Cybersecurity and Potential Loss of Title IV Eligibility
By Michelle Donovan, Partner and Jessica S. High, Attorney, Duane Morris, LLP

Cybercrime and inadvertent data breaches are practically a daily occurrence. The Department of Education has always been concerned with this issue in our sector because postsecondary institutions are at high risk due to the nature and sensitivity of the data schools collect.

This risk continues to grow as schools move away from paper records and utilize electronic data systems to store, process, and send records both internally and externally.

Historically, the Department provided only general recommendations as to the cybersecurity measures schools should consider. Over the past two years, however, the Department has taken several actions that make it abundantly clear that Title IV schools must adhere to strict federal cybersecurity regulations, and it has begun actively investigating security breaches. It has also explicitly stated that it considers a breach of the security of student records to be a demonstration of a potential lack of administrative capability, which can lead to restrictions on a school’s Title IV funding, including a complete loss of Title IV eligibility.

The Department has taken the following actions with regard to cybersecurity matters:

  • Issued two Dear Colleague Letters (GEN 15-18; GEN 16-12);
  • Amended the Student Aid Internet Gateway (“SAIG”) Enrollment Agreements to require compliance with federal cybersecurity laws and to impose reporting requirements in the event of a breach or suspected breach;
  • Amended the 2016-2017 FSA Handbook to address the cybersecurity compliance and reporting requirements set forth in the SAIG Enrollment Agreement;
  • Amended the Audit Guide to include cybersecurity measures;
  • FSA’s chief information security officer gave a presentation entitled “Cyber Security Requirements for Institutions of Higher Education” at the July 2016 National Association of Student Financial Aid Administrators (“NASFAA”) Conference;
  • FSA reminded FA administrators at the July 2017 NASFAA Conference of the cybersecurity obligations and indicated that a new Dear Colleague letter is expected shortly; and
  • The Department is now actively investigating data breaches to confirm compliance with the federal cybersecurity laws and to ensure that there is no lack of administrative capability.

We will also discuss the cybersecurity requirements set forth under federal cybersecurity law and the Department’s guidance as to what it considers reasonable security measures. In order to comply with legal and regulatory requirements, schools must:

  • Perform an initial assessment identifying what sensitive information the school possesses, how it is stored, how it is accessed, who has access, who really needs access to the information for valid business purposes, and how and to whom the data is transmitted.
  • Develop written policies and procedures to protect sensitive information, including policies for managing access to the data, physical and technical security measures, and employee training on the policies at all levels of the organization.
  • Implement physical and technical security measures to protect sensitive information.
  • Test and monitor security measures to confirm efficacy.
  • Adjust security measures as needed based on the results of testing and/or changes to business practices.
  • Designate one or more employees to manage the school’s cybersecurity program.
  • Oversee service providers who have access to sensitive information.

Dear Colleague Letters

On July 29, 2015, the Department released Dear Colleague Letter (DCL) GEN 15-18, affirming its expectation that Title IV schools implement strong security policies and reminding schools that sound administration of the Title IV program includes implementing satisfactory cybersecurity policies, safeguards, monitoring, and management practices related to information security. The 2015 DCL also discussed the cybersecurity responsibility that schools assume by entering into Student Aid Internet Gateway (SAIG) enrollment agreements, which include a provision that the institution “[m]ust ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.” The 2015 DCL also specified an institution’s requirement to comply with the Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law governing financial institutions’ use and collection of customer personally identifiable information. The specific cybersecurity requirements of the GLBA are set forth in the Safeguards Rule, issued by the Federal Trade Commission (“FTC”) and discussed in detail below.

On July 1, 2016, the Department issued a follow-up Dear Colleague Letter (GEN 16-12) addressing the legal obligations to protect student information under the GLBA and the methods the Department will use to assess institutional compliance. Here, the Department reminds institutions that each Program Participation Agreement (PPA) contains a provision requiring GLBA compliance. The 2016 DCL also announced the Department’s intention to assess GLBA compliance by incorporating GLBA security controls into the Annual Audit Guide.

SAIG Enrollment Agreement

If your school participates in the Direct Loan Program or the Pell Grant Program, utilizes electronic versions of student FAFSAs, accesses NSLDS, or annually submits the required FISAP, then your school has entered into an SAIG Enrollment Agreement. The SAIG allows schools to interact electronically with the Department. The SAIG Enrollment Agreement includes data security provisions requiring the institution to “take all reasonable steps necessary to safeguard the confidentiality of the data received” and to “develop, implement, maintain, and use reasonable and appropriate administrative, technical, and physical security measures to preserve the confidentiality, integrity, and availability of all data electronically maintained or transmitted pursuant to this Agreement.”

Additionally, the Agreement requires an institution to report to the Department, in writing, any unauthorized use or disclosure of ISIR or FAFSA data within one business day.

