Privacy and Information Security Safeguards Recommended by Department of Education
Data Breach
Monday, 15 December 2008 21:33

In December 2008, the U.S. Department of Education published the final amendments to the Family Educational Rights and Privacy Act (FERPA) regulations. Among several important changes and clarifications to FERPA, the publication also included recommendations for safeguarding education records, which parallel privacy and information security best practices. These safeguard recommendations are significant because many educational agencies and institutions look to FERPA alone for privacy guidance, even though other federal, state and industry regulations, less familiar to the education sector, may also apply to them.

Although neither FERPA nor the Department of Education currently dictates data security safeguards, a substantial section of the federal publication is devoted to recommendations for protecting education records. The Department encourages agencies and institutions to take reasonable and appropriate steps to safeguard the personally identifiable information (PII) they collect and handle, and to take into consideration the type and quantity of information and the institutional profile when adapting safeguards.

The Department of Education recommendations parallel those articulated by other agencies such as the FTC and HHS regarding the safeguarding of personally identifiable information and protected health information respectively. The recommendations are based on privacy and information security best practices, and similar recommendations commonly appear in discussions of compliance with other privacy and information security laws, including HIPAA, the Gramm-Leach-Bliley Act and the Red Flags Rule.

The recommendations call for the development of a written institutional or agency privacy and information security policy and a breach notification policy. Performing risk assessments and training employees on policies and procedures are also discussed in the publication.

In the case of a data breach, the publication suggests the following:

  • Report the incident to law enforcement
  • Determine what and whose information was compromised
  • Take steps to retrieve the compromised information
  • Determine how the incident occurred and take immediate steps to prevent further compromise
  • Determine what institutional policies or procedures were breached
  • Conduct a risk assessment of physical, technical and administrative safeguards
  • Notify those students whose personally identifiable information was compromised

Although FERPA does not require the notification of students or parents in the event of an information security breach, the publication was remiss in not reminding covered entities that most states have breach notification laws that may require public sector entities such as schools and local governments to notify the people whose information was compromised. Additionally, there should have been emphasis on conducting a risk assessment of the physical, technical and administrative safeguards as a preventive measure; as written, the publication presents the risk assessment only as a response to a data breach rather than as a step taken before one occurs.

The recommendations explicitly address student records, the subject of FERPA. It would have been appropriate for the suggestions and discussion on improving privacy practices in agencies and educational institutions to go beyond protecting education records, because data breaches reported by the education sector have compromised the profiles of students and of many others, including alumni, parents, employees and volunteers.

A recent analysis and report of education sector data breaches by J. Campana and Associates revealed that U.S. school-related data breaches account for nearly one-third of all the data breaches reported. The Education Sector, which comprises as little as 0.6% of the total number of U.S. entities, therefore reported a disproportionate number of breaches. The data breach incidents reported by the Education Sector account for more than 12.4 million student, alumni, parental, employee, volunteer and other consumer profiles that were lost or stolen, or inappropriately accessed, exposed or disposed of. Consumers whose profiles have been compromised are at increased risk of having their right to privacy abused or of becoming victims of identity theft. According to the study, the profiles compromised by the Education Sector amount to as much as 25% of all consumer profiles compromised by all enterprises in "average" information security breaches.

Last Updated on Saturday, 10 January 2009 12:31