The American Council on Education (ACE) has submitted a letter to FSA expressing support for our comments and request for FSA/higher education collaboration.
A few weeks ago, EDUCAUSE submitted comments to the Office of Federal Student Aid (FSA) at the U.S. Department of Education (ED) raising a number of concerns about breach notification/information security reporting compliance letters received by member institutions. Issues addressed included the initiation of compliance processes without appropriate coordination with designated institutional contacts, validation of the alleged security incidents, and confirmation of their relevance to student financial aid data; the need for clarification of the basis and scope of FSA's compliance authority, especially in relation to undefined "suspected" data breaches, regardless of their relationship to student financial aid data; and the lack of official, documented policies and procedures to facilitate institutional compliance where necessary.
At that time, EDUCAUSE expected to meet soon with senior FSA officials to discuss our community's concerns and how FSA might collaborate with our members to develop appropriate compliance expectations and processes. Unfortunately, in the same timeframe, FSA experienced a senior leadership transition, in which the relatively new FSA chief operating officer (COO) (the head of the agency) was replaced by an acting COO while a new deputy COO was also appointed. This turnover combined with the need to give our detailed comments due consideration led FSA to cancel the anticipated meeting. FSA officials indicated that they would reschedule it once a formal response to our concerns had been prepared. We have yet to receive word on when those steps might take place.
In the interim, the American Council on Education (ACE) has submitted a letter to FSA expressing support for our comments and request for FSA/higher education collaboration. ACE also asked FSA to suspend the institutional response deadlines for the compliance processes it already has underway pending the outcome of the proposed collaborative efforts, which would more effectively define what an appropriate institutional response should be. Likewise, ACE urged FSA to narrowly target any future compliance actions in this space by working with its designated institutional contacts, focusing on breach and information security reporting issues that are clearly related to FSA data, and refraining from initiating formal compliance actions as long as institutions are working with it in good faith.
ACE has not yet received a response to its comments, but again, the recent leadership changes at FSA mean it will likely take more time than usual for agency reviews and replies. EDUCAUSE will continue to work with ACE, however, on our shared concerns about the scope and nature of FSA's actions, as well as the lack of clarity around its authority and compliance frameworks to support them. That includes further outreach to FSA as needed to resolve our concerns within the context of FSA's legitimate interests in the security and integrity of student financial aid data. It also entails engaging other higher education stakeholders in those discussions as appropriate.
Jarret Cummings is Director of Policy and Government Relations at EDUCAUSE.
© 2018 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.