In recent months, the Federal Student Aid (FSA) division of the Department of Education (ED) has taken unorthodox steps in sending colleges and universities compliance letters regarding breach notification and information security reporting, based on unconfirmed reports of student information data breaches. Some letters were sent without prior FSA communication with the designated institutional contacts—as laid out in agreements between FSA and the involved institutions. In some cases, the compliance letters were sent directly to the president or chancellor of an institution in response to media reports of suspected breaches, without FSA first confirming the alleged breach with the institution.
These letters—copies of which have been made available by EDUCAUSE on its website—range in tone from asserting various reporting requirements that institutions must ostensibly comply with (based on actual or suspected data breaches), to reprimanding schools for alleged failures to self-report breaches to FSA. Further, Federal Student Aid asserts that institutions also have the responsibility to provide “immediate notification” of any and all suspected or actual breaches, even if the breach has no impact on federal student aid data. This extremely granular approach would require even the most basic of incidents, such as a student needing to change a portal password after entering it incorrectly multiple times, to be reported to FSA.
Institutions Struggle to Respond
Federal Student Aid’s authority to regulate in this area is based solely on contractual provisions in its Program Participation and Student Aid Internet Gateway agreements; such authority is not defined under federal law or regulations. As such, it is still unclear to schools whether FSA’s authority to regulate in this space, absent a firmer legal or regulatory basis, actually exists.
Additionally, what FSA determines to be a “breach,” “suspected breach,” or “immediate notification” is not defined in any of these agreements, leaving institutions to attempt to define the terms on their own without any further compliance guidance from the Department of Education.
ED’s Previous Actions
As NACUBO reported in April 2017, FSA, at that time, expressed interest in adding an audit objective to the FY18 compliance supplement, issued by the Office of Management and Budget, that would evaluate institutional compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act. While the GLBA primarily regulates financial institutions, colleges and universities are subject to some of its provisions—including the Safeguards Rule—due to their involvement in financial lending activities.
The Safeguards Rule governs the protection of student financial information by requiring institutions to maintain data security and risk management plans, not only to prevent breaches from occurring but also to ensure quick action to mitigate damage should breaches occur. While schools must comply with the rule, the related proposed audit objective has yet to be officially implemented, and ED has never issued new guidance or documentation that would enable compliance with such an objective.
In a January 2018 update from the senior adviser for cybersecurity at Federal Student Aid, ED released a cybersecurity compliance FAQ, which reminded institutions that the Student Aid Internet Gateway Agreement requires that institutions “report actual data breaches, as well as suspected data breaches, on the day that a data breach is detected or even suspected.” The document further states, “ED has the authority to fine institutions—up to $54,789 per violation, per 34 C.F.R. § 36.2—that do not comply with the requirement to self-report data breaches.” The FAQ also reminds institutions that starting in FY18, they will be audited on effectiveness in securing student information. ED’s guidance, along with the FY18 audit language, is posted on its Cybersecurity Compliance Web page (https://ifap.ed.gov/eannouncements/Cyber.html), where additional resources are also available.
Advocacy in Progress
EDUCAUSE has responded to FSA’s latest compliance letters by sending a letter to newly appointed FSA Chief A. Wayne Johnson. In the letter, EDUCAUSE asserts its support of FSA’s attempts to develop and enforce data security regulations, but urges Federal Student Aid to work with the higher education community to develop a more reasonable and well-documented plan that addresses concerns about data privacy and, at the same time, is suitable for many different institution types. The letter also asks that FSA consider schools’ individual concerns about the private information they are being asked to provide to the department, without any guarantee of FSA’s own ability to keep this information secure and confidential.
NACUBO is supporting EDUCAUSE’s efforts in this space, and is working with its team to advocate for reasonable and established guidelines to ensure that student information is safeguarded at colleges and universities.
For more information and for compliance resources, visit www.nacubo.org and under the “Topics” tab click on “Other Business Areas” and then “Privacy and Intellectual Property.” EDUCAUSE also has an Information Security Guide that can be accessed on its website at https://tinyurl.com/ydh5xbmj.
NACUBO CONTACT Megan Schneider, assistant director of federal affairs, 202.861.2547.