Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs.

Tiina Rodrigue, Senior Advisor for Cybersecurity, Federal Student Aid, has cautioned that even a theoretically minor breach can trigger strict reporting requirements. “If you have an unauthorized disclosure or something happened to even one record it’s reportable,” she said during a recent webinar on the topic. “It doesn’t matter if it’s a digital record [or] a paper record. It’s reportable because data is data in whatever state it lives.”

ED requires educational institutions to adopt “reasonable safeguards” to protect data from falling into the wrong hands. To this end, institutions typically enter into a Student Aid Internet Gateway (SAIG) Enrollment Agreement, which require that an unauthorized disclosure or breach of sensitive information be “immediately” reported to ED. According to Rodrigue, reports must be made directly to ED and should include information such as breach impact method and remediation status. This information can also be reported by phone to the Education Security Operation Center, or EDSOC, or directly on the ED website.

Rodrigue’s statements provide the most recent public statement of ED’s regulatory expectations. Educational institutions are already subject to Title IV of the Higher Education Act, the Family Educational Rights and Privacy Act (FERPA), the Privacy Act of 1974, state data breach and privacy laws, among others. However, as ED acknowledges in its Data Breach Response Checklist, FERPA does not “require” an institution to inform ED of a data security breach.

The cost of not reporting a breach in view of this new guidance carries stiff penalties. Educational institutions may be deemed “administratively incapable,” or unable to properly administer Title IV funds. Rodrigue warned that ED has the “authority to fine institutions [and] to remove Title IV aid.” Institutions that ignore their reporting obligations face fines of up to $54,789 per violation regulations such as 34 C.F.R. § 36.2. Rigorous enforcement of the data security laws through audit and penalties underscores the need for Title IV stakeholders to establish infrastructure for prompt detection and reporting of actual and potential breaches.

We will continue to monitor developments in this area.