On December 9, 2021, the FTC published a final rule amending the requirements for safeguarding customer information under the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule has long established cybersecurity standards under which customer information must be maintained by financial institutions, which include all higher education institution that participate in the federal student financial aid programs authorized by Title IV of the Higher Education Act of 1965, as amended.
On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) issued an updated version of its “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the Joint Guidance, available here). Educational institutions at both the K-12 and postsecondary level can be subject to FERPA or HIPAA, and in certain circumstances, both. The Joint Guidance, which was first issued in November 2008 and has not been previously updated, seeks to assist educational institution administrators, health care professionals, and others in navigating what can be a complex intersection between FERPA and HIPAA as applied to health-related records maintained on students. It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA or without authorization under the HIPAA Privacy Rule, especially when those disclosures are related to emergency health or safety situations.
As discussed in a previous DBR on Data post, the U.S. Department of Education (“ED”) in recent years has repeatedly emphasized the importance of higher education institutions taking all appropriate measures to secure and protect their data systems and data from breaches and inadvertent disclosures. The threats to educational institutions’ data are real, recurring and well-documented. The University of Maryland reported in 2014 that a computer system breach compromised more than 300,000 personal records for faculty, staff and students. A private cybersecurity firm reported that Chinese hackers targeted research databases at more than two dozen universities in the 2017-18 timeframe. In 2019, applicants to Grinnell College, Hamilton College and Oberlin College discovered their admissions files were subject to a ransomware attack. These instances are just a few recent examples of significant data breaches in the education sector.
On February 5, 2019, the U.S. Department of Education (ED) released new and important regulatory guidance entitled “School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act.” This guidance document was prepared and issued in response to the December 2018 final report of the Federal Commission on School Safety (the Commission), which was established following the February 2018 shooting at Marjory Stoneman Douglas High School in Parkland, Florida. Among the findings of that final report was the following, which concerns threat assessment efforts in the nation’s schools:
Acknowledging that schools have “long been targets for cyber thieves,” the Federal Student Aid Office (FSA) of the U.S. Department of Education (ED) posted an alert on October 16, warning school districts and other educational institutions of criminal extortion schemes threatening to release sensitive student data. Recent, similar cyberattacks in Montana and Iowa are being investigated by the FBI.
The Federal Trade Commission (FTC) and the U.S. Department of Education (ED) will co-host a live workshop on December 1, 2017 highlighting two intersecting regulatory regimes: the FTC’s rules implementing the Children’s Online Privacy Protection Act (COPPA), which applies to K-12 schools and to children under the age of 13, and the simultaneous application of the Family Education Rights and Privacy Act (FERPA), which also applies to schools and is administered by ED.