Federal Student Aid Breach/Security Reporting Compliance


(February 1, 2018 – Jarret Cummings) EDUCAUSE has submitted a formal letter to Federal Student Aid (FSA) asking it to initiate a collaborative process with EDUCAUSE members to resolve serious concerns about FSA compliance actions on breach notification and information security program reporting.

Federal Student Aid (FSA), the U.S. Department of Education office that administers the federal student loan program, began a couple of years ago to draw attention to its views and interests regarding higher education information security. (For example, EDUCAUSE reported previously on FSA's work to introduce a GLBA Safeguards Rule audit objective into the federal single audit process.) Late last year, however, the office started sending breach notification and information security reporting compliance letters to EDUCAUSE member institutions, and those letters have raised significant concerns among our members.

EDUCAUSE has responded by submitting a formal letter to FSA highlighting the problems our members are seeing and requesting that FSA collaborate with EDUCAUSE and the higher education community in general on solutions. Our letter's key points include the following:

  • EDUCAUSE recognizes that FSA has a vested interest in the security and integrity of student financial aid data. Our members share that interest and want to work with FSA to protect it.
  • We believe, however, that FSA's recent compliance efforts may inadvertently detract from our shared interest, rather than advance it.
  • For example, FSA has sent formal compliance letters directly to institutional presidents based on unconfirmed media reports of alleged data breaches or suspected breaches.
  • The letters assert an institutional responsibility to report to FSA on any alleged or suspected breach, regardless of whether the incident has any relationship to federal student financial aid data.
  • In sending the letters, FSA has bypassed the institutional contacts established in the agreements it cites as the basis for compliance and has not worked with those contacts to validate the legitimacy of alleged incidents before initiating formal action.
  • The letters leverage the alleged incidents and another FSA/institutional agreement to require highly detailed reporting on the institution's information security program as well as any alleged incident, in some cases down to the machine level.
  • The process for responding to these letters is not officially documented outside the letters themselves and does not address institutional concerns about the security and confidentiality of the information institutions are asked to provide to FSA.
  • FSA appears to derive its authority in this space not from law or regulation, but from two contract provisions in two separate agreements. It is not clear that those provisions can support the requirements FSA asserts, or that contract provisions are the appropriate vehicles for establishing compliance.
  • FSA has not yet provided the official guidance, documentation, and processes to support an objective, shared understanding of the basis for compliance and how best to fulfill it.

EDUCAUSE has requested a meeting with FSA representatives to discuss these issues, which we believe will occur in the next several days. As mentioned above, we will seek to emphasize the interest in student financial aid data security that our members share with FSA, as well as their desire to collaborate with FSA in defining a clear, consensus-based path forward. We will continue to update the community as the dialogue with FSA continues to unfold to what we hope will be a positive conclusion.

Jarret Cummings is the Director of Policy and Government Relations for EDUCAUSE.