The report must identify: (i) the nature of the unauthorized use or disclosure; (ii) the data that was used or disclosed; (iii) the person or entity, if known, who made the unauthorized use or received the unauthorized disclosure; (iv) what the institution has done or will do to notify affected students and mitigate any harmful effects of such use or disclosure; and (v) what corrective action the institution has taken or will take to prevent further unauthorized use or disclosure.

FSA Handbook

The 2016-2017 Federal Student Aid Handbook (Handbook) contains two key provisions regarding cybersecurity. First, the Handbook contains a provision on “Reporting Security Breaches to Students and ED,” stating that institutions must immediately notify the Department of any breach of the security of student records and information. The provision goes on to add that “[t]he Department considers any breach to the security of student records and information as a demonstration of a potential lack of administrative capability.” If the Department determines that an institution lacks administrative capability, this can lead to restrictions on the school’s Title IV funding, including a complete loss of Title IV eligibility. Second, the Handbook contains a section on “FTC Standards for Safeguarding Customer Information.” This section specifically states that Title IV institutions must safeguard customer information, defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic or other form, that is handled or maintained by or on behalf of you or your affiliates.” The section also clarifies that customer information is not limited to student information; it extends to any individual’s information (including parent information) that was provided to the institution. This means your school must protect all personally identifiable information it has been provided with that is not publicly available.

2016 Audit Guide

As indicated in the 2016 DCL, the Department added a provision regarding cybersecurity measures to the Annual Audit Guide.

Specifically, the Audit Guide includes language requiring auditors to evaluate “the integrity and security of electronic processes.”

It is unclear how this vague and broad provision will be implemented. However, given the Department’s specific guidance in the DCLs, it is clear that the Department intends to use the annual audit as a way to ensure an institution’s compliance with GLBA requirements. Schools should not only be prepared to demonstrate compliance during the annual audit but should also ensure that their written cybersecurity policy mirrors their actual practices. Any variance from the institution’s written policies may prompt the auditor to expand the recommendations in the audit report to highlight the inconsistency with the school’s written policies and procedures. Auditor notes regarding cybersecurity within the audit report will likely become a method the Department uses to select institutions for investigation.

Financial aid conferences

At the two most recent National Association of Student Financial Aid Administrators (NASFAA) conferences, the Department has echoed its written guidance, stating that Title IV institutions must comply with the GLBA and that the Department is taking active steps to ensure compliance. At the July 2016 NASFAA conference, the Department’s Chief Information Security Officer, Dr. Linda R. Wilbanks, presented on “Cyber Security Requirements for Institutions of Higher Education.” The presentation covered data protection obligations, including a detailed discussion of the GLBA requirements. Additionally, at this year’s NASFAA conference, Jeff Baker, the Department’s director of the policy liaison and implementation staff for federal student aid, gave a presentation that included a discussion of an institution’s obligation to protect student information. Mr. Baker referenced the 2015 and 2016 DCLs and stated that the Department would likely issue another DCL on cybersecurity this year. He also indicated that the Department is going to take increasing action to ensure compliance and investigate breaches.

Department investigations

The Department has stated that it will require examination of GLBA compliance as part of each school’s annual student aid compliance audit. Additionally, the SAIG Enrollment Agreement requires any breach to be reported directly to the Department. If you are required to submit such a report, you should expect an investigation by the Department. The Department considers a school’s compliance with the cybersecurity requirements of the GLBA to be a reflection of the school’s overall administrative capability. Therefore, it is vitally important that schools take immediate action to implement and/or reassess their cybersecurity policies to ensure compliance with the GLBA.

The Gramm-Leach-Bliley Act and the Safeguards Rule

The GLBA places an affirmative obligation on financial institutions to explain their information sharing practices and to safeguard sensitive information. The scope of what is considered a financial institution under the GLBA is very broad, and includes businesses that are not typically described as financial institutions. As discussed above, the Department considers any Title IV school to be a financial institution that is required to comply with the GLBA. The Federal Trade Commission (FTC) has also made it very clear that it considers colleges and universities to be financial institutions under the GLBA because of their lending activities: “the Commission disagrees with those commentators who suggested colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers.” [1]

The FTC issued two sets of regulations under the GLBA that potentially apply to schools: (i) the Financial Privacy Rule [2] and (ii) the Safeguards Rule [3].

