a threat of future harm or ... an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced.” Pisciotta, 499 F.3d at 634; see also Krott ner, 628 F.3d at 1143 (holding that a plaintiff meets the injury-in-fact requirement for standing if he “faces a credible threat of harm, and that harm is both real and immediate, not conjectural or hypothetical”) (citations and internal quotation marks omitted).

In Pisciotta, the plaintiffs demonstrated that the website held by the defendant — a marketing website that helps individuals obtain banking services, which contained the plaintiffs’ personal identifying information, social security numbers, credit card numbers, and banking information — had been accessed by a sophisticated and malicious intruder. Pisciotta, 499 F.3d at 631—32. Based on those facts, the court found that there was a real and imminent threat of future harm to the plaintiffs. Id. at 634. And in Krottner, the plaintiffs' — a class of Starbucks employees — established that a corporate laptop containing encrypted personal data of about 97,000 Starbucks employees had been stolen. 628 F.3d at 1140-41. Based on that showing, the court found that the plaintiffs had alleged “a credible threat of real and immediate harm stemming from the theft.” Id. at 1143. The court acknowledged, however, that were the plaintiffs’ “allegations more conjectural or hypothetical — for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future — we would find the threat far less credible.” Id.

Plaintiffs here are asking the Court to find an injury in fact based on allegations and evidence showing only a vague possibility that their personal information might be stolen at some point in the future. That is not sufficient to demonstrate the imminence that constitutional standing requires. Accordingly, the Court finds that the individual plaintiffs have not satisfied the injury in fact prong of the constitutional standing requirement.

B. Causation and Redressability

Moreover, plaintiffs have failed to establish that any injury they will suffer would be caused by the provisions of the Final Rule that they challenge. “It is well established that ‘[cjausation, or traceability, examines whether it is substantially probable that the challenged acts of the defendant, not of some absent third party, will cause the particularized injury of the plaintiff.’ ” Grocery Mfrs. Ass’n v. EPA, 693 F.3d 169, 176 (D.C.Cir.2012) (alteration in original), quoting Fla. Audubon Soc’y v. Bentsen, 94 F.3d 658, 663 (D.C.Cir.1996); see also Freedom Republicans, Inc. v. FEC, 13 F.3d 412, 418 (D.C.Cir.1994) (stating that “fair traceability turns on the causal nexus between the agency action and the asserted injury”). In addition, the individual plaintiffs must demonstrate that it is “ ‘likely,’ as opposed to merely ‘speculative,’ that their injuries will be ‘redressed by a favorable decision.’ ” Lujan, 504 U.S. at 561, 112 S.Ct. 2130, quoting Simon, 426 U.S. at 38, 96 S.Ct. 1917.

Importantly, the Final Rule that plaintiffs are challenging here does not directly regulate plaintiffs or defendant, but instead regulates education institutions, which plaintiffs allege might take actions that affect them. As the Supreme Court in Lujan stated very clearly:

The existence of one or more of the essential elements of standing “depends on the unfettered choices made by independent actors not before the courts and whose exercise of broad and legitimate discretion the courts cannot presume either to control or to predict,” and it becomes the burden of the plaintiff to adduce facts showing that those choices have been or will be made in such manner as to produce causation and permit redressability of injury. Thus, when the plaintiff is not himself the object of the government action or inaction he challenges, standing is not precluded, but it is ordinarily “substantially more difficult” to establish.

Id. at 562, 112 S.Ct. 2130, quoting ASARCO Inc. v. Kadish, 490 U.S. 605, 615, 109 S.Ct. 2037, 104 L.Ed.2d 696 (1989). So, even if the Court assumes that plaintiffs have demonstrated that they face an imminent threat of identity theft, which they have not, plaintiffs must still show that it is the promulgation of the Final Rule that causes the injury: that the Final Rule itself causes educational institutions to disclose plaintiffs’ personal information to risky third parties, and that if the Court overturns the Final Rule, the educational institutions will stop disclosing plaintiffs’ personal information to those risky third parties. They have not made these showings either.

