In the wake of the OPM data breach, it is no wonder that the U.S. Government has begun to think seriously about the implications of data breaches more broadly. As anyone who has had the pleasure of filling out a FAFSA form knows, the financial aid departments at colleges and universities are a gold mine of personally identifiable information (“PII”). To that end, on July 29, 2015, the Department of Education issued a Dear Colleague Letter, GEN-15-18, titled “Protecting Student Information.” In this blog post, we break down the key points of this letter and the steps that colleges and universities should be taking now to combat cybersecurity threats.
The directive of the letter is clear. Colleges and universities are encouraged to quickly:
- “assess and implement strong security policies and controls”
- “undertake ongoing monitoring and management for the systems, databases and processes that support all aspects of the administration of Federal student financial aid programs”
These systems, databases, and processes include everything that collects, processes, or distributes information – including PII – in support of applications for and receipt of Title IV funds. To protect them, the letter asks institutions to:
- Assess risk and potential magnitude of harm that could result from a breach;
- Determine and set various levels of security appropriate to protect the information and information systems;
- Implement policies and procedures to cost-effectively reduce risks; and
- Monitor and regularly test information security controls, implementing necessary improvements based on such testing.
It is critical that your data privacy and security policies are updated to reflect the results of the above action items. A policy is only as good as its implementation, but a policy with clear processes for risk reduction, information system monitoring, and breach notification will help in the event of a breach – and is expected by the Department of Education.
The Sources of Obligations
In the letter, the Department of Education underscored that colleges and universities are obligated to protect PII by virtue of two documents:
- Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that each Title IV participating institution “[m]ust ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.”
- Program Participation Agreement, which incorporates Title V of the Gramm-Leach-Bliley Act, requiring institutions of higher education to ensure the security and confidentiality of customer records and information. This requirement is reflected in the Federal Student Aid Handbook as well.
Sources of Possible Liability
The Dear Colleague Letter notes that an institution may face liability for a data breach under several statutes, but specifically outlines liability under the Family Educational Rights and Privacy Act (“FERPA”) and the Gramm-Leach-Bliley Act.
For example, FERPA prohibits institutions from having policies or practices that permit the disclosure of education records, or the PII contained in them, without the written consent of the student (subject to certain exceptions). Failure to take appropriate steps to protect PII may obviously result in the disclosure of education records; less obviously, that failure may itself be viewed as a policy or practice of permitting the release or disclosure of education records – a violation of FERPA. Under FERPA, no funds shall be made available to an educational agency or institution that has a policy or practice of permitting the release of personally identifiable information in education records except as authorized by statute. 20 U.S.C. §1232g(b).
It is important, therefore, to draft and implement clear policies and procedures for protecting information and information systems, and to ensure regular monitoring of those systems.
Third Party Obligations
Many of the recommendations in the Dear Colleague letter may lead an institution to contract with outside vendors to aid in the administration of the Title IV student financial assistance programs. Managing these relationships is critical, because the institution will be held liable if a breach occurs due to the actions of a third-party provider. Vendor contracts should therefore flow down the same security and breach-notification obligations the institution itself carries, and the institution should verify that those obligations are actually being met.
Breach Notification Requirements
While FERPA does not require the institution to notify students of a data breach, the Dear Colleague letter highlights the notification requirement found in the SAIG Agreement. An institution is obligated to notify FSA at CPSSAIG@ed.gov in the event of an unauthorized disclosure or an actual or suspected breach of application information or sensitive PII. This notification piece is perhaps the most difficult to implement. A good information security program can and should alert you to suspected breaches in as close to real time as possible, but the scope and extent of a breach are often not immediately known. Because the obligation covers suspected as well as confirmed breaches, waiting until the full scope is understood is not an option: the procedure should define who decides that a suspected breach exists, who sends the notification to FSA, and how the initial report is updated as the investigation proceeds. It is therefore important to ensure that your data security policy and procedures contemplate this notification requirement and what it means for your individual student population and the university setting.
Although styled as a reminder, the Department of Education’s Dear Colleague Letter is a wake-up call to institutions of higher education and their third-party providers to get their data houses in order – and quickly.