Data security breaches are an unfortunate reality for almost all businesses in today’s information-driven marketplace. From Target, to Home Depot, to Equifax, data breaches are increasingly common and potentially devastating for businesses and their customers. But data breaches are not limited to traditional businesses. Any entity that collects, holds, or uses personal information, and in particular, personal financial information, faces risks from data breaches.
One group that may not fully appreciate these risks are institutions of higher education. Most schools may be familiar with the data security and privacy requirements of the Family Educational Rights and Privacy Act (FERPA). But for schools that participate in the Federal Title IV Educational Assistance Programs, there may be additional data security and privacy requirements they should be aware of.
One such law, the Gramm-Leach-Bliley Act (GLBA), applies to “financial institutions.” While these “financial institutions” would include traditional banks, credit unions, and savings and loans, the law’s definition of “financial institution” encompasses all entities that are “significantly engaged” in providing financial products or services — including student loans. Failure to comply with GLBA’s privacy and security requirements can subject schools to GLBA penalties. But potentially more importantly, where Title IV schools suffer cybersecurity breaches or are found to be deficient in cybersecurity protections, the Department of Education has made clear that such schools may face restrictions on Title IV funding, including a complete loss of eligibility.
What do Title IV schools need to know?
The Department of Education has made clear that Title IV schools must comply with cybersecurity regulations — including those found in GLBA. The Department has begun the process of incorporating GLBA security controls into its Annual Audit Guide and will soon require evidence of compliance with GLBA as part of schools’ annual student aid compliance audit.
Thus, at a minimum, Title IV schools must understand the requirements of GLBA and ensure compliance with those requirements. GLBA requires Title IV schools to take specific actions in order to protect personal information in their possession. One such action is that schools must develop their own cybersecurity programs. While no set of guidelines could cover every organization’s specific needs, the Department of Education has issued some guidelines that should be considered with the development of every cybersecurity program. These requirements include:
- Assessing the personal information collected, stored, accessed, used, and transmitted by the Title IV school. This assessment should include not just the school, but any and all vendors, contractors, and other third parties that provide personal information to or, as part of their services for the school, have access to, personal information entrusted to the school.
- Appointing an employee or set of employees to manage the school’s cybersecurity program. This person does not have to be a new hire, and may have other responsibilities at the school, but they need to be the point of contact and have ultimate responsibility for running and managing the cybersecurity program.
- Implementing physical and technical safeguards for all personal information in the school’s possession. This would include not just IT features like firewalls, but would encompass limiting access to secure areas (both on the system and in physical facilities) with passcodes and security cards as well as making sure that only those employees, vendors, or staff with a legitimate need have access to the school’s personal information.
- Developing written policies and procedures to govern the handling, management, and transmission of the school’s personal information. Along with the policies, the school must make sure that its employees, and any third parties like vendors or contractors, are made aware of the policies and procedures, trained on them, and appropriately disciplined if they are not followed.
- Auditing the school’s technical, physical, and procedural protections to make sure that they are performing as expected and making adjustments to any protections that are not performing as expected.
- Ensuring that vendors, contractors, consultants, and other service providers who have access to sensitive information are subject to the requirements of the cybersecurity policy and are contractually bound to protect sensitive information.
In addition to developing a cybersecurity program, it is important for schools to properly train their employees, managers, staff, and vendors on their cybersecurity programs. The most thorough and well thought out cybersecurity program is meaningless if it is deployed without the full support of the organization.
The people required to implement, manage, and maintain that program must understand it, appreciate its importance, and be properly incentivized to follow and adhere to it. Management must make sure that violations of the program are addressed appropriately. Vendors who do not want to comply or choose not to comply with the program must be dropped. Training must be held on a reoccurring basis — not just when employees are hired. Employees and management alike must understand how the cybersecurity program works, their role in the program, and how they can help improve the program over time.
For additional insight and tips regarding cybersecurity, please see this overview, “Cybersecurity for Title IV Schools,” from the Department of Education’s Office of the Inspector General.
Jason Schwent is an attorney in Thompson Coburn’s Cybersecurity group. Aaron Lacey is a partner in Thompson Coburn’s Higher Education practice, and editorial director of REGucation, the firm’s higher education blog.