First, the expansion of the directory information exception does not cause the plaintiffs to face imminent identity fraud. As the Court already recounted, plaintiff Molina is the only plaintiff who can possibly be affected by the Final Rule’s expansion of the directory information exception since he is the only plaintiff who was still a student at the time this action was initiated. But, importantly, the Final Rule does not require Georgetown University— where Molina is a student — to disclose university ID numbers. ' Rather, the Final Rule provides that “directory information includes ” an ID number used by a student for purposes of accessing or communicating in electronic systems, and an ID number that is displayed on a student ID badge. 34 C.F.R. § 99.3 (emphasis added). Under FERPA, each educational institution can choose whether to make the various categories of directory information public or not. 20 U.S.C. .§ 1232g(a)(5)(B). So it is within Georgetown University’s discretion to decide whether it will publicize student ID numbers by requiring that they be placed on a student badge. Plaintiffs have not come forward with any facts — or even factual allegations — to show that the promulgation of the Final Rule has caused or will cause Georgetown to make that choice. Indeed, as the Court has already described in its discussion of the injury-in-fact requirement, the Georgetown University website appears to show that the university already requires university ID numbers to appear on student and faculty ID cards. Accordingly, the Court cannot find that any injury the new definition of “directory information” might cause would be redressable with the relief sought in this case' — the invalidation of the Final Rule. Compl. ¶¶ 32, 37 & p. 7.

The Court similarly cannot find that the Final Rule’s expansion of the authorized representative exception has caused any individual plaintiff to face an imminent risk of identity fraud. As already discussed, the realization of plaintiffs’ identified injury requires a long chain of events to occur. Two of those events require the exercise of discretion by third parties: first, plaintiffs’ educational institutions must choose to disclose their personal information to “unregulated” third-party entities, and then those entities must use plaintiffs’ information in a fraudulent or injurious way or disclose it to even another party who uses it in a way that injures plaintiffs. Such a chain of events is too attenuated for the Court to find that defendant’s issuance of the Final Rule is the cause of any resulting injury to plaintiffs. See Ctr. for Biological Diversity v. U.S. Dep’t of Interior, 563 F.3d 466, 478 (D.C.Cir.2009) (“The more attenuated or indirect the chain of causation between the government’s conduct and the plaintiffs injury, the less likely the plaintiff will be able to establish a causal link sufficient for standing.”).

Moreover, as defendant points out, even before the definition of “authorized representative” was changed by the Final Rule, the Department defined that term to permit the disclosure of student data to a wide variety of individuals who were not employees of state or local education agencies. See 73 Fed.Reg. 74806, 74825 (Dec. 9, 2008) (codified at 34 C.F.R. pt. 99) (preamble to 2008 regulations) 12 ; Final Rule, AR at 709 (listing some examples of entities that have received student data under FERPA’s authorized representative exception that are not employees or contractors of state or local education agencies). And the individuals who receive student data under the 2011 Final Rule are subject to privacy protection requirements and penalties for violations, just as the individuals that were permitted to receive student data were before the enactment of the Final Rule.. 34 C.F.R. §§ 99.35(a)(2)(i)-(iii), 99.66; see also Final Rule, AR at 710, 734-35. In fact, the requirements in the 2011 Final Rule are more restrictive than the restrictions in the prior rule. Compare 34 C.F.R. § 99.35(a)(3) (2011) (requiring a written agreement between the educational authority or agency and the authorized representative, delineating, for example, the time period in which the personal information must be destroyed and the privacy policies and procedures that will be followed), with 34 C.F.R. § 99.35(a) (2008) (containing no such requirement). 13 Accordingly, plaintiffs cannot establish that any risk of their personal information being compromised would be redressed by the invalidation of the 2011 Final Rule.

Because plaintiffs have failed to establish that the individual plaintiffs satisfy the elements of constitutional standing, the Court finds that it lacks subject matter jurisdiction over their claims.

