On January 30, 2018, EDUCAUSE, a higher education technology association, submitted a letter to the U.S. Department of Education describing its concerns about the ability of Federal Student Aid (“FSA”) to protect federal student financial aid data. EDUCAUSE’s members include IT professionals from over 1,800 colleges and universities as well as other organizations.
First, EDUCAUSE expressed concerns about letters that various colleges and universities received from the FSA. These letters indicated that a data breach or suspected data breach occurred at educational institutions, and required the institutions to make a full accounting of their information security program. Some of the letters also indicated that the institutions failed to self-report alleged or suspected breaches. It appeared that the FSA identified these institutions from news reports, but EDUCAUSE expressed concern that the FSA did not confirm that the breaches or suspected breaches occurred prior to sending the letters.
Second, EDUCAUSE expressed concerns that the FSA did not have proper reporting procedures in place. In late 2017, the FSA stated that notifications could be made via text message to an FSA official’s cellphone number. It also indicated that blocked phishing attempts constituted a suspected data breach that must be “immediately reported” (i.e., on the date of detection). Institutions were concerned that they would not have sufficient time to investigate a suspected breach and that institutional resources would be overly taxed. They were also concerned that the FSA did not have standardized, secure processes for receiving and storing sensitive information.
EDUCAUSE requested that the FSA disclose the basis for its guidance, including the iteration of the FSA’s Program Participation Agreement or FSA Student Aid Information Gateway agreement. It also argued that the FSA should act collaboratively with institutions to develop reporting standards, guidance and processes. Finally, it challenged the FSA’s ability to require institutions to report all breaches or suspected breaches rather than limit their reporting obligations to those related to federal financial aid data.
In a blog post written the following day, EDUCAUSE indicated that it expected a meeting to occur with FSA representatives in the following several days. However, it does not appear that any meeting has taken place yet.