The Federal Student Aid (FSA) division of the Department of Education has taken the unorthodox step of sending breach notification and information security reporting compliance letters to colleges and universities, based on unconfirmed reports of student information data breaches. Many of these letters were sent directly to presidents and chancellors, without FSA first communicating with designated institutional contacts as laid out in agreements between FSA and the contacted schools. In some cases, the compliance letters are based solely on media reports of suspected breaches without FSA first confirming the veracity of the breach.
These letters, copies of which have been made available by EDUCAUSE, range in tone from asserting various reporting requirements that institutions must ostensibly comply with based on actual or suspected data breaches, to reprimanding schools for alleged failures in self-reporting breaches to FSA. Additionally, FSA's self-described authority to regulate in this area is based on contractual provisions in its Program Participation and Student Aid Information Gateway agreements, as opposed to law or regulation, so it's unclear whether authority actually exists for FSA to regulate in this space.
As NACUBO reported last April, the FSA expressed interest at that time in adding an audit objective that would evaluate institutional compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act, which also deals with protecting student information through information security and risk management plans. The audit has yet to be officially implemented and no guidance or documentation was ever issued by ED that would enable compliance with such an audit objective.
EDUCAUSE has responded to these latest compliance letters by sending a letter to newly appointed FSA Chief Operating Officer A. Wayne Johnson. In the letter, EDUCAUSE asserts its support of FSA's attempts to develop and enforce data security regulations, but urges the department to work with EDUCAUSE and other higher education associations to develop a more reasonable and well-documented plan to address FSA's concerns, as well as address trepidation about the information institutions are being asked to provide to FSA, without any guarantee of FSA's ability to keep this information secure and confidential.
NACUBO supports EDUCAUSE's efforts and is working with their team to advocate for reasonable and established guidelines to ensure student information is safeguarded at colleges and universities. A number of compliance resources are listed on NACUBO's website, and we also encourage institutions to utilize EDUCAUSE's Cybersecurity and Privacy Guide.