II. EPIC LACKS STANDING AS AN ASSOCIATION

An association has standing to sue on behalf of its members if it can demonstrate that: “(1) at least one of its members would have standing to sue in his own right, (2) the interests the association seeks to protect are germane to its purpose, and (3) neither the claim asserted nor the relief requested requires that an individual member of the association par ticipate in the lawsuit.” Sierra Club v. EPA, 292 F.3d 895, 898 (D.C.Cir.2002), citing Hunt v. Wash. State Apple Adver. Comm’n, 432 U.S. 333, 342-43, 97 S.Ct. 2434, 53 L.Ed.2d 383 (1977). Although EPIC argues that the members of its Board of Directors and Advisory Board act as members of the organization for purposes of standing, Pis.’ Mem. at 11-13, defendant raises serious questions about whether EPIC is an association made up of members that may avail itself of the associational standing doctrine, Mem. in Support of Def.’s Mot. to Dismiss or, in the Alternative, for Summ. J. (“Def.’s Mem.”) at 14-15 [Dkt. # 18]; Def.’s Opp. to Pis.’ Cross-Mot. for Summ. J. (“Def.’s Opp.”) at 12 n.12 [Dkt. # 22]. But regardless of the outcome of that dispute, plaintiff EPIC cannot satisfy associational standing because it has not established that any of the individuals that it identifies as EPIC’s “members” have standing to sue in their own right. The only “members” that plaintiffs identify as possessing individual standing are the same four individuals who are named as plaintiffs in this action. Pis.’ Mem. at 12-13. Since this Court has already found that those plaintiffs have not established constitutional standing to bring their claims, the Court must find that EPIC lacks constitutional standing on their behalf as well. See Wilderness Soc’y v. Norton, 434 F.3d 584, 590 (D.C.Cir.2006) (“In order to establish standing, [the association] must demonstrate, as to each of its claims, that at least one member meets the requirement of Lujan.’’).

III. EPIC LACKS STANDING AS AN ORGANIZATION

To sue on its own behalf, an organization must meet the standing requirements applicable to individuals: (1) injury in fact, (2) causation, and (3) redressability. Havens Realty Corp. v. Coleman, 455 U.S. 363, 378, 102 S.Ct. 1114, 71 L.Ed.2d 214 (1982); Nat’l Taxpayers Union, Inc. v. United States, 68 F.3d 1428, 1433 (D.C.Cir.1995). EPIC asserts that its alleged harm caused by the Final Rule — making EPIC’s activities less effective and causing EPIC to expend resources in an effort to counteract the Department of Education’s “unlawful FERPA revision” — constitutes a cognizable injury in fact under Havens and this circuit’s precedent applying that decision. Pls.’ Mem. at 8-11; Pis.’ Reply at 2-7.

The Havens line of cases requires an organization to satisfy the injury-in-fact requirement by asserting that it has suffered a “concrete and demonstrable injury to the organization’s activities — with a consequent drain on the organization’s resources — constituting] ... more than simply a setback to the organization’s abstract social interests.” Nat’l Ass’n of Home Builders v. EPA, 667 F.3d 6, 11 (D.C.Cir.2011) (alterations in original), quoting Havens, 455 U.S. at 378-79, 102 S.Ct. 1114 (internal quotation marks omitted). Specifically, the “ ‘organization must allege that discrete programmatic concerns are being directly and adversely affected’ by the challenged action.” Nat’l Taxpayers, 68 F.3d at 1433, quoting Am. Legal Found. v. FCC, 808 F.2d 84, 92 (D.C.Cir.1987); see also Havens, 455 U.S. at 379, 102 S.Ct. 1114 (finding that the organizational plaintiff alleged an injury in fact where it asserted that the defendant’s racial steering practices “perceptibly impaired” its ability to provide counseling and referral services to low- and moderate-income home seekers); Abigail Alliance for Better Access to Developmental Drugs v. Eschenbach, 469 F.3d 129, 132-33 (D.C.Cir.2006) (finding an injury in fact where the organizational plaintiff alleged that it had to divert significant time and resources from its activities — including assisting its members and the public in accessing potentially life-sav ing drugs, counseling, referral, advocacy, and educational services — in order to help its members and the public address new FDA requirements).

But the D.C. Circuit has not found standing when “the only ‘service’ impaired is pure issue-advocacy.” Ctr. for Law and Educ. v. Dept. of Educ., 396 F.3d 1152, 1162 (D.C.Cir.2005). In Center for Law and Education, the organizational plaintiffs alleged that the challenged federal regulations had injured them because they “force[d] them to change their lobbying strategies [to] a more costly form of lobbying.” Id. at 1161. In rejecting this alleged harm, the court observed: “This Court has not found standing when the only ‘injury’ arises from the effect of the regulations on the organizations’ lobbying activities (as opposed to the effect on non-lobbying activities).” Id.; see also Nat’l Treasury Emps. Union v. United States, 101 F.3d 1423, 1429 (D.C.Cir.1996) (“[Conflict between a defendant’s conduct and an organization’s mission is alone insufficient to establish Article III standing. Frustration of an organization’s objectives ‘is the type of abstract concern that does not impart standing.’ ”), quoting Nat’l Taxpayers Union, 68 F.3d at 1433.

