In a Dear Colleague letter issued on July 29, 2015 the Department of Education’s Federal Student Aid Office (FSA) indicated a renewed interest in protecting student personally identifiable information (PII) from unauthorized access. According to FSA, recent instances of data breaches at organizations entrusted with PII “continue to proliferate and reinforce the need for focused action” by the U.S. Government, institutions of higher education, and other entities including state grant agencies, lenders, contractors and third-party servicers.

The Dear Colleague letter reminds institutions that they may be responsible for losses, fines and penalties (including criminal penalties) caused by data breaches or any other unauthorized access under Title IV of the Higher Education Act of 1965 (HEA), the Family Educational Rights and Privacy Act (FERPA), the Privacy Act of 1974, the Gramm-Leach-Bliley Act, as well as state data breach and privacy laws. Institutions that use third-party servicers to fulfill institutional obligations under Title IV of the HEA are also reminded that the institution remains liable for the actions of its servicer, pursuant to 34 CFR § 668.25.

Accordingly, FSA strongly encourages institutions to follow industry standards and best practices in managing information and securing PII, and recommends utilizing the resources of US-CERT and other organizations dedicated to the protection of information systems. Finally, institutions are reminded that in the event of an unauthorized disclosure or an actual or suspected breach of PII, the institution must immediately notify FSA at CPSSAIG@ed.gov, as required in the Student Aid Internet Gateway (SAIG) Enrollment Agreement entered into by all Title IV participating institutions.

Client Tip:Institutions should assess and implement strong security policies and controls for the management of all systems, databases, and processes that involve any student information, including PII, in support of applications for and receipt of Title IV student assistance.