Written By: Therese King Nohos
On February 28, 2020, the Department of Education’s Office of Federal Student Aid published new guidance on how auditors should evaluate data security compliance at colleges and universities. This article is the first in a series of five on how to avoid an adverse audit finding regarding data security and related issues. Avoiding an adverse finding is critical as compliance failures can come with stiff penalties, such as a fine of up to $58,328 for failure to timely report a data breach. It also can result in a referral to the FSA’s Cybersecurity Team for evaluation of an institution’s administrative capability, and a referral to the Federal Trade Commission for possible enforcement action.
When we think of data security on campus, the Family Educational Rights and Privacy Act, or FERPA, immediately comes to mind for many of us. Campuses may be less familiar with the Gramm-Leach-Bliley Act, or GLBA, enacted in 1999, and for good reason: it applies only to “financial institutions.” Although the law has been on the books for about two decades, ED only recently issued “reminders” that institutions of higher education are considered “financial institutions” for purposes of GLBA, and announced its intent to begin enforcing GLBA’s requirements in concert with the Federal Trade Commission, which is responsible for certain GLBA enforcement activities.
Relevant to colleges and universities, the FTC’s GLBA data security regulations (the Safeguards Rule, 16 C.F.R. Part 314) focus on three main areas:
- training and managing employees;
- developing sound information systems to safeguard consumer information, including its processing, storage, transmission and disposal; and
- detecting, preventing and responding to data breaches.
Importantly, institutions must document their efforts to identify risks and corresponding safeguards regarding each of the three main areas. Simply taking a “wait-and-hope-we-don’t-have-a-breach” approach will not suffice.
Here are the steps colleges and universities can take toward a clean audit.
First, designate a qualified individual to coordinate the institution’s information security program (if one is not already in place) and ensure that employees with access to consumer information are appropriately qualified and trained.
Second, perform a risk assessment covering each of the three areas above and document the assessment for the auditor’s review.
Third, identify safeguards for every risk identified, such as:
- identifying service providers who possess, receive or transmit consumer information and contractually requiring them to adopt the same data security measures as the institution;
- developing a written data incident response plan;
- evaluating existing insurance coverage to determine if it is adequate to cover a breach and incident response costs.
Bonus: while the audit guidance is focused on data security, the GLBA has consumer disclosure requirements as well. Institutions should become familiar with those requirements and ensure that they are met.
Parts 2 to 5 of this article series will flesh out each of the above steps in detail.
Therese King Nohos is a member of Rathje Woodward’s Higher Education team. She counsels colleges and universities on regulatory compliance, conducts internal investigations on their behalf and defends them in litigation, including claims involving civil rights, consumer fraud, and breach of contract.