Page 6 - Campus Technology, March/April 2018
DATA SECURITY
What to Know About ED’s New Stance on Data Breach Reporting
Sean D. Tassi
It’s no longer optional for colleges and universities to report data breaches to the U.S. Department of Education — yet the agency has not clearly defined its expectations. Here’s what institutions should be aware of.
UNTIL RECENTLY, colleges and universities that experienced a data breach had no unique reporting obligations to the U.S. Department of Education. Institutions were expected to analyze security incidents under applicable federal and state laws and, when appropriate, notify affected individuals and appropriate federal and state agencies. Because the Family Educational Rights and Privacy Act (FERPA) does not contain a breach reporting obligation, ED had taken the position that a report directly to ED was optional.
ED, however, has now changed its stance and has started levying Cleryesque fines — up to $56,789 per violation — against institutions that fail to report a data breach directly to ED. The importance of data security and the prevention of cybercrimes is unquestioned, but ED’s new stance on breach reporting raises practical problems.
ED has taken an informal approach to notifying institutions about its new breach reporting expectations. Instead of publishing official guidance, ED is notifying