The Equifax data breach has many lawmakers demanding stronger protections and regulations for consumer data. But did you know that schools are already required to comply with strict cybersecurity regulations? Not because of the Family Educational Rights and Privacy Act (FERPA), but because of the Gramm-Leach-Bliley Act (GLBA). If you have never heard of this act, you are not alone. However, failure to comply with the GLBA could result in the loss of Title IV eligibility.
Department of Education Cybersecurity Actions
The Department of Education (Department) has taken several actions that make it abundantly clear that Title IV schools must comply with cybersecurity regulations, including the GLBA and Safeguards Rule. The Department has also explicitly stated that it considers a breach to the security of student records as a demonstration of a potential lack of administrative capability, which can lead to restrictions on a school’s Title IV funding, including a complete loss of eligibility.
Here is a brief summary of the Department’s activities regarding cybersecurity:
- Issued two “Dear Colleague” letters (GEN 15-18; GEN 16-12);
- Amended the Student Aid Internet Gateway (SAIG) Enrollment Agreements to require compliance with federal cybersecurity laws and reporting requirements in the event of a breach or suspected breach;
- Amended the 2016-2017 FSA Handbook to address the cybersecurity compliance and reporting requirements set forth in the SAIG Enrollment Agreement;
- Amended the Audit Guide to include cybersecurity measures;
- The FSA’s chief information security officer gave a presentation entitled “Cyber Security Requirements for Institutions of Higher Education” at the July 2016 National Association of Student Financial Aid Administrators (NASFAA) Conference;
- FSA reminded financial aid administrators at the July 2017 NASFAA Conference of the cybersecurity obligations and indicated that a new “Dear Colleague” letter is expected shortly; and
- Is actively investigating data breaches to confirm compliance with federal cybersecurity laws and to ensure that there is no lack of administrative capability.
The GLBA places an affirmative obligation on financial institutions to implement reasonable security measures sufficient to safeguard sensitive consumer information. In order to comply with legal and regulatory requirements, schools must:
- Perform an initial assessment identifying what sensitive information the school possesses, how it is stored, how it is accessed, who has access, who needs access to the information for valid business purposes, and how and to whom the data is transmitted;
- Develop written policies and procedures to protect sensitive information, including policies for managing access to the data, physical and technical security measures, and employee training on the policies at all levels of the organization;
- Implement physical and technical security measures to protect sensitive information;
- Test and monitor security measures to confirm efficacy;
- Adjust security measures as needed, based on the results of testing and/or changes to business practices;
- Designate one or more employees to manage the school's cybersecurity program; and
- Oversee service providers who have access to sensitive information.
Developing a Cybersecurity Program
There is no one-size-fits-all cybersecurity program. You should work with your legal counsel and information security professionals to determine which options are right for your school. However, the Department has strongly suggested that schools comply with the security standards set forth by the National Institute of Standards and Technology (NIST) in Special Publication 800-171. Below are a few key features:
- Develop an Information Security Program
  - Designate a program coordinator or team
  - Conduct a risk assessment of each system component to identify risks
  - Establish a system security plan describing how safeguards are used to control the identified risks
  - Select service providers that will maintain appropriate security standards
- Employee Management and Training
  - Background and reference checks
  - Confidentiality agreements
  - Limit access to authorized employees
  - Complex passwords (changed at set intervals)
  - Screen savers
  - Limit unsuccessful log-on attempts
  - Control remote access sessions (e.g., authentication, passwords)
  - Implement use and protection policies for all electronic devices
  - Encrypt communications containing sensitive data
  - Train employees to take steps to maintain security and confidentiality
  - Establish disciplinary measures
- Information Systems
  - Know where sensitive customer information is stored
  - Store the information securely
  - Encrypt stored data
  - Regularly update software and applications
  - Allow only authorized employees to have access
  - Dispose of student data when no longer needed
  - Dispose of information securely
- Detecting and Managing System Failures
  - Maintain updated and appropriate programs and system controls
  - Establish oversight procedures to detect security breaches or theft
  - Develop self-auditing procedures to regularly test security
  - Monitor relevant industry materials to learn about emerging threats
  - Preserve the security and confidentiality of information in the event of a breach
  - Consider notifying law enforcement and/or consumers if a breach occurs
To protect against costly data breaches and minimize risk of non-compliance with the GLBA, schools should consult with legal counsel and information security professionals to develop and implement a robust cybersecurity policy.
For Further Information
If you have any questions concerning this Alert, please contact Michelle Hon Donovan, any member of the Higher Education Practice Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.