DOE Imposes Data Security Requirements on Colleges and Universities

McNees Wallace & Nurick LLC
Do you have a written data security program in place to meet federal requirements?

In the last year, the Department of Education (DOE) released guidance in the form of a “Dear Colleague” letter emphasizing the importance of data security for higher education institutions. The letter signals the DOE’s intention to regulate data security practices at colleges and universities under the standards of the Gramm-Leach-Bliley Act (GLBA). The GLBA is the federal law that governs financial institutions and their collection and use of private and personally identifiable information. The Act requires these institutions to develop security programs and to disclose their privacy practices to customers.

As applied by DOE, the GLBA requires colleges and universities to, among other things:

  • Develop, implement, and maintain a written information security program;
  • Designate the employee(s) responsible for coordinating the information security program;
  • Identify and assess risks to stored information;
  • Design and implement an information safeguards program;
  • Select appropriate service providers that are capable of maintaining appropriate safeguards; and
  • Periodically evaluate and update their security program.

The DOE specifically instructed that:

Presidents and Chief Information Officers of institutions should have, at a minimum, evaluated and documented their current security posture against the requirements of GLBA and have taken immediate action to remediate any identified deficiencies. 

Participation in the federal Title IV program makes institutions subject to the GLBA, and the DOE is therefore expected to audit institutions to ensure compliance.

Information breaches and cybersecurity threats are growing concerns as online recordkeeping continues to expand. Higher-education institutions are feeling this pressure, as most student financial-aid information is stored electronically. In 2014, for example, the University of Maryland experienced a security breach of 300,000 records containing names, birth dates, and Social Security numbers. Institutions like Penn State and Harvard have also been recent targets, causing many to question whether colleges and universities are taking sufficient steps to protect student financial information.

The “Dear Colleague” letter was issued to emphasize that educational institutions must protect student information used in Title IV financial aid programs.  An institution’s Title IV Program Participation Agreement mandates compliance with the GLBA.

The GLBA requirements will be reflected in the DOE’s Annual Audit Guide.  The DOE will use its annual audit to assess financial aid information protection, and it will expect and examine evidence of institutions’ compliance with the Act.

In addition to the GLBA requirements, the DOE strongly encourages institutions to comply with National Institute of Standards and Technology (NIST) standards. NIST Special Publication 800-171, published in June 2015, presents recognized security standards for the protection of “controlled unclassified information.” Student financial aid information should be protected by information security controls sufficient to meet the NIST standards.

The policies and procedures mandated by the GLBA and recommended by NIST can be an overwhelming burden for many institutions. The DOE acknowledges the investment and effort required to meet these security standards, but emphasizes that it is “imperative” that schools’ cybersecurity efforts keep pace with the evolving threats to students’ private information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising
