Personally identifiable information, or PII, is a truly modern resource. A resource that many companies across industries store. This extends into the world of education, where schools and colleges often keep comprehensive databases on employees and pupils. As with any other field, IT teams need to protect this information and keep it from falling into the hands of cybercriminals. This mean creating policies to help protect information from outside hackers and inside accidental exposure.
The urgency around adopting such policies have just increased due to the U.S. Department of Education’s new rules on data breach disclosures. Now, school administrators and IT leaders are burdened with to making sure their processes and practices are in line with the government's latest policies.
What should schools do?
Recently, educators were warned that their current approaches to data management may have to change this year to meet the latest guidelines, according to a Campus Technology Article. Since the ED has been speaking to school representatives informally about the new reporting rules rather than publishing an official update, it is likely that many institutions won't even realize procedures have changed. The new standard involves reporting “suspected” data breaches on the same day they are detected.
A potential problem with this standard is that it is housed in the Federal Student Aid Program Participation Agreement(PPA) and the Student Aid Internet Gateway Agreement(SAIG), which, along with the Gramm-Leach-Bliley Act (GBLA), don't deal with suspected breaches in consistent ways. In the GLBA, for instance, reporting is only required if there is a chance sensitive information was affected and may be misused, and there are provisions for delay in case such a disclosure would impede action from local law enforcement.
With the ambiguity regarding the definition of sensitive information, many schools are probably unsure about how exactly to proceed. But that doesn't mean they should slack on data protection. On the contrary, IT departments, in particular, should do more to protect data in the Federal Student Aid system. Criminals tend to target this information because of the large amount of money involved in the program, and the fact that security measures are often lacking.
Challenges to reporting rules
EDUCAUSE, a nonprofit technology association has challenged the ED's data breach reporting guidance, according to Data Privacy + Security Insider. The letter of concerns expressed the group's uncertainty about certain provisions in the current ED rules. For example, events such as blocked phishing attempts are considered suspected breaches and must therefore be investigated. Educators are worried that they might not have the bandwidth to investigate every issue and that institutional resources would be overworked. The reporting procedures for FSA breach reporting also came under fire. It remains unclear whether the letter will lead to any changes.
Real risk to school data
While there is consternation and a little conflict over the nature of data breach reporting in the education world, there is little question that school resources are really under threat from cybercriminals.
EdTech reported that EDUCAUSE has, for the third year in a row, named data security the top issue facing education. IT departments will have to appropriately prepare in the years ahead to make sure their internal practices aren't putting information at risk. Creating secure web portals for educators, students, and technical staff members could be one way to keep a closer eye on data. The challenge facing schools comes from a dual need to make records available while not exposing them to potential theft.
In the years to come, educational institutions will need to think often about their data defenses. Identity Guard Business Solutions can help institution prepare your employees for a data breach and help educate them to recognize signs of phishing and fraud. Contact Identity Guard Business Solutions today to learn more about how Identity Guard can help your school.