Pop Quiz – What Is an Institution Responsible for in the Event of a Data Breach?


School XYZ accidentally released personally identifiable information to the wrong students, which included the name of the student, the amount of financial aid the student was eligible to receive, and the student’s school identification number, which is used in accessing the student portal. Roughly 100 students were affected. How should the school handle this mistake?


The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) has a document called the Data Breach Response Checklist, which the school may find helpful in this situation.

The Data Breach Response Checklist identifies what a data breach entails, items to consider when coming up with a response strategy, what to do before a breach, how to respond once a breach occurs, and additional resources. Since the data breach has already occurred, the recommended steps are summarized below:

  1. Validate a data breach has occurred.
  2. Once validated, assign an incident manager to be responsible for the investigation.
  3. Assemble a response team.
  4. Determine how many students were affected and the composition of the breach.
  5. Notify data owners.
  6. Consider notifying the Family Policy Compliance Office (FPCO) about the breach.
  7. Consult your legal counsel and determine whether authorities, such as law enforcement should be notified.
  8. Decide how to investigate to ensure the integrity of evidence is upheld.
  9. Determine if notification of the students is appropriate given the situation and, if so, how to do it.
  10. Collect and review any breach response documentation and reports.

More detailed guidance can be found in the Data Breach Response Checklist document.


Publication Date: 10/19/2017

You must be logged in to comment on this page.

Comments Disclaimer: NASFAA welcomes and encourages readers to comment and engage in respectful conversation about the content posted here. We value thoughtful, polite, and concise comments that reflect a variety of views. Comments are not moderated by NASFAA but are reviewed periodically by staff. Users should not expect real-time responses from NASFAA. To learn more, please view NASFAA’s complete Comments Policy.
View Desktop Version