Cyberattacks on colleges and universities have been on the rise for years, and this trend will likely continue in 2025. In response, we can expect to see a number of new data privacy and security developments that will impact higher education in the new year.
So, as industry leaders start putting their resolutions into practice this month, here are a few more worth adding to the list.
Increase data transparency
In 2025, colleges and universities will likely need to respond to growing demands around data transparency. The Family Educational Rights and Privacy Act (FERPA) currently requires universities to provide students with certain rights over their educational data, but several states have taken it a step further and also imposed restrictions on how institutions can track, manage, and use that data, and more states are likely to jump on that bandwagon.
California and Colorado already require universities to track and document their data, and such data mapping requirements are likely to become a standard practice in the near future. Regardless of the law, establishing an effective privacy governance program is key to ensuring compliance, curbing cyberattacks and limiting liability should a breach occur.
Grant students more autonomy over their personally identifiable information
In 2025, universities will be encouraged, if not required, to give students more autonomy over their personally identifiable information. In fact, this is already happening. In the European Union, universities must let students request a copy of their data, and some states (like Maryland) allow students to request to have their data deleted in certain cases.
All of this comes amid a growing demand for increased data autonomy. A 2021 survey by Cornell University found that nearly three-fourths of students believe they should have the right to control how colleges use their data.
Pay attention to third parties
As more students demand control over their own data, they may also want visibility into how their data is shared with third parties. Going forward, universities may be expected to disclose which vendors are involved in collecting, storing or using students’ PII.
In Maryland, third parties that work with universities are required to abide by the institution’s cybersecurity policies. Though not a federal requirement (yet), other states could pass similar laws in 2025 to ensure all student data is protected and handled in the same manner.
Implement robust cyber controls and incident response planning
With higher education already being one of the most heavily targeted sectors for cyberattacks, universities will need to focus on boosting their security controls in the new year. As the frequency and sophistication of attacks increase, more institutions should invest in mechanisms like encryption, access controls and threat detection to reduce the likelihood of an incident.
Additionally, universities should prioritize developing a comprehensive incident response plan and leveraging automated tools that can address threats in real time.
Prepare for new reporting requirements
With no federal mandate requiring universities to report cyber incidents, growing concerns over data breaches could bring more state or industry-specific regulations in 2025. Currently, FERPA does not explicitly require breach notification, but certain states and the European Union mandate that universities inform students if their data was involved in a breach (in the EU, serious breaches must be reported within 72 hours of discovery). As breaches continue to occur, regulatory bodies will likely enact new reporting requirements.
Keeping your resolutions
With the new year in full swing, university leaders should keep to these resolutions to stay ahead of cyber threats and evolving regulatory requirements. Even though cyberattacks remain prevalent in the higher education sector, taking the right steps will help prepare your institution for success in 2025 and beyond.