Similarly in Nat’l Taxpayers Union, the National Taxpayers Union (“NTU”) — a nonprofit organization formed to promote fair, responsible, and legal revenue-raising practices by the U.S. government — sought to enjoin the enforcement of Section 13208 of the Omnibus Budget Reconciliation Act of 1993 (“Section 13208”), Pub.L. No. 103-66, 107 Stat. 312, which set the maximum federal estate and gift tax rates. 68 F.3d at 1430. The organization argued that its injuries included “the drying up of its donations, the costs of NTU’s anti-Section 13028 [sic] education and lobbying efforts, and NTU’s moral despair at seeing its goals frustrated.” Id. at 1432. The court held that these alleged injuries were insufficient for Article III purposes. Id. Specifically, the court explained that the impact of Section 13208 upon NTU’s educational and legislative initiatives did not constitute an injury in fact because an organization cannot “manufacture the injury necessary to maintain a suit from its expenditure of resources on that very suit.” Id. at 1434, quoting Spann v. Colonial Vill., Inc., 899 F.2d 24, 27 (D.C.Cir.1990) (internal quotation marks omitted); see also Ass’n for Retarded Citizens v. Dall. Cnty Mental Health & Mental Retardation Ctr. Bd. of Trs., 19 F.3d 241, 244 (5th Cir.1994) (“The mere fact that an organization redirects some of its resources to litigation and legal counseling in response to actions or inactions of another party is insufficient to impart standing upon the organization.”). The court explained that, unlike in Havens where the defendant’s practices perceptibly impaired the organization’s ability to provide services to its clients, Section 13208 did not force NTU to spend resources in a way that kept it from pursuing its true purpose of monitoring the government’s revenue practices. Nat’l Taxpayers Union, 68 F.3d at 1434 (“NTU cannot convert its ordinary program costs into an injury in fact from Section 13208.”).

Here, the Final Rule has not impeded EPIC’s programmatic concerns and activities, but fueled them. And the expenditures that EPIC has made in response to the Final Rule have not kept it from pursuing its true purpose as an organization but have contributed to its pursuit of its purpose. Like the advocacy and lobbying organizations in National Taxpayers Union and Center for Law and Education, EPIC’s expenditure of funds to promote its legislative agenda through research, education, outreach to the public and the media, submission of administrative comments, and litigation'is a normal and criti cal part of its mission and operations. See Rotenberg Decl. ¶ 2; Barnes Decl. ¶ 2. Indeed, in her declaration, Barnes explains that the time and resources she expended on activities related to the Final Rule would otherwise have been spent on research and advocacy related to other proposed federal agency privacy regulations. Barnes Decl. ¶ 17. 14 But the fact that EPIC has had to redirect some of its resources from one legislative agenda to another is insufficient to give it standing. See Nat’l Taxpayers Union, 68 F.3d at 1434. EPIC cannot convert an ordinary program cost — advocating for and educating about its interests — into an injury in fact.

In Fair Employment Council of Greater Washington, Inc. v. BMC Marketing Corp., 28 F.3d 1268 (D.C.Cir.1994), the D.C. Circuit explicitly rejected a fair-housing organization’s argument that it had standing because the mere expense of sending racially diverse “testers” to an employment agency that was allegedly discriminating on the basis of race was an injury in fact fairly traceable to the agency’s conduct. Id. at 1276. The court explained:

The diversion of resources to testing might well harm the [plaintiffs] other programs, for money spent on testing is money that is not spent on other things. But this particular harm is self-inflicted; it results not from any actions taken by [the defendant], but rather from the [plaintiffs] own budgetary choices.

Id. The court explained that to meet the injury-in-fact requirement, the organization had to show that the agency’s discriminatory actions “perceptibly impaired” its programs. Id. Similarly here, nothing about the Final Rule impaired EPIC’s ability to provide its programs or carry out its activities. Like the resources spent on testing in Fair Employment Council, the resources that EPIC expended on advocacy and education about preserving privacy safeguards were expended by choice because such activities are at the core of EPIC’s mission. See Barnes Decl. ¶2 (stating that EPIC was established “to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and other constitutional values” and that “EPIC has a particular interest in preserving privacy safeguards established by Congress” through activities “designed to protect privacy and educate the public, including, policy research, public speaking, conferences, media appearances, publications, litigation, and comments for administrative and legislative bodies regarding the protection of privacy”). The diversion of EPIC’s resources to educate the public about and advocate against the Department of Education’s Final Rule is not a sufficient injury in fact.

