By Rick Cox
Colleges maintain a balancing act between student experience, open and free data, and security threats, with a data breach costing a higher education institution $3.79 million on average.
The U.S. Department of Education has set two priorities for data security at colleges: Improve student privacy data and cybersecurity control at institutions of higher education and strengthen data protection and cybersecurity safeguards.
The department can assist with cybersecurity training materials.
All colleges must have a plan in place to deal with these threats. The college needs to assess threats regularly and must notify the department of any breach as soon as possible.
There will be a new cybersecurity breach intake form for reporting breaches. Once the form is submitted, it will generate an email to the cybersecurity team with all the information on the form. We should see this soon.
A Cybersecurity Newsletter is available. Sign up to receive these newsletters by emailing FSASchoolCyberSafety@ed.gov with the subject line “Send me the FSA Cybersecurity Newsletter for IHEs.”
Our takeaways from FSA’s 2022 virtual conference session on data security include:
- Protect your data
- Because of their financial nature, colleges house a great deal of students’ and parents’ Personally Identifiable Information
- Be proactive on how to do a better job protecting and preventing data breaches
- Colleges cannot allow security challenges, such as lack of resources, cost, awareness, small IT staff and limited cybersecurity expertise to prevent protection of all data. Colleges need to be training staff and conducting phishing exercises to know the status of their team.
Reporting a breach is not considered a negative situation because the Department of Education’s goal is to assist and repair any issues. If a breach occurs, the college should take the following action:
- Send an email to FSASchoolCyberSafety@ed.gov as of now. Coming soon: Colleges will be able to report from the FSA Partner Page at fsapartner.ed.gov. This method includes a form that collects the information below. The department will notify the financial aid community when the FSA Partner Page has been updated.
Include the following information in your email:
- Date of breach (suspected or known)
- Impact of breach (number of records affected, etc.)
- Method of breach (accidental disclosure or hack)
- Point of Contact for the college on Information Security (including email and direct phone number)
- Remediation status (in process with necessary details or completed)
- Next steps (if applicable)
The college should report to FSA so FSA can work with IHE to resolve the incident.
No college has lost eligibility to date because of a data breach. Assistance is available from the IHE FSA Cybersecurity and Homeland Security offices.
Rick Cox is Global’s Executive Director of Regulatory Affairs and Compliance