What to Know About ED's New Stance on Data Breach Reporting
It's no longer optional for colleges and universities to report data breaches to the U.S. Department of Education â yet the agency has not clearly defined its expectations. Here's what institutions should be aware of.
Until recently, colleges and universities that experienced a data breach had no unique reporting obligations to the U.S. Department of Education. Institutions were expected to analyze security incidents under applicable federal and state laws and, when appropriate, notify affected individuals and appropriate federal and state agencies. Because the Family Educational Rights and Privacy Act (FERPA) does not contain a breach reporting obligation, ED had taken the position that a report directly to ED was optional.
ED, however, has now changed its stance and has started levying Cleryesque fines — up to $56,789 per violation — against institutions that fail to report a data breach directly to ED. The importance of data security and the prevention of cybercrimes are unquestioned, but ED's new stance on breach reporting raises practical problems.
ED has taken an informal approach to notifying institutions about its new breach reporting expectations. Instead of publishing official guidance, ED is notifying institutions about the new obligations at Federal Student Aid conferences and via webinars (such as the Nov. 14, 2017 webinar available here.) Attendees are taking the mandate back to their campuses, but the change is being met with resistance from administrators and practitioners — in large part, because the new expectations contradict ED's previous written guidance in documents like the Data Breach Response Checklist published by ED's Privacy Technical Assistance Center in 2012 (which was still available on the PTAC's website as of the date that this article was written). ED's informal approach to notification means that some institutions likely do not know that ED's reporting expectations have changed and, more importantly, institutions will continue to be confused in 2018.
ED now asserts that institutions must report any "suspected" data breach on the day it is detected. ED has stated that the legal authority for the new reporting expectations are found in an institution's Federal Student Aid Program Participation Agreement (PPA) and its Student Aid Internet Gateway (SAIG) Agreement. Although institutions certify that they comply with the Gramm-Leach-Bliley Act (GLBA) in their PPAs, and the SAIG Agreements require institutions to report a security incident that involves a compromise of "Electronic Services" that are utilized to administer Federal Student Aid, neither agreement (nor GLBA) states that an institution must report any "suspected" breach on the day it is detected. The current PPAs and SAIG Agreements do not appear to provide ED with the overarching authority to require institutions to report breaches that are not subject to GLBA or otherwise unrelated to the administration of Federal Student Aid.
Indeed, the expectation of reporting a "suspected" breach is inconsistent with the framework of U.S. data privacy laws, including GLBA. For example, if a financial institution suspects that it has experienced a data security incident, GLBA requires the institution to conduct a reasonable investigation to promptly determine whether sensitive information has been or will be misused. The institution is only required to provide notice if, after the investigation, the standard has been triggered. GLBA also contemplates delaying notice if, after communicating with local law enforcement agencies, it is determined that sending the notice will hinder the agency's criminal investigation. State data breach reporting statutes contemplate similar investigations and law enforcement delays. Prompt investigation of a security incident to determine whether sensitive information has or will be misused is a fundamental principle of U.S. data privacy laws — in line with the notion that over reporting innocuous incidents imposes unnecessary administrative burdens and is unlikely to decrease identity theft or other cybercrimes.
ED has also not expressly defined what information it considers sensitive and, when a breach occurs, what triggers notification obligations. ED's presentations generally reference personally identifiable information, creating ambiguity because PII has very specific meanings under different laws. Expressly defining the universe of sensitive information that could trigger a reporting obligation is an integral part of any reporting framework. Institutions store vast amounts of information, but only a subset of that information would be considered sensitive information protected by GLBA and other non-educational-specific data privacy laws: e.g., files containing account numbers, social security numbers, governmental IDs and healthcare information.
However, many innocuous documents not protected by GLBA or those other data privacy laws would be considered "education records" under FERPA. And education records that do not contain sensitive information, if accessed improperly, do not justify reporting to a government agency because unauthorized access will not lead to identity theft or other cybercrimes. Moreover, education records that do contain sensitive information are already protected under other federal and state privacy laws.
ED and institutions enter into PPAs and SAIG Agreements to govern the administration of Federal Student Aid. According to ED's website, the Office of Federal Student Aid awards more than $120 billion dollars a year in grants, work-study funds and loans. With such large amounts of money at stake, cybercriminals have and will continue to target the Federal Student Aid system (and too-often under-protected college and university systems). Preventing cybercrimes that relate to Federal Student Aid should be a top priority for ED and institutions alike, and reporting breaches directly to ED that relate specifically to the administration of Federal Student Aid makes good sense. ED's reporting expectations should, however, be expressly defined, rooted in proper jurisdiction and formally announced. Until then, colleges and universities will continue to be confused about ED's new reporting expectations.