February 22, 2020

February 21, 2020

Subscribe to Latest Legal News and Analysis

February 20, 2020

Subscribe to Latest Legal News and Analysis

ED Requires Higher Education Audits to Review GLBA Data Security Compliance

As discussed in a previous DBR on Data post, the U.S. Department of Education (“ED”) in recent years has repeatedly emphasized the importance of higher education institutions taking all appropriate measures to secure and protect their data systems and data from breaches and inadvertent disclosures. The threats to educational institutions’ data are real, recurring and well-documented. The University of Maryland reported in 2014 that a computer system breach compromised more than 300,000 personal records for faculty, staff and students. A private cybersecurity firm reported that Chinese hackers targeted research databases at more than two dozen universities in the 2017-18 timeframe. In 2019, applicants to Grinnell College, Hamilton College and Oberlin College discovered their admissions files were subject to a ransomware attack. These instances are just a few recent examples of significant data breaches in the education sector.

In Dear Colleague Letters GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), ED reminded higher education institutions of their data security obligations under the Gramm-Leach-Bliley Act (“GLBA”), and also that those obligations are incorporated into both the institution’s Title IV Federal Student Aid Program Participation Agreement and the related Student Aid Internet Gateway (SAIG) Enrollment Agreement. Those GLBA requirements include: (1) developing written information security protocols; (2) designating at least one information security program coordinator; (3) identifying and assessing risks to student information; and (4) choosing third-party servicers who maintain appropriate safeguards. The SAIG Enrollment Agreement further requires, among other things, institutions to ensure that “all users are aware of and comply with” requirements to protect and secure data received from ED sources (which inherently includes significant student financial data). ED thus requires institutions to not only have appropriate protocols and technological safeguards for their data systems, but to also engage in meaningful education, training, and access management among its personnel who handle institutional data.

The focus by ED on appropriate protocols, technology and training is supported by statistical findings, including the 2019 Verizon Data Breach Investigations Report determination that human errors account for 35% of data breaches in the education sector. Web application attacks – mostly phishing of cloud-based email servers – were the second highest cause, comprising roughly 25% of education sector data breaches. In particular, the education sector had the highest phishing click-through rate (reported from testing exercises) of any industry sector – 4.9%, as compared with 3% across all industries. These statistics also are consistent with the July 16, 2019 Financial Crimes Enforcement Network (“FinCEN”) advisory, which named colleges and universities among the top targets of business email compromise schemes. Where data security is concerned, the Verizon Report suggests that the education sector can significantly reduce its exposure by adopting relatively basic solutions; according to the Report, employee training to address human error and response to social engineering/phishing schemes, coupled with requiring baseline two-factor authentication to access internet facing-assets like email servers, could have prevented many of the reported breaches. However, data security preparedness should be scaled to the type of data involved. Though employee training and an industry-standard cybersecurity IT protocol may be sufficient to guard against theft of faculty and student personally identifying information, research universities that partner with private companies or the federal government may be the targets of more sophisticated attacks – including cyberespionage and attacks from hostile nation-states— that require enhanced cybersecurity measures.

Against this backdrop of continuing and expanding cybersecurity dangers, higher education institutions must now have GLBA compliance reviewed as part of their annual federal compliance audits submitted to ED. Specifically, under both the Office of Management and Budget’s 2019 Compliance Supplement for audits conducted under 2 CFR Part 200, Subpart F (applicable to nonprofit educational institutions) and ED’s Dear CPA Letter CPA-19-01 (applicable to proprietary educational institutions), a higher education institution’s independent audit must determine whether the institution has:

  • Designated an individual to coordinate the information security program;

  • Performed a risk assessment that addresses the three areas noted in 16 CFR 314.4(b), which are (i) employee training and management; (ii) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (iii) detecting, preventing and responding to attacks, intrusions, or other systems failures; and

  • Documented safeguards for identified risks.

Depending on an institution’s fiscal year end, these requirements have either taken effect during the current compliance audit cycle or will be effective with audits performed in calendar year 2020. Additionally, ED is frequently requesting institutional data security policies and protocols as part of federal student aid program reviews. Thus, all institutions of higher education should carefully review their data systems and practices for GLBA compliance.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Jonathan Tarnow, Education and Government affairs lawyer, Drinker Biddle
Partner

Jonathan D. Tarnow advises clients on a wide range of education law matters involving the U.S. Department of Education, accrediting bodies, state agencies and other government regulators. He has extensive experience advising public, non-profit and proprietary institutions of higher education on the statutory and regulatory requirements of federal student financial aid programs under Title IV of the Higher Education Act, and has represented institutions in Title IV compliance reviews and audits, including administrative hearings and appeals related to...

(202) 354-1357
Partner

Kristin Ann Shepard focuses on the defense of insurance companies and other financial institution clients in high-stakes litigation in state and federal trial and appellate courts. She has defended financial services companies in nationwide class actions, multidistrict litigation, and market conduct litigation, including underlying claims of consumer fraud, unfair insurance practices, RICO, and various common law torts. Kristin also has defended corporate-owned life insurance (COLI) carriers in litigation by policyholders and insureds, and advised clients on related tax matters.

In addition to her class action practice, Kristin has counseled clients in connection with market conduct exams and regulatory issues related to life insurance, annuities and lender-placed insurance, using her background as a litigator to help clients proactively identify and reduce litigation risk.

Kristin is a frequent writer and speaker on cutting-edge developments in class action law, including data breach class actions and cybersecurity litigation. She received 2017 and 2016 JD Supra Readers' Choice Awards as a Top Author for Class Action Defense.

202-230-5232