REGULATORY FEATURE – Is it Safe Yet?
The world has become high tech. It is hard to imagine a world without computers and technology. The “imaginary” world of the1960s television series, Star Trek, utilized technological capabilities that truly seemed to be science fiction. Yet, today many devices employed in the daily activities of the crew of the Enterprise are not seen as futuristic. (Perhaps the “transporter” and “food replicators” would be exceptions!)
Technology advances have indeed increased our capabilities. But, along with these advancements have come prospects for violations of personally identifiable information (PII). Such risks lead to the occasions for identity theft on a personal level. Students understandably ask if their PII is safe. Postsecondary institutions are a source that provides a trove of data for such thievery through the information they collect. An article1 in December 2014 reported there were over 500 security breaches at more than 320 higher education institutions since 2005. The article continued with the fact that 35% of all data breaches occur at postsecondary schools. One may guess such breaches only happen at larger institutions. But, the reality is that any school’s information system may be targeted.
Data Security Practices
The U.S. Department of Education (ED) has re-emphasized schools’ responsibilities to ensure data security. This past summer, ED released Dear Colleague Letter GEN-15-18 (DCL). The letter clearly states institutions are required to maintain strict standards that protect student records and related data. The reminder points out obligations schools have to safeguard information under the Higher Education Act and many other laws and agreements.
The DCL encourages schools to follow industry standards and best practices pertaining to PII. These include a number of specifics, such as:
- assessing the scope of potential risk in the event of unauthorized access to systems and/or data
- determining what level of security is necessary to protect PII and related data and systems
- ensuring the school has appropriate policies and procedures adopted and implemented that reduce risks
- regular evaluation of data, systems, and policies to verify the effectiveness of practices related to information security (Include your third-party servicer in your analysis if you use one.)
Additional items about information security at your school are contained in the 2015-2016 Federal Student Aid Handbook, Volume 2, and Chapter 7. These are crucial to a school maintaining compliance with ED requirements. Some of these stipulations are that a school must have an information security program and a specific employee designated as the coordinator of its program.
A school’s information security program must ensure its measures safeguard PII no matter the format. Safeguarding information includes data as it is initially received, while being worked with by staff, and when being retained on file, or as it is destroyed (after appropriate record retention requirements have been met). Steps to consider for making data safe include:
- determining the format in which data is to be received (paper, electronic, etc.)
- ensuring only appropriately authorized individuals work with, and have access to, PII
- ascertaining the best process to ensure security of data during the entire workflow and tenure of the student at the school:
- Define the information flow and data security measures.
- Implement a clean desk policy as it relates to PII.
- Develop a safeguard policy that monitors and checks for data integrity and security.
A school’s safeguard policy is critical to the security of PII. A policy might consist of:
- computer access being set to auto-lock after a defined period of inactivity (e.g., 10 minutes, 20 minutes, etc.)
- requiring passwords to be reset every month or 90 days, etc.
- supervisors performing regular and ad-hoc monitoring of employees’ work areas to ensure no PII is left unattended, and all information is locked away when not being worked
- verifying staff do not have login and password information written on “sticky notes” on their computer monitor or available in other easily accessible areas to inquiring eyes and hands, etc.
- secure data destruction, as appropriate, after expiration of record retention requirements
Enhancing Your PII Policies and Procedures
Below are additional considerations2 related to PII policies and practices. Following such points will enhance the likelihood of your students’ PII remaining secure.
1. Designate a coordinator of the school’s overall information security program.
2. Assess the risks to which the institution (and, the financial aid office in particular) may be exposed for a breach in information security.
3. Test and monitor your safeguards to protect PII from potential risks.
4. Schedule on your annual planning calendar a formal review of your current policies and practices regarding security of PII to ensure they are adequate and appropriate, and that they are being followed.
- Have you had any data breaches or otherwise inappropriate disclosures of PII?
- How did such action occur?
- What was the extent and impact of such violations?
- What resolution was reached and what was the cost of doing so?
- What steps have been taken to ensure such violations do not occur again?
5. Ensure each employee that has contact with students’ PII are instructed and/or reminded of the appropriate protocol for ensuring security of PII. This should be done on at least an annual basis and may include having the employee sign a statement of understanding of your current policies and procedures, in addition to FERPA requirements, etc.
- All communication of personally identifiable information in an electronic format [e.g., sharing a student’s Institutional Student Information Record (ISIR)] must be via an encrypted and/or password protected manner.
- If you are faxing information, ensure you alert the intended recipient to be aware the document is being transmitted so that PII is not left on a fax machine for multiple people to view.
7. Inventory the location and manner of storing and/or transmitting PII (paper files, USB drives, CD-ROMS, etc.) at your school.
- Collect no more PII than is necessary and that will be used.
- Do you have policies regarding the type of USB drive (also known as a flash drive, thumb drive, or stick drive) that is authorized to be used in your office? Is any general USB drive allowed to be used, or do you require a secure, password protected drive?
- Are paper files that contain PII maintained in a locked and secure environment when not being actively worked on (including at the end of the day, i.e., no loose files sitting on top of desks, left on printers or copiers, etc.)?
- Regularly shred any paper documents that are not required to be maintained under record retention requirements, e.g., multiple copies of the same document, etc.
- Map out the flow of PII of students (and employees) to know where all PII is contained so it may all be appropriately destroyed when appropriate.
8. Verify that access to students’ PII is restricted to authorized employees with a legitimate educational interest; exceptions to this are documented in the student’s file.
- There are limited exceptions to this requirement of having to document to whom information was disclosed , e.g., the parent (if applicable) or eligible student, a party with written consent from the parent or eligible student, a party seeking directory information, and in cases of certain court orders or subpoenas.
9. Require that any disclosure of information to other parties be documented in the student’s file.
- Auditors are required to document their examination of student information.
- ED officials (e.g., during a program review) must document their evaluation of the file.
- Individuals from accrediting agencies that may need to review a file must document their access in the file.
- Any other outside parties (e.g., consultants) must also document that the PII was disclosed to them.
10. Review any documents and information that may be posted on bulletin boards, displays, or online to ensure there is no PII that will be displayed.
- Use fictional data for training purposes so you do not have an issue with PII
- If fictional data is not possible, ensure that any PII that displays in training material is thoroughly and completely redacted.
13. Maintain an active information breach response team that has clearly defined roles and responsibilities that is immediately engaged when a breach or suspected breach or unauthorized disclosure of PII occurs and acts within defined time frames, including notification of affected parties and ED.
Information security is a key element of compliance in the administration of student financial aid. Asking yourself if PII is safe is a question you should ask regularly. Doing so will increase the likelihood that you did “make it so” when asked by ED or a student, “Is it safe yet?”
________________________________________________________________________________________________________ 35 Percent of All Security Breaches Take Place in Higher Education; BetaNews, Inc.; http://betanews.com/2014/12/17/35-percent-of-all-security-breaches-take-place-in-higher-education. Accessed 08/17/2015.
2 Portions of these considerations were adapted from Ross C. Hughes’ presentation in Session #40, “Computers, Privacy, and Data Protection,” at ED’s 2014 FSA Conference.
NOTE: An abridged version of this article is being simultaneously released in Beauty Link Magazine, a publication of the American Association of Cosmetology Schools (AACS) and the Career Educators Alliance.
The above article is presented for informational and educational purposes only and should not be considered to be giving legal advice.