One-Day Breach Notification for Colleges and Universities?
Since at least fall of 2017, the Department of Education (“ED”) has expected institutions of higher education to report data breaches directly to the department on the same day a breach is discovered – or face fines.
Most colleges and universities are by now well aware of their responsibility for safeguarding the confidentiality of student educational records under the Family Educational Rights and Privacy Act (“FERPA”) – but no federal statute or regulation expressly requires educational institutions to notify ED of a data breach, and ED has not engaged in any formal rulemaking to create a breach notification rule. Nevertheless, since at least the fall of 2017, ED has taken the position that postsecondary institutions receiving Title IV Federal Student Aid (“FSA”) funds (“Title IV schools”) must report “actual or suspected” breaches of any data – not just FSA data – directly to ED. Specifically, the FSA Office notes in its Cybersecurity FAQ that Title IV schools must report breaches “on the day that a data breach is detected or even suspected,” and failure to comply with this requirement may result in fines of up to $54,789 per violation.
ED has stated that this breach reporting requirement derives from 1) the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule, to which schools agree to adhere in their FSA Program Participation Agreements, and 2) a breach notification requirement contained in Title IV schools’ Student Aid Internet Gateway (“SAIG”) Agreements. However, neither the GLBA Safeguards Rule nor the FTC’s non-binding Safeguards Rule guidance contains a breach notification requirement, much less a requirement for institutions to notify ED within one day. A sample SAIG Agreement made available by ED requires Title IV schools to immediately notify the FSA Office “in the event of an unauthorized disclosure or breach of applicant information or other sensitive information (such as personally identifiable information)” but says nothing about “suspected” breaches (which, as practical matter, includes virtually all security events and incidents on the day they are detected, before a full investigation has occurred) or breaches of non-sensitive data. For such an apparent change in interpretation, one would expect a formal rulemaking or more involved process.
The agency allegedly has been threatening enforcement for non-compliance. The non-profit association EDUCAUSE claimed in a public letter that ED has sent letters to various Title IV schools alleging that the schools have suffered an unspecified breach and/or failed to comply with breach self-reporting requirements. The ED letters, which EDUCAUSE believes to be based on unconfirmed media reports, allegedly demand that the schools respond within 30 days with a full accounting of their information security programs, and threaten fines for non-compliance with the breach notification requirement. EDUCAUSE also states that ED officials have suggested that routine security events, such as blocked phishing attempts, could trigger reporting requirements. If true, such a notification requirement arguably would be the most rigorous standard applied in the U.S. in any industry, including healthcare, finance, and defense.
While there are no public reports of ED actually fining Title IV schools for failing to notify the agency within one day of a breach, the threats are cause for concern. If routine security events are considered to be “breaches,” fines could quickly stack up if schools are found to be noncompliant for failure to report such events. Even absent these threats, Title IV schools should ensure that they have robust, Safeguards Rule-compliant security programs to avoid allegations of negligence in the event that they experience a breach. Additionally, they should consider how ED’s notification expectations fit into their incident response plans and engage with ED officials to clarify ED’s basis for asserting authority in this area and continue to monitor for further regulatory developments.