Because educational institutions are prohibited from disclosing personally identifying information without consent, schools are deemed to be in compliance with the Privacy Rule if they are compliant with FERPA. [4]

The Safeguards Rule requires institutions to develop, implement and maintain a written, comprehensive information security program that contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the company, the nature and scope of its activities, and the sensitivity of any customer information at issue. [5] The program must meet the following three objectives: (i) insure the security and confidentiality of consumer information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) protect against unauthorized access to or use of such information. There are five elements that are required under the Safeguards Rule:

  1. Designated coordinators. Your school must designate one or more employees to manage its information security program.
  2. Risk assessment. Your school must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student data that could result in the unauthorized use or disclosure of the data, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this assessment should include consideration of employee training and management, information systems, and detecting, preventing and responding to attacks. It is advisable to hire legal counsel to direct the assessment because doing so may protect the confidentiality of the results through the attorney/client privilege and will also assure compliance with federal and state cybersecurity laws.
  3. Implementation, testing and monitoring. Your school must design and implement information safeguards to control the risks you identify through the risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards used to address such risks.
  4. Evaluation and adjustment. Your school must also evaluate and adjust your information security program to address (i) the results of the testing and monitoring, (ii) any material changes to your operations, and (iii) any other circumstances that may have a material impact on your information security program.
  5. Overseeing service providers. If your school uses any service providers that store, receive, maintain, process, or otherwise have access to student data, you must take reasonable steps to ensure the confidentiality of that data. This minimally includes conducting due diligence to confirm that the service provider is capable of maintaining appropriate safeguards to protect the student data and incorporating security implementation provisions in all service contracts.

National Institute of Standards and Technology guidelines

There is no one-size-fits-all cybersecurity program. Each school needs to go through its own assessment and analysis to develop a program that is appropriate to its particular situation. However, the Department has strongly suggested that schools comply with the security standards set forth by the National Institute of Standards and Technology (“NIST”) in Special Publication 800-171. [6] You should carefully review the NIST standards when developing your cybersecurity program. Below are a few key features.

  • Develop an information security program
    • Designate a program coordinator or team
    • Conduct risk assessment of each system component to identify risks
    • Establish a system security plan describing how safeguards are used to control the identified risks
    • Select service providers that will maintain safety standards
  • Employee management and training
    • Background and reference checks
    • Confidentiality agreements
    • Limit access to authorized employees only
    • Complex passwords (changed at set intervals)
    • Screen savers
    • Limit unsuccessful logon attempts
    • Control remote access sessions (e.g., authentication, passwords)
    • Use and protection policies for all electronic devices
    • Encrypt communications containing sensitive data
    • Train employees to take steps to maintain security and confidentiality
    • Disciplinary measures
  • Information systems
    • Know where sensitive customer information is stored
    • Store the information securely
    • Encrypt stored data
    • Regularly update software and applications
    • Allow only authorized employees to have access
    • Dispose of customer data when no longer needed
    • Dispose of information securely
  • Detecting and managing system failures
    • Maintain updated and appropriate programs and system controls
    • Oversight procedures to detect security breaches or theft
    • Develop self-auditing procedure to regularly test security
    • Monitor relevant industry materials to learn about emerging threats
    • Preserve the security and confidentiality of information in the event of a breach
    • Consider notifying law enforcement and consumers if a breach occurs

Conclusion

Schools must have a robust cybersecurity program in place to protect student records in order to comply with legal and regulatory guidelines. There is no one-size-fits-all cybersecurity program. What may be reasonable for a large, publicly traded school is likely going to be unfeasible for a small, single campus school. You should work with your legal counsel and an information security professional to determine which options are right for your school.

Disclaimer: The contents of this article do not constitute legal or regulatory advice or counsel. No person or entity should act, or refrain from acting, on the basis of the information discussed herein without seeking individualized, professional counsel as appropriate.

Resources

  1. 65 Federal Register 101, p. 33648, May 24, 2000.
  2. Officially titled Privacy of Consumer Financial Information, 16 CFR Part 313.
  3. Officially titled Standards for Safeguarding Customer Information, 16 CFR Part 314.
  4. 65 Federal Register 101, p. 33648, May 24, 2000.
  5. 16 CFR Part 314.
  6. Available at http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=918804.

Michelle Donovan

MICHELLE DONOVAN is a Partner at Duane Morris, LLP. She has a national practice in the areas of intellectual property law, cyber law and technology transactions. Ms. Donovan’s practice is largely focused on the career college sector and the specialized legal issues that arise for schools in the sector, including issues related to the protection of student records, privacy, online marketing and lead generation, trademarks, copyrights and domain names.
Contact Information: Michelle Donovan // Partner // Duane Morris, LLP // 619-744-2219 // mhdonovan@duanemorris.com // www.duanemorris.com


Jessica High

JESSICA S. HIGH is an attorney at Duane Morris, LLP. Her practice focuses on counseling private sector colleges and universities in matters of state and federal regulation, accreditation compliance and advocacy, and student and employee disputes and concerns. Ms. High was previously a Campus Director and founder of a private allied health college branch campus location. She has over 15 years of experience in this sector, 10 years of which she spent employed by private sector colleges in their financial aid, admissions, accounting, student services and human resources departments.
Contact Information: Jessica S. High // Attorney // Duane Morris, LLP // 619-744-2214 // JHigh@duanemorris.com // www.duanemorris.com