The Federal Student Aid (FSA) division of the Department of Education has taken the unorthodox step of sending breach notification and information security reporting compliance letters to colleges and universities, based on unconfirmed reports of student information data breaches. Many of these letters were sent directly to presidents and chancellors, without FSA first communicating with designated institutional contacts as laid out in agreements between FSA and the contacted schools. In some cases, the compliance letters are based solely on media reports of suspected breaches without FSA first confirming the veracity of the breach.

These letters, copies of which have been made available by EDUCAUSE, range in tone from asserting various reporting requirements that institutions must ostensibly comply with based on actual or suspected data breaches, to reprimanding schools for alleged failures in self-reporting breaches to FSA. Additionally, FSA's self-described authority to regulate in this area is based on contractual provisions in its Program Participation and Student Aid Information Gateway agreements, as opposed to law or regulation, so it's unclear whether authority actually exists for FSA to regulate in this space.

As NACUBO reported last April, the FSA expressed interest at that time in adding an audit objective that would evaluate institutional compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act, which also deals with protecting student information through information security and risk management plans. The audit has yet to be officially implemented and no guidance or documentation was ever issued by ED that would enable compliance with such an audit objective.

EDUCAUSE has responded to these latest compliance letters by sending a letter to newly appointed FSA Chief Operating Officer A. Wayne Johnson. In the letter, EDUCAUSE asserts its support of FSA's attempts to develop and enforce data security regulations, but urges the department to work with EDUCAUSE and other higher education associations to develop a more reasonable and well-documented plan to address FSA's concerns, as well as address trepidation about the information institutions are being asked to provide to FSA, without any guarantee of FSA's ability to keep this information secure and confidential.

NACUBO supports EDUCAUSE's efforts and is working with its team to advocate for reasonable, established guidelines that ensure student information is safeguarded at colleges and universities. A number of compliance resources are listed on NACUBO's website, and we also encourage institutions to use EDUCAUSE's Cybersecurity and Privacy Guide.


Liz Clark

Vice President, Policy and Research
