What to Know About ED's New Stance on Data Breach Reporting
It's no longer optional for colleges and universities to report data breaches to the U.S. Department of Education — yet the agency has not clearly defined its expectations. Here's what institutions should be aware of.
Until recently, colleges and universities that experienced a data breach had no unique reporting obligations to the U.S. Department of Education. Institutions were expected to analyze security incidents under applicable federal and state laws and, when warranted, notify affected individuals and the relevant federal and state agencies. Because the Family Educational Rights and Privacy Act (FERPA) does not contain a breach reporting obligation, ED had taken the position that a report directly to ED was optional.
ED, however, has now changed its stance and has started levying Cleryesque fines — up to $56,789 per violation — against institutions that fail to report a data breach directly to ED. The importance of data security and the prevention of cybercrimes are unquestioned, but ED's new stance on breach reporting raises practical problems.
ED has taken an informal approach to notifying institutions about its new breach reporting expectations. Instead of publishing official guidance, ED is notifying institutions about the new obligations at Federal Student Aid conferences and via webinars (such as a Nov. 14, 2017 webinar). Attendees are taking the mandate back to their campuses, but the change is being met with resistance from administrators and practitioners, in large part because the new expectations contradict ED's previous written guidance in documents like the Data Breach Response Checklist published by ED's Privacy Technical Assistance Center in 2012 (which was still available on the PTAC's website as of the date this article was written). ED's informal approach to notification means that some institutions likely do not know that ED's reporting expectations have changed and, more importantly, that institutions will continue to be confused in 2018.
ED now asserts that institutions must report any "suspected" data breach on the day it is detected. ED has stated that the legal authority for the new reporting expectations is found in an institution's Federal Student Aid Program Participation Agreement (PPA) and its Student Aid Internet Gateway (SAIG) Agreement. Although institutions certify in their PPAs that they comply with the Gramm-Leach-Bliley Act (GLBA), and the SAIG Agreement requires institutions to report a security incident that involves a compromise of the "Electronic Services" used to administer Federal Student Aid, neither agreement (nor GLBA) states that an institution must report any "suspected" breach on the day it is detected. The current PPAs and SAIG Agreements do not appear to give ED the overarching authority to require institutions to report breaches that are not subject to GLBA or are otherwise unrelated to the administration of Federal Student Aid.
Indeed, the expectation of reporting a "suspected" breach is inconsistent with the framework of U.S. data privacy laws, including GLBA. For example, if a financial institution suspects that it has experienced a data security incident, GLBA requires the institution to conduct a reasonable investigation to promptly determine whether sensitive information has been or will be misused. The institution is only required to provide notice if, after that investigation, the notification standard has been triggered. GLBA also contemplates delaying notice if, after communicating with law enforcement, it is determined that sending the notice would hinder a criminal investigation. State data breach reporting statutes contemplate similar investigations and law enforcement delays. Prompt investigation of a security incident to determine whether sensitive information has been or will be misused is a fundamental principle of U.S. data privacy law, in line with the view that over-reporting innocuous incidents imposes unnecessary administrative burdens and is unlikely to reduce identity theft or other cybercrime.