What to Know About ED's New Stance on Data Breach Reporting
ED has also not expressly defined what information it considers sensitive or, when a breach occurs, what triggers notification obligations. ED's presentations generally reference "personally identifiable information," which creates ambiguity because PII is defined differently under different laws. Expressly defining the universe of sensitive information that could trigger a reporting obligation is an integral part of any reporting framework. Institutions store vast amounts of information, but only a subset of it would be considered sensitive information protected by GLBA and other data privacy laws that are not specific to education: e.g., files containing account numbers, Social Security numbers, government-issued IDs and healthcare information.
However, many innocuous documents not protected by GLBA or those other data privacy laws would be considered "education records" under FERPA. And education records that do not contain sensitive information, if accessed improperly, do not justify reporting to a government agency because unauthorized access will not lead to identity theft or other cybercrimes. Moreover, education records that do contain sensitive information are already protected under other federal and state privacy laws.
ED and institutions enter into PPAs and SAIG Agreements to govern the administration of Federal Student Aid. According to ED's website, the Office of Federal Student Aid awards more than $120 billion a year in grants, work-study funds and loans. With such large amounts of money at stake, cybercriminals have targeted and will continue to target the Federal Student Aid system (and the too-often under-protected college and university systems connected to it). Preventing cybercrimes that relate to Federal Student Aid should be a top priority for ED and institutions alike, and reporting breaches that relate specifically to the administration of Federal Student Aid directly to ED makes good sense. ED's reporting expectations should, however, be expressly defined, rooted in proper jurisdiction and formally announced. Until then, colleges and universities will continue to be confused about ED's new reporting expectations.
About the Author
Sean D. Tassi is a partner at Husch Blackwell LLP, an industry-focused litigation and business law firm with offices across the U.S.