Educational Institutions Have Cybersecurity and Infrastructure Security Compliance Obligations

On April 3, 2019, Jonathan Vogel attended a program at McGuireWoods LLP on the federal government’s newly formed Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security. Cybersecurity and infrastructure security are issues that impact many areas of the public and private sectors, including schools, colleges, and universities. Aside from complying with the Family Educational Rights and Privacy Act of 1974 (FERPA) — which protects the privacy of student education records at all schools, colleges, and universities that receive funds under an applicable program of the U.S. Department of Education – educational institutions should be mindful that they must comply with other legal requirements to ensure that they are not vulnerable to computer hackers and to physical threats to infrastructure.

For example, colleges and universities that participate in the federal student aid programs authorized by Title IV of the Higher Education Act of 1965 (Title IV, HEA) are required to comply with the privacy and security requirements of the Gramm-Leach-Bliley Act (GLBA). GLBA applies to “financial institutions,” which includes institutions of higher education that provide federal student aid pursuant to Title IV, HEA, and GLBA is enforced by the Federal Trade Commission (FTC). Additionally, institutions sign Program Participation Agreements (PPAs) that expressly condition their participation in the Title IV, HEA programs upon the institution’s compliance with GLBA, specifically the collection, storage, and use of student financial records. Therefore, the failure to comply with GLBA could subject institutions to the risk of restrictions on their Title IV, HEA eligibility.

At the April 3 cybersecurity and infrastructure security program, Vogel caught up with longtime friend and former colleague at the Education Department and Justice Department, Dan Sutherland, who now serves as chief counsel for CISA, and Vogel met Steven Kaufman, the principal deputy chief counsel. Vogel is pictured with Sutherland and Kaufman, as well as with his former McGuireWoods colleague, Susan Rodriguez, who hosted the program.

Jonathan A. Vogel, a former deputy general counsel with the U.S. Department of Education and a former federal prosecutor, is the managing attorney of Vogel Law Firm PLLC, an education law firm focused on legal issues that arise in K-12, higher education, and student loans.

Categories: Higher Education, K-12, and Student Loans.