Page 8 - Campus Technology, March/April 2018
DATA SECURITY
ED with the overarching authority to require institutions to report breaches that are not subject to GLBA or otherwise unrelated to the administration of Federal Student Aid.
Indeed, the expectation of reporting a “suspected” breach is inconsistent with the framework of U.S. data privacy laws, including GLBA. For example, if a financial institution suspects that it has experienced a data security incident, GLBA requires the institution to conduct a reasonable investigation to promptly determine whether sensitive information has been or will be misused. The institution is only required to provide notice if, after the investigation, the standard has been triggered. GLBA also contemplates delaying notice if, after communicating with local law enforcement agencies, it is determined that sending the notice will hinder the agency’s criminal investigation. State data breach reporting statutes contemplate similar investigations and law enforcement delays. Prompt investigation of a security incident to determine whether sensitive information has been or will be misused is a fundamental principle of U.S. data privacy laws — in line with the notion that over-reporting innocuous incidents imposes unnecessary administrative burdens and is unlikely to decrease identity theft or other cybercrimes.
ED has also not expressly defined what information it considers sensitive and, when a breach occurs, what triggers notification obligations. ED’s presentations generally reference personally identifiable information, creating ambiguity because PII has very specific meanings under different laws. Expressly defining the universe of sensitive information that could trigger a reporting obligation is an integral part of any reporting framework. Institutions store vast amounts of information, but only a subset of that information would be considered sensitive information protected by GLBA and other non-educational-specific data privacy laws: e.g., files containing account numbers, social security numbers, governmental IDs and healthcare information.
However, many innocuous documents not protected by GLBA or those other data privacy laws would be considered “education records” under FERPA. And education records that do not contain sensitive information, if accessed improperly, do not justify reporting to a government agency because unauthorized access will not lead to identity theft or other cybercrimes. Moreover, education records that do contain sensitive information are already protected under other federal and state privacy laws.
ED and institutions enter into PPAs and SAIG Agreements to govern the administration of Federal Student Aid. According to ED’s website, the Office of Federal Student Aid awards more than $120 billion dollars a year in grants, work-study funds and loans. With such large amounts of money at stake, cybercriminals have and will continue to target the Federal Student Aid system (and too-often under-protected college and university systems). Preventing cybercrimes that relate to Federal Student Aid should be a top priority for ED and institutions alike, and reporting breaches directly to ED that relate specifically to the administration of Federal Student Aid makes good sense. ED’s reporting expectations should, however, be expressly defined, rooted in proper jurisdiction and formally announced. Until then, colleges and universities will continue to be confused about what to do in the event of a breach.
Sean D. Tassi is a partner at Husch Blackwell LLP, an industry-focused litigation and business law firm with offices across the U.S.