[BreachExchange] What to Know About ED's New Stance on Data Breach Reporting

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 8 18:48:58 EST 2018


Until recently, colleges and universities that experienced a data breach
had no unique reporting obligations to the U.S. Department of Education.
Institutions were expected to analyze security incidents under applicable
federal and state laws and, when appropriate, notify affected individuals
and appropriate federal and state agencies. Because the Family Educational
Rights and Privacy Act (FERPA) does not contain a breach reporting
obligation, ED had taken the position that a report directly to ED was

ED, however, has now changed its stance and has started levying Cleryesque
fines — up to $56,789 per violation — against institutions that fail to
report a data breach directly to ED. The importance of data security and
the prevention of cybercrimes are unquestioned, but ED's new stance on
breach reporting raises practical problems.

ED has taken an informal approach to notifying institutions about its new
breach reporting expectations. Instead of publishing official guidance, ED
is notifying institutions about the new obligations at Federal Student Aid
conferences and via webinars (such as the Nov. 14, 2017 webinar available
here.) Attendees are taking the mandate back to their campuses, but the
change is being met with resistance from administrators and practitioners —
in large part, because the new expectations contradict ED's previous
written guidance in documents like the Data Breach Response Checklist
published by ED's Privacy Technical Assistance Center in 2012 (which was
still available on the PTAC's website as of the date that this article was
written). ED's informal approach to notification means that some
institutions likely do not know that ED's reporting expectations have
changed and, more importantly, institutions will continue to be confused in

ED now asserts that institutions must report any "suspected" data breach on
the day it is detected. ED has stated that the legal authority for the new
reporting expectations is found in an institution's Federal Student Aid
Program Participation Agreement (PPA) and its Student Aid Internet Gateway
(SAIG) Agreement. Although institutions certify that they comply with the
Gramm-Leach-Bliley Act (GLBA) in their PPAs, and the SAIG Agreements
require institutions to report a security incident that involves a
compromise of "Electronic Services" that are utilized to administer Federal
Student Aid, neither agreement (nor GLBA) states that an institution must
report any "suspected" breach on the day it is detected. The current PPAs
and SAIG Agreements do not appear to provide ED with the overarching
authority to require institutions to report breaches that are not subject
to GLBA or otherwise unrelated to the administration of Federal Student Aid.

Indeed, the expectation of reporting a "suspected" breach is inconsistent
with the framework of U.S. data privacy laws, including GLBA. For example,
if a financial institution suspects that it has experienced a data security
incident, GLBA requires the institution to conduct a reasonable
investigation to promptly determine whether sensitive information has been
or will be misused. The institution is only required to provide notice if,
after the investigation, the standard has been triggered. GLBA also
contemplates delaying notice if, after communicating with local law
enforcement agencies, it is determined that sending the notice will hinder
the agency's criminal investigation. State data breach reporting statutes
contemplate similar investigations and law enforcement delays. Prompt
investigation of a security incident to determine whether sensitive
information has or will be misused is a fundamental principle of U.S. data
privacy laws — in line with the notion that over-reporting innocuous
incidents imposes unnecessary administrative burdens and is unlikely to
decrease identity theft or other cybercrimes.

ED has also not expressly defined what information it considers sensitive
and, when a breach occurs, what triggers notification obligations. ED's
presentations generally reference personally identifiable information,
creating ambiguity because PII has very specific meanings under different
laws. Expressly defining the universe of sensitive information that could
trigger a reporting obligation is an integral part of any reporting
framework. Institutions store vast amounts of information, but only a
subset of that information would be considered sensitive information
protected by GLBA and other non-educational-specific data privacy laws:
e.g., files containing account numbers, social security numbers,
governmental IDs and healthcare information.

However, many innocuous documents not protected by GLBA or those other data
privacy laws would be considered "education records" under FERPA. And
education records that do not contain sensitive information, if accessed
improperly, do not justify reporting to a government agency because
unauthorized access will not lead to identity theft or other cybercrimes.
Moreover, education records that do contain sensitive information are
already protected under other federal and state privacy laws.

ED and institutions enter into PPAs and SAIG Agreements to govern the
administration of Federal Student Aid. According to ED's website, the
Office of Federal Student Aid awards more than $120 billion a year
in grants, work-study funds and loans. With such large amounts of money at
stake, cybercriminals have and will continue to target the Federal Student
Aid system (and too-often under-protected college and university systems).
Preventing cybercrimes that relate to Federal Student Aid should be a top
priority for ED and institutions alike, and reporting breaches directly to
ED that relate specifically to the administration of Federal Student Aid
makes good sense. ED's reporting expectations should, however, be expressly
defined, rooted in proper jurisdiction and formally announced. Until then,
colleges and universities will continue to be confused about ED's new
reporting expectations.