Therefore, EPIC has not demonstrated an injury in fact sufficient for Article III purposes.

. CONCLUSION

Because none of the plaintiffs in this action have satisfied the constitutional standing requirements, the Court will grant defendant’s motion to dismiss this case for lack of subject matter jurisdiction and will deny plaintiffs’ cross-motion for summary judgment. A separate order will issue.

1 . FERPA generally refers to the rights of parents, but those rights transfer to the student when the student turns eighteen years old or enrolls in a postsecondary institution. See 20 U.S.C. § 1232g(d).

2 . The restrictions on disclosure of educational records are only waived with regard to the Attorney General when disclosure is "for law enforcement purposes.” 20 U.S.C. § 1232(b)(1)(C). In addition, state and local educational officials are exempted from the disclosure restrictions when disclosure of the records "may be necessary in connection with the audit and evaluation of any federally or State supported education program or in connection with the enforcement of the Federal legal requirements which relate to any such program.” Id. § 1232g(b)(5) (emphasis added).

3 . Although plaintiff brings the standing issue - as a motion to dismiss under Federal Rule of Civil Procedure 12(b)(1), the parties are at the summary judgment stage of the litigation: defendant filed an answer, which listed as the first affirmative defense lack of standing, Answer at 1 [Dkt. # 7]; the Court entered a scheduling order, consistent with the parties' meet and confer statement, that provided time for defendant to file the administrative record and for the parties to brief dispositive motions, Scheduling Order at 1 [Dkt. # 9]; and, consistent with that scheduling order, defendant's motion was styled as a motion to dismiss for lack of subject matter jurisdiction or, in the alternative, motion for summary judgment, see Def.'s Mot., and plaintiffs' opposition to the motion doubled as a cross-motion for summary judgment, see Pis.' Mot. Nonetheless, the Court finds that plaintiffs have not established standing even under the motion to dismiss standard because not only have plaintiffs failed to come forward with factual evidence of injury in fact, causation, and redressability, but they have also failed to allege sufficient factual allegations to support those three elements of standing in the complaint.

4 .Moreover, the individual plaintiffs in this case are only four people out of the millions that are subject to the Final Rulé, so it is difficult for plaintiffs to establish that they personally will have both a substantially increased risk of harm and a substantial probability of harm with that increase taken into account. See Williams v. District of Columbia, 530 F.Supp.2d 119, 126-27 (D.D.C.2008) (distinguishing the instant case brought by one individual who could not demonstrate that he personally would suffer an increased likelihood of harm from cases like Mountain States and Natural Resources Defense Council, which were brought by large organizations with many members that could demonstrate a heightened probability of harm by showing with statistics that at least one of its members would be impacted).

5 . Plaintiffs have argued that not only does the Final Rule improperly characterize student ID numbers as "directory information,” (which is information not generally considered to be harmful or an invasion of privacy if •disclosed), but the Final Rule also disregards the FERPA requirement that educational institutions must provide students an opportunity to request that the institution obtain their consent before disclosing directory information. Pis.’ Mem. at 18-19.

6 . At the time this opinion was issued, the trial transcript was not available.

7 . Although plaintiffs object to the definition of "education program” in the Final Rule, their theory of the way that this definition injures them is linked to their theory of how the Final Rule’s definition of the term “authorized representative” injures them, so the Court need only address whether plaintiffs ' demonstrate injury in fact from the change that the Final Rule makes to the definition of "authorized representative.” Plaintiffs appear to protest that the Final Rule expands the number of entities that are considered “education programs” and therefore increas- ' es the number of sources of personal information that may now be disclosed to "authorized representatives.” See Pis.’ Reply at 8 (explaining that “authorized representatives” are any designated entity or individual that will audit or evaluate a federal- or state-supported education program). But since the definition of "authorized representative” has also been expanded, plaintiffs argue, the personal information from all of these sources is now disclosable to more entities, including "unregulated” third parties. Id. So, plaintiffs’ theory of injury that arises from the new definition of "education program” appears to rely on the risk of harm that the agency has allegedly created by broadly defining the term "authorized representative.” Accordingly, the Court's conclusion that plaintiffs have not shown any imminent injury from the redefinition of "authorized representative” closes off any theory of injury caused by the new definition of “education program.”

