[BreachExchange] Cybersecurity lapses could cost Title IV eligibility for higher ed

Mon Dec 11 19:25:24 EST 2017

https://www.jdsupra.com/legalnews/cybersecurity-
lapses-could-cost-title-74737/

Data security breaches are an unfortunate reality for almost all businesses
in today’s information-driven marketplace. From Target, to Home Depot, to
Equifax, data breaches are increasingly common and potentially devastating
for businesses and their customers. But data breaches are not limited to
traditional businesses. Any entity that collects, holds, or uses personal
information, and in particular, personal financial information, faces risks
from data breaches.

One group that may not fully appreciate these risks are institutions of
higher education. Most schools may be familiar with the data security and
privacy requirements of the Family Educational Rights and Privacy Act
(FERPA). But for schools that participate in the Federal Title IV
Educational Assistance Programs, there may be additional data security and
privacy requirements they should be aware of.

One such law, the Gramm-Leach-Bliley Act (GLBA), applies to “financial
institutions.” While these “financial institutions” would include
traditional banks, credit unions, and savings and loans, the law’s
definition of “financial institution” encompasses all entities that are
“significantly engaged” in providing financial products or services —
including student loans. Failure to comply with GLBA’s privacy and security
requirements can subject schools to GLBA penalties. But potentially more
importantly, where Title IV schools suffer cybersecurity breaches or are
found to be deficient in cybersecurity protections, the Department of
Education has made clear that such schools may face restrictions on Title
IV funding, including a complete loss of eligibility.

What do Title IV schools need to know?

The Department of Education has made clear that Title IV schools must
comply with cybersecurity regulations — including those found in GLBA. The
Department has begun the process of incorporating GLBA security controls
into its Annual Audit Guide and will soon require evidence of compliance
with GLBA as part of schools’ annual student aid compliance audit.

Thus, at a minimum, Title IV schools must understand the requirements of
GLBA and ensure compliance with those requirements. GLBA requires Title IV
schools to take specific actions in order to protect personal information
in their possession. One such action is that schools must develop their own
cybersecurity programs. While no set of guidelines could cover every
organization’s specific needs, the Department of Education has issued some
guidelines that should be considered with the development of every
cybersecurity program. These requirements include:

- Assessing the personal information collected, stored, accessed, used, and
transmitted by the Title IV school. This assessment should include not just
the school, but any and all vendors, contractors, and other third parties
that provide personal information to or, as part of their services for the
school, have access to, personal information entrusted to the school.
- Appointing an employee or set of employees to manage the school’s
cybersecurity program. This person does not have to be a new hire, and may
have other responsibilities at the school, but they need to be the point of
contact and have ultimate responsibility for running and managing the
cybersecurity program.
- Implementing physical and technical safeguards for all personal
information in the school’s possession. This would include not just IT
features like firewalls, but would encompass limiting access to secure
areas (both on the system and in physical facilities) with passcodes and
security cards as well as making sure that only those employees, vendors,
or staff with a legitimate need have access to the school’s personal
information.
- Developing written policies and procedures to govern the handling,
management, and transmission of the school’s personal information.  Along
with the policies, the school must make sure that its employees, and any
third parties like vendors or contractors, are made aware of the policies
and procedures, trained on them, and appropriately disciplined if they are
not followed.
- Auditing the school’s technical, physical, and procedural protections to
make sure that they are performing as expected and making adjustments to
any protections that are not performing as expected.
- Ensuring that vendors, contractors, consultants, and other service
providers who have access to sensitive information are subject to the
requirements of the cybersecurity policy and are contractually bound to
protect sensitive information.

In addition to developing a cybersecurity program, it is important for
schools to properly train their employees, managers, staff, and vendors on
their cybersecurity programs. The most thorough and well thought out
cybersecurity program is meaningless if it is deployed without the full
support of the organization.

The people required to implement, manage, and maintain that program must
understand it, appreciate its importance, and be properly incentivized to
follow and adhere to it. Management must make sure that violations of the
program are addressed appropriately. Vendors who do not want to comply or
choose not to comply with the program must be dropped. Training must be
held on a reoccurring basis — not just when employees are hired. Employees
and management alike must understand how the cybersecurity program works,
their role in the program, and how they can help improve the program over
time.

For additional insight and tips regarding cybersecurity, please see this
overview, “Cybersecurity for Title IV Schools,” from the Department of
Education’s Office of the Inspector General.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171211/6f67709d/attachment.html>