For several years, the Department of Education has published “Dear Colleague” letters (UBmag.me/1612) that make it clear that institutions of higher education accepting Title IV federal aid are expected to comply with federal cybersecurity regulations, such as the Gramm-Leach-Bliley Act and the Federal Trade Commission’s Red Flags Rule.
In late 2017, a cybersecurity senior advisor for the Federal Student Aid Office of the DOE began delivering a webinar titled “Postsecondary Institution Data Security Overview and Requirements” (a copy of the presentation slide deck is available at UBmag.me/dso).
One of the key regulations discussed in the webinar was the Gramm-Leach-Bliley Act, which was originally written with financial institutions in mind.
The DOE has made it clear that it considers higher education institutions using Title IV funding to be “financial institutions” that must comply.
Got a tech story to tell? Present at UBTech 2019.
Requirements include:
– developing, implementing and maintaining a documented data security program
– conducting ongoing cybersecurity awareness training for all employees
– identifying reasonably foreseeable data security risks via formal, documented assessments
– implementing safeguards and regularly testing their effectiveness
While these requirements are commonsense practices, it is important for schools to right-size measures to the complexity of their information technology environments. It is too easy for these efforts to become burdensome.
In the webinar, the DOE recommends that institutions use a free tool from the Federal Financial Institutions Examination Council to self-audit, and then use the results to better prepare (UBmag.me/cam). This tool includes an “inherent risk profiler” that will help schools determine what steps to take across the five cybersecurity domains that the tool is organized around.
Once a school determines the level of sophistication required for its cyberdefenses, the audit questions for each domain can be considered benchmarks.
For example, schools of mid-level risk will want to meet all the “baseline” requirements for each domain, most or all of the “evolving” requirements, and, ideally, some of the “intermediate” and “advanced” requirements.
Breach-reporting controversy
The webinar’s requirements for reporting security breaches alarmed some leaders in the higher ed world. Reporting is expected—for detected or even just suspected breaches—on the day an event is discovered.
Additionally, the breach-reporting requirements are onerous due to their broad definition and highly punitive nature. According to the Gramm-Leach-Bliley Act, a breach is “any unauthorized disclosure, misuse, alteration, destruction or other compromise of information.”
Schools not promptly reporting breaches—even just suspected breaches—may face fines exceeding $50,000 for each violation.
These breach-reporting requirements have, not surprisingly, been controversial. In fact, the DOE notified a number of college and university presidents late in 2017 that they had failed to adequately report breaches because some hacked faculty email accounts were reported to have been found on non-college-related sites.
Educause became aware of this and stepped in with a 12-page letter reviewing specifically what the DOE guidance and related laws do and do not say about this (UBmag.me/brc). The organization argued that the DOE had overstepped its bounds, and should work to define what a breach is and provide realistic reporting guidelines. The DOE has not responded to this.
Regardless of breach-reporting practices, colleges and universities would do well to step up their cybersecurity governance. It is everyone’s responsibility to help protect student data and their school’s reputation as an overseer of sensitive personal information.
Kelly Walsh is CIO at the College of Westchester in New York.
