The pandemic and virtual learning have exposed educational institutions to more compliance risk. Learn how to navigate FERPA compliance in a virtual world.
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that gives parents the right to have access to their children’s education records, the right to seek amendments to them, and the right to have some control over the disclosure of personally identifiable information from the education records. These rights transfer to a student who turns 18 or enters a postsecondary institution at any age.
Student records include (but are not limited to) grades, transcripts, class lists, student course schedules, student financial information, student discipline files and health records for K-12 levels – including personal COVID-related data. Under FERPA, educational institutions must protect the personally identifiable information (PII) that resides in each student’s record.
The law applies to all educational agencies and institutions that receive funds under any program administered by the Secretary of Education. When an agency or institution violates FERPA rules, it risks a complete withdrawal of federal funding support. You can find the FERPA statute at 20 U.S.C. § 1232g and the FERPA regulations at 34 CFR Part 99.
Remote Faculty, Staff and Students Raise FERPA Compliance Risk
It’s no surprise that the pandemic has exposed educational institutions to more compliance risk. Yet, many are not well prepared to avoid running afoul of data privacy laws, including FERPA.
Consider the case of the University of California (UC). On December 24, 2020, the University’s Accellion file transfer appliance (FTA) was compromised in a targeted cyberattack, causing a significant data breach. According to an FAQ published by UC, students’ PII that was stolen in the breach likely included “full names, addresses, telephone numbers, Social Security numbers, driver’s license information, passport information, financial information including bank routing and account numbers, health and related benefit information, disability information, and birthdates, as well as other personal information provided to UC.”
Sadly, UC revealed to students (and the greater UC community) that some of the PII had already been posted to the Internet by March 29, 2021.
In addition to then-current students’ PII being stolen and posted, new applicants to the UC system also received bad news: “Information from submitted applications for the University of California for the 2020-2021 school year were impacted. This information could include date of birth, gender identity, family household income level, ethnicity and/or tribal affiliation and first language, sexual orientation, academic information (GPA, test scores), and whether you have received foster care,” stated the UC FAQ.
In an attempt to prevent such future loss of student PII (and PII of others), UC informed the community that it had taken four major steps:
Decommissioned the Accellion technology
Began to transition to a more secure solution
Was cooperating with the FBI
Engaged external cybersecurity experts to investigate further
In a subsequent section of the same FAQ, UC also stated that it was enhancing security controls, processes and procedures.
The Costs of Being Unprepared for FERPA Compliance
Certainly, the potential for withdrawal of federal funding should have motivated UC and other institutions/agencies to better prepare themselves prior to the December 2020 attack. If that were not enough, consider the other costs that UC incurred as a result of the data breach. At a minimum, additional costs included the following:
Fees for high-priced cybersecurity and forensics consultants
IT costs to ‘rip and replace’ one or more technology solutions on little notice
Legal fees associated with potential legal actions from the victims
Resources spent on the rapid development of new security controls, processes and procedures
Lost tuition and fees from students and applicants who decided to forego UC
Long-term damage to the UC brand’s reputation
The bottom line is that your educational institution needs to be better prepared to keep student PII safe, particularly with the rate of cyberattacks skyrocketing in recent years.
FERPA Compliance in a Virtual World
Splashtop has been providing remote access, remote support and collaboration to top educational institutions for two decades. That makes us uniquely qualified to provide you with best practices for FERPA compliance while you enable a virtual learning environment for students, faculty and staff. Follow these four proven best practices to keep your students’ PII safer.
Best Practice #1: Update your cybersecurity policy to reflect the “remote work” reality
Many people are unfamiliar with data security issues and simply do not recognize how their actions could lead to a data breach. Everyone in your institution must be informed and aware in order to prevent the exposure of student PII.
Your best way to inform employees is to establish and share a cybersecurity policy that instructs them how to keep student records data safe. The IT security policy can be a simple document. It should explain the reasons it exists and provide the specific security protocols (in non-technical terms) that all employees should follow. It should also provide a contact point (email address or phone number) for employees who need additional help understanding it.
How Splashtop follows this best practice
At Splashtop, for example, we developed “Security Policies” as a subset of our Technical and Organizational Measures (TOMs). These describe the security measures and controls implemented and maintained by Splashtop to protect and secure the data we store and process.
Our IT security experts regularly review and amend our IT security policies. Splashtop employees complete information security training annually and comply with Splashtop’s ethical business conduct, confidentiality and security policies as set out in our “Code of Conduct.”
If you have a policy but have not updated it since allowing remote work, you can quickly create a remote working policy that includes rules and tips for remote work. Focus on how remote employees should act to keep personal information and company data safe, especially when working from home.
Best Practice #2: Train employees and ensure IT can support them
As mentioned above, Splashtop employees complete information security training annually and comply with Splashtop’s ethical business conduct, confidentiality, and security policies as set out in Splashtop’s Code of Conduct.
We prepare our IT team to support remote employees in the following ways:
Account and Password Policies:
Splashtop assigns all users their own logins and grants access via strong passwords and two-factor / multi-factor authentication.
Data Security Control:
Splashtop’s data security controls include role-based access based on the least-privilege principle, access monitoring and logging. This means that all users have a minimal level of data access as they start using the Splashtop system.
Access Control:
Splashtop has implemented access controls to manage electronic access to data and systems. Our access controls are based on authority levels, need-to-know parameters and a clear separation-of-duties for people who access the system.
Security Incident Response:
Splashtop has established “Security Incident Response” procedures that enable Splashtop to investigate, respond to, mitigate and notify of events related to Splashtop services and information assets.
Best Practice #3: Keep data encrypted in transit and at rest
The two keys to maintaining data protection when your employees work remotely are encryption and access control.
Encryption:
Splashtop encrypts all user data in transit and at rest, and all user sessions are securely established using TLS. The content accessed within each session is always encrypted with 256-bit AES.
Access Control:
Splashtop has implemented access controls to manage electronic access to data and systems. Our access controls are based on authority levels, need-to-know levels and the separation of duties for those who access the system.
Additional Tip: Splashtop purposely avoids the over-collection of data – something too many businesses do without a legitimate reason. We align more easily with regulations by NOT collecting sensitive data. We only collect, store and process limited PII, such as username (email), password and session logs (for customers to review, for troubleshooting, etc.), and Splashtop does not sell customer information, per GDPR and CCPA guidelines.
Best Practice #4: Use secure remote access
Splashtop’s remote access solution follows a Zero Trust approach. When employees remotely access their office computer or workstation, they enter via a special Splashtop connection that is not part of the corporate network. This means that they can only view and work with the data (e.g., Word documents) on their remote desktop. Data never travels outside the corporate network. IT security leaders also have the choice with Splashtop to enable or disable both file transfer and print functions, a control that is highly recommended for compliance.
Splashtop remote access introduces even more security features, such as device authentication, two-factor authentication (2FA), single sign-on (SSO) and more. These modern security measures do not exist in VPN architecture.
Conclusion: Start Now to Keep Student PII Safe
The four best practices represent simple, common-sense steps that protect not only your students’ PII, but also your institution as a whole. Moreover, they help prevent the kind of widespread data breach that constitutes a FERPA violation. An ounce of prevention can save you from remediation costs and brand damage.