8 . Although plaintiffs do not define precisely what they mean by "unregulated third-parties,” the Court construes this phrase to mean entities that are not under the “direct control” of an entity to which FERPA expressly extends authorization to access' student records in order to conduct an audit or evalúa tion or for enforcement or compliance activity under 20 U.S.C. § 1232g(b)(3). The Court adopts this construction because the Final Rule changes the Department’s definition of "authorized representative” by omitting the “direct control” requirement. See 76 Fed. Reg. 75604, 75616-17 (Dec. 2, 2011) (codified at 34 C.F.R. pt. 99) (stating that, under the policy guidance issued in 2003, outside parties were included under the definition of "authorized representative” so long as they were under the direct control of a state educational authority, but that in the 2011 Final Rule, the Department has decided to eliminate the direct control requirement).

9 . The Peel Declaration states that the University of Texas Medical Branch ("UTMB”) collected a full set of fingerprints as a requirement to matriculate. Peel Decl. ¶ 6. However, the declaration does not state that those fingerprints are still being maintained in her education records at UTMB, and the Court declines to assume that they are as Peel received her M.D. and completed her residency at that institution nearly four decades ago, in 1974 and 1977 respectively. Id. ¶ 4.

10 . In addition, because plaintiffs have not identified the type of personal information that is currently being maintained about them, plaintiffs cannot even show that the personal information their educational institutions maintain about them is of the same type as the information that has been or will be disclosed to SLDS entities.

11 . Although Barber attended the School of Communication at Rutgers in New Jersey for two months in 2010, the National Center for Education Statistics website reveals that New Jersey's only application for SLDS funding was filed in 2012. Statewide Longitudinal Data Systems Grant Program: Grantee State— New Jersey, National Center for Education Statistics, http://nces.ed.gov/programs/slds/ state.asp?stateabbr=NJ (last visited Sept. 11, 2013).

12 . The preamble of the 2008 rule stated:

In general, the Department has interpreted FERPA and implementing regulations to permit the disclosure of personally identifiable information from education records, without consent, in connection with the outsourcing of institutional services and functions. Accordingly, the term ‘authorized representative' in [34 C.F.R.] § 99.31(a)(3) includes contractors, consultants, volunteers, and other outside parties (i.e., non-employees) used to conduct an audit, evaluation, or compliance or enforcement activities specified in § 99.35, or other institutional services or functions for which the official or agency would otherwise use its own employees. For example, a State educational authority may disclose personally identifiable information from education records, without consent, to an outside attorney retained to provide legal services or an outside computer consultant hired to develop and manage a data system for education records.

73 Fed.Reg. 74806, 74825 (Dec. 9, 2008) (codified at 34 C.F.R. pt. 99).

13 . Defendant even argues — and plaintiff does not expressly dispute — that “the only meaningful effect of abandoning the direct control standard was to permit other government entities who were not educational authorities to receive information from educational agencies and institutions.” Def.’s Opp. to Pis.’ Cross-Mot. for Summ. J. ("Def.’s Opp.”) at 10 [Dkt. # 22]; see also Mem. in Support of Def.’s Mot. to Mot. to Dismiss or, in the Alternative, For Summ. J. ("Def.’s Mem.”) at 33-34 [Dkt. # 18].

14 . The Rotenberg Declaration also explains that the resources that EPIC expended on advocacy and education about the Department of Education’s FERPA rulemaking during the time before the Final Rule was issued would have been redirected to EPIC’s amicus project, Freedom of Information Act requests litigation, publications," other administrative rulemakings, or press and public outreach. However, since these expenditures were not caused by the issuance of the Final Rule that plaintiffs challenge, the Court will not consider them in its injury-in-fact analysis. See Ro-tenberg Decl. ¶¶ 9-13. In addition, the parties agree that resources spent in preparation for the litigation of this case cannot form the basis for injury in fact. See Pis.' Mem. at 8 ("The expenditure of resources must have been undertaken 'in response to, and to counteract, the effects of the defendants’ alleged [violations] rather than in anticipation of litigation.’ ”) (alterations in original), quoting Equal Rights Ctr. v. Post Properties, Inc., 633 F.3d 1136, 1140 (D.C.Cir.2011).