Cybersecurity Update: Protecting Student Data Critical to Continued Participation in the Federal Student Aid Programs

March 3, 2020

On February 28, 2020, the U.S. Department of Education’s Office of Federal Student Aid (FSA) issued an electronic announcement regarding the enforcement of the Gramm-Leach-Bliley Act’s (GLBA) cybersecurity requirements for all institutions of higher education participating in the Title IV, Higher Education Act (HEA) federal student financial aid programs and their third-party servicers. The announcement states that auditors are expected to evaluate three GLBA information safeguard requirements in annual compliance audits of postsecondary institutions and third-party servicers. Any finding of noncompliance will be sent to both the Federal Trade Commission (FTC) and the FSA’s cybersecurity team for further investigation and potential adverse action. All Title IV participating institutions should consult with counsel about the very serious consequences and administrative actions that may be taken if they or their third-party servicers fail to meet the GLBA’s information security requirements.

Background

The requirement to protect student data is not new; the recent announcement reminds all Title IV participating institutions of higher education of these longstanding obligations.

As part of its Program Participation Agreement with the Department, each institution has agreed to comply with the information security requirements of the GLBA and accompanying regulations (aka the Safeguards Rule) promulgated and enforced by the FTC. Title IV participating institutions also sign the Student Aid Internet Gateway Enrollment Agreement, which states that federal student aid applicant information will be protected from disclosure to unauthorized personnel. In 2015 and 2016, the Department emphasized that schools must develop an information security program and conduct a risk assessment to identify and mitigate potential vulnerabilities in information systems that maintain student data.

More recently, in October 2019, the Department issued a letter to certified public accountants conducting annual compliance audits of certain institutions of higher education as well as all third-party servicers. Through this letter, the Department amended the September 2016 Audit Guide, Guide for Audits of Proprietary Schools and For Compliance Attestation Engagements of Third-Party Servicers Administering Title IV Programs, by adding Section C.8.12 to Chapter 3 to determine whether institutions of higher education have complied with the GLBA and the Safeguards Rule with regard to ensuring the security and confidentiality of student information. Auditors must confirm that institutions and service providers have: (1) designated an individual to coordinate the institution’s information security program; (2) performed a risk assessment that addresses the three required areas set forth in the Safeguards Rule; and (3) documented a safeguard for each identified risk.

What’s New

The announcement sets out for the first time the potential consequences when the Department receives an audit report that includes a GLBA audit finding of noncompliance, a strong signal that the Department is ramping up GLBA enforcement. The Department states that the finding will be sent to both the FTC and the FSA cybersecurity team. The FTC has the authority to investigate further and determine whether any action is needed as a result of the GLBA audit finding. Additionally, the FSA cybersecurity team may request further documentation from the institution to assess the level of risk to student data presented by the institution’s or servicer’s information security system. Depending on that assessment, the cybersecurity team may temporarily or permanently disable access to the Department’s information systems, or refer the institution to the Administrative Actions and Appeals Service Group for consideration of a fine or other administrative action.

For More Information

If you have any questions related to this Alert, please contact Michelle Hon Donovan, Katherine D. Brodie, Brandi A. Taylor, any of the attorneys in the Higher Education Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.