ED Requires Higher Education Audits to Review GLBA Data Security Compliance
As discussed in a previous DBR on Data post, the U.S. Department of Education (“ED”) in recent years has repeatedly emphasized the importance of higher education institutions taking all appropriate measures to secure and protect their data systems and data from breaches and inadvertent disclosures. The threats to educational institutions’ data are real, recurring and well-documented. The University of Maryland reported in 2014 that a computer system breach compromised more than 300,000 personal records for faculty, staff and students. A private cybersecurity firm reported that Chinese hackers targeted research databases at more than two dozen universities in the 2017-18 timeframe. In 2019, applicants to Grinnell College, Hamilton College and Oberlin College discovered their admissions files were subject to a ransomware attack. These instances are just a few recent examples of significant data breaches in the education sector.
In Dear Colleague Letters GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), ED reminded higher education institutions of their data security obligations under the Gramm-Leach-Bliley Act (“GLBA”), and also that those obligations are incorporated into both the institution’s Title IV Federal Student Aid Program Participation Agreement and the related Student Aid Internet Gateway (SAIG) Enrollment Agreement. Those GLBA requirements include: (1) developing written information security protocols; (2) designating at least one information security program coordinator; (3) identifying and assessing risks to student information; and (4) choosing third-party servicers who maintain appropriate safeguards. The SAIG Enrollment Agreement further requires, among other things, institutions to ensure that “all users are aware of and comply with” requirements to protect and secure data received from ED sources (which inherently includes significant student financial data). ED thus requires institutions to not only have appropriate protocols and technological safeguards for their data systems, but to also engage in meaningful education, training, and access management among its personnel who handle institutional data.
The focus by ED on appropriate protocols, technology and training is supported by statistical findings, including the 2019 Verizon Data Breach Investigations Report determination that human errors account for 35% of data breaches in the education sector. Web application attacks – mostly phishing of cloud-based email servers – were the second highest cause, comprising roughly 25% of education sector data breaches. In particular, the education sector had the highest phishing click-through rate (reported from testing exercises) of any industry sector – 4.9%, as compared with 3% across all industries. These statistics also are consistent with the July 16, 2019 Financial Crimes Enforcement Network (“FinCEN”) advisory, which named colleges and universities among the top targets of business email compromise schemes. Where data security is concerned, the Verizon Report suggests that the education sector can significantly reduce its exposure by adopting relatively basic solutions; according to the Report, employee training to address human error and response to social engineering/phishing schemes, coupled with requiring baseline two-factor authentication to access internet facing-assets like email servers, could have prevented many of the reported breaches. However, data security preparedness should be scaled to the type of data involved. Though employee training and an industry-standard cybersecurity IT protocol may be sufficient to guard against theft of faculty and student personally identifying information, research universities that partner with private companies or the federal government may be the targets of more sophisticated attacks – including cyberespionage and attacks from hostile nation-states— that require enhanced cybersecurity measures.
Against this backdrop of continuing and expanding cybersecurity dangers, higher education institutions must now have GLBA compliance reviewed as part of their annual federal compliance audits submitted to ED. Specifically, under both the Office of Management and Budget’s 2019 Compliance Supplement for audits conducted under 2 CFR Part 200, Subpart F (applicable to nonprofit educational institutions) and ED’s Dear CPA Letter CPA-19-01 (applicable to proprietary educational institutions), a higher education institution’s independent audit must determine whether the institution has:
Designated an individual to coordinate the information security program;
Performed a risk assessment that addresses the three areas noted in 16 CFR 314.4(b), which are (i) employee training and management; (ii) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (iii) detecting, preventing and responding to attacks, intrusions, or other systems failures; and
Documented safeguards for identified risks.
Depending on an institution’s fiscal year end, these requirements have either taken effect during the current compliance audit cycle or will be effective with audits performed in calendar year 2020. Additionally, ED is frequently requesting institutional data security policies and protocols as part of federal student aid program reviews. Thus, all institutions of higher education should carefully review their data systems and practices for GLBA compliance.