
DOE Imposes Data Security Requirements on Colleges and Universities

August 16, 2017

Do you have a written data security program in place to meet federal requirements?

By Devin Chwastyk, CIPP/US and Alexandra Snell*

In the last year, the Department of Education (DOE) released guidance in the form of a “Dear Colleague” letter emphasizing the importance of data security for higher education institutions.  The letter makes clear that the DOE intends to hold colleges and universities to the data security standards of the Gramm-Leach-Bliley Act (GLBA).  The GLBA is the federal law that governs financial institutions and their collection and use of private and personally-identifiable information.  Under its Safeguards Rule, the Act requires these institutions to develop written security programs, and under its Privacy Rule it requires them to disclose their privacy practices to customers.

As applied by DOE, the GLBA requires colleges and universities to, among other things:

  • Develop, implement, and maintain a written information security program;
  • Designate the employee(s) responsible for coordinating the information security program;
  • Identify and assess risks to stored customer information, including student financial aid information;
  • Design and implement safeguards to control the identified risks, and regularly test or monitor their effectiveness;
  • Oversee service providers by selecting those capable of maintaining appropriate safeguards and requiring them by contract to do so; and
  • Periodically evaluate and update the security program in light of testing results and changes in operations or threats.

The DOE specifically instructed that:

Presidents and Chief Information Officers of institutions should have, at a minimum, evaluated and documented their current security posture against the requirements of GLBA and have taken immediate action to remediate any identified deficiencies. 

Institutions that participate in the federal Title IV student aid programs are subject to the GLBA by virtue of their participation agreements, and so the DOE is expected to audit institutions for compliance.

Information breaches and cybersecurity threats are growing concerns as more and more records are kept online.  Higher-education institutions feel this pressure acutely, because most student financial-aid information is stored electronically.  In 2014, for example, the University of Maryland suffered a breach of roughly 300,000 records containing names, birth dates, and Social Security numbers.  Institutions like Penn State and Harvard have also been recent targets, causing many to question whether colleges and universities are taking sufficient steps to protect student financial information.

The “Dear Colleague” letter was issued to emphasize that educational institutions must protect student information used in Title IV financial aid programs.  An institution’s Title IV Program Participation Agreement mandates compliance with the GLBA.

The GLBA requirements will be reflected in the DOE’s Annual Audit Guide.  The DOE will use the annual audit to assess how institutions protect financial aid information, and auditors will expect to see, and will examine, documentary evidence of compliance with the Act, such as the written information security program, risk assessments, and service-provider contracts.

In addition to the GLBA requirements, the DOE strongly encourages institutions to comply with the National Institute of Standards and Technology (NIST) standards.  NIST Special Publication 800-171, published in June 2015, sets out recognized security requirements for protecting “controlled unclassified information” in nonfederal information systems.  Student financial aid information should be protected by controls sufficient to meet those NIST requirements.

The policies and procedures mandated by the GLBA and recommended in the NIST standards can be an overwhelming burden for many institutions.  The DOE acknowledges the investment and effort required to meet these security standards, but emphasizes that it is “imperative” that schools’ cybersecurity efforts keep pace with the evolving threats to students’ private information.

McNees’s Privacy & Data Security team can help your institution implement a comprehensive privacy and data security program that meets DOE, GLBA, and all other applicable legal requirements.

*Alexandra Snell was a 2017 McNees Summer Associate

© 2017 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.