Security breaches have become commonplace for many businesses. Here are some examples from 2018 and 2019:
- Hackers accessed the personal information of 147 million Facebook subscribers.
- A data breach at Marriott Hotels affected 500 million customers.
- A cyber attack at British Airways caused the theft of bank card numbers, expiration dates, and CVV codes of 380,000 bookings.
- More than 24 million mortgage and banking documents remained unprotected for two weeks at Ascension.
- User passwords of 330 million Twitter users were obtained.
- A cyber attack at Uber resulted in the release of the personal records of 57 million customers.
The above examples refer to business entities. What about institutions of higher education? Should students be concerned about the possibility of a security breach at their college or university? The answer is, “yes!”
U.S. colleges harbor a wealth of information, including personal, medical, and banking details on students. These institutions realize that they are susceptible to attacks on the confidential data of students and their parents or guardians.
From 2006 to 2013, 550 universities in the United States reported a data breach (NBC News, 2015).
Hackers in China were suspected of being behind the breaches at Pennsylvania University and the University of Virginia. The University of Connecticut had students’ Social Security numbers and credit card numbers taken during a security breach.
Reported security breaches in the education sector place third, behind Healthcare (#1) and Retail.
What about federal laws protecting colleges?
Firstly, students need to be familiar with Title IV institutions. These schools fall under the Higher Education Act of 1965, which refers to federal student financial aid programs. There is a host of criteria to meet the U.S. Department of Education’s definition of an Institution of Higher Education. For example, the school must have national accreditation, be a public or nonprofit school, and offer degree programs of not less than two years.
Students with federal loans who want to refinance may encounter rejection if they have not attended a Title IV school.
The acceptance of federal aid for student loans makes these learning institutions financial entities, according to the Gramm-Leach-Bliley Act (GLBA) of 2003. It is named after the politicians who introduced the bill: Senator Phil Gramm and House of Representatives Republicans Jim Leach and Thomas Bliley.
Learning institutions that provide student loans for tuition are in the same category as companies offering financial services. Therefore, Title IV schools must adhere to the GLBA rules and regulations. One of the critical points of the Act is the requirement that institutions protect the private information and financial data of the students. Hence the need for schools to put adequate safeguards in place to prevent cyber attacks.
A condensed list of the institution’s requirements is:
- Limit information system access to authorized users
- Create information system audit records
- Perform appropriate maintenance on information systems
- Assess security controls regularly and implement action plans
- Control, monitor, and protect organizational communications
- Identify, report, and correct information flaws promptly
Failure to comply can cause the suspension, limitation, or termination of participation in the federal aid program. The OIG may also decide to impose a civil penalty.
Under the compliance stipulations of the GLBA, all paper and electronically stored information must be protected. Examples of crucial data that need to be secured are:
- Driver’s License
- Bank and credit card numbers
- Social Security number
- Income (if applicable)
- Tax returns
- Student records of grades and evaluations
The Technology Crimes Division of the U.S. Department of Education (Department), under the banner of the Office of the Inspector General (OIG), oversees this program. Proof of compliance with the GLBA is required of institutions as part of the school’s annual student aid audit. An actual or suspected breach mandates immediate notification to the OIG and the Department by telephone.
As a student, cybersecurity issues may not seem relevant as you head off to college. However, it is a grave concern for those in positions of authority at U.S. colleges and universities. Each Title IV institution must appoint an employee or a group of employees dedicated to cybersecurity. Written policies and procedures must be implemented, the same as at any other financial corporation, investment firm, or company that houses sensitive employee data. To succeed in this endeavor, personnel must have the proper training and education in cybersecurity, information security, network security, IT, or a related field.