Institutions Subject to Reporting Obligation Should Consider Ways to Adequately Protect Student Data Once Compiled.

The end of this month marks the first significant deadline for Title IV (federal student financial aid program) participating institutions of higher education under the U.S. Department of Education's Gainful Employment (GE) rule that went into effect on July 1, 2015. Institutions offering one or more GE programs are required to report, no later than July 31, 2015, student-specific information from the 2008–2009 award year through the 2013–2014 award year. Most educational programs of less than two years in length offered by private nonprofit and public postsecondary institutions, and nearly all educational programs offered by proprietary postsecondary institutions, are considered GE programs under the new rule. These programs are subject to a new regime of student debt/earnings metrics to determine their continued federal student aid eligibility. The first set of metrics will be developed with the data reported this month, and this reported set of data reaches back at least six award years, as noted above, to collect data on all students previously enrolled in a GE program.

The purpose of this Alert is to serve as a reminder for institutions subject to this reporting obligation that the data being compiled by institutions and reported to the U.S. Department of Education this month contain personally identifiable information (PII), as defined by the Family Educational Rights and Privacy Act (FERPA). PII includes the following: student names, Social Security numbers and dates of birth, as well as private student information, including institutional and private loan amounts. The compiled data are likely to be "high risk" for institutions, in that inadvertent disclosure of the information is a potential violation of federal and state laws. In addition, a breach may cause reputational harm to institutions among the consumers affected or potentially affected. The Department has stated that institutions are required to maintain the data in a "secure format" and in a "secure location."

These and other laws apply to the protection of the personal information in the GE data:

  • FERPA: This Act prohibits the improper disclosure of PII without consent. Third-party servicers assisting institutions with GE reporting and receiving GE data containing PII should fall within an exception to FERPA that allows the school to share this data provided the vendor is under the direct control of the school, disclosure of information to vendor employees is limited on a need-to-know basis, and there is no unauthorized disclosure of the information by the vendor. These requirements should be addressed in the vendor contract.
  • Gramm-Leach-Bliley Act / Safeguards Rule: The Safeguards Rule requires institutions to develop, implement and maintain a written, comprehensive information security program that contains administrative, technical and physical safeguards that are appropriate to the size and complexity of the company, the nature and scope of its activities and the sensitivity of any customer information at issue. The program has to meet the following three objectives: (i) insure the security and confidentiality of consumer information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) protect against unauthorized access to or use of such information.
  • State Laws: Some state laws require companies that collect PII, such as what is found in student records and GE data, to take reasonable security measures to protect that information from unauthorized disclosures. Many states have laws specific to the use and protection of Social Security numbers.

Institutions should consider taking the following steps:

  • Designate an information security officer.
  • Inventory the types of PII and other student-level data the school possesses, the locations of that data, and how it is stored, accessed, transmitted and protected from unauthorized use or tampering.
  • Have a comprehensive data security policy in place, including for maintenance of GE data and including data destruction protocols.
  • Include necessary data security provisions in contracts with vendors (e.g., GE reporting vendors).
  • Test data security protocols regularly.
  • Have a plan in place for responding to a data breach.