Most institutions of higher education are very familiar with the Family Educational Rights Protection Act (FERPA), which applies to all state and local, public and private educational institutions that receive federal funds through programs administered by the U.S. Department of Education (ED). Unless at least one of FERPA’s exceptions applies, institutions risk sanctions from ED – including the potential loss of all federal funding – if they disclose a student’s personally identifiable information (PII) from an education record without the student’s express prior written consent. Beyond FERPA, higher education institutions have additional legal responsibilities to assiduously secure and protect student data from inadvertent disclosure, particularly financial information maintained by an institution regarding students or their families.
ED has repeatedly emphasized these broad obligations, including in Dear Colleague Letters GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), which outline institutional obligations under the Gramm-Leach-Bliley Act (GLBA). The GLBA applies to financial services organizations, which include postsecondary educational institutions. For institutions of higher education that participate in the federal student financial aid programs, which includes the vast majority of postsecondary institutions in the United States and certain eligible foreign institutions, the applicability of GLBA requirements is expressly referenced in the institution’s Program Participation Agreement (PPA) with ED. The GLBA mandates multiple precautions from each institution, including:
- Developing written information security protocols;
- Designating at least one information security program coordinator;
- Identifying and assessing risks to student information; and
- Choosing third-party servicers who maintain appropriate safeguards.
To monitor a postsecondary institution’s incorporation of these requirements into its operations, ED includes these requirements among the areas that must be reviewed as part of an institution’s annual compliance audit for continued participation in the federal student financial aid programs. The responsibility to safeguard student data is further reflected in the Student Aid Internet Gateway (SAIG) Enrollment Agreement between an institution and ED, under which the institution must ensure that “all users are aware of and comply with” requirements to protect and secure data received from ED sources (which inherently includes significant student financial data). The SAIG Enrollment Agreement thereby requires institutions to engage in meaningful education, training, and access management among its personnel who deal with student data.
Recognizing that many institutions are less familiar with GLBA requirements than they are with FERPA, the Dear Colleague Letters from ED “strongly encourage” schools to review a key document from the National Institute of Standards and Technology (NIST), Special Publication 800-171, which cites specific ways to handle controlled, unclassified information such as students’ PII. By following the recommendations set forth in NIST SP 800-171, institutions can take a substantial step toward eliminating gaps in their information security program. ED also has indicated that these NIST standards are a key model of cybersecurity compliance, and that institutions should design their information security programs around its requirements.
ED has stated publicly, including at its annual FSA Training Conference for Financial Aid Professionals, that it will increase its oversight of postsecondary institutions for compliance with GLBA requirements. All institutions of higher education should review their student information management systems to ensure that adequate security protocols and training are both presently in place and continuously monitored for ongoing effectiveness.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.