The Government Accountability Office (GAO), after a recent audit, found several weaknesses in the Department of Education’s (ED) Office of Federal Student Aid’s (FSA) procedures for protecting student records from potential security breaches.
GAO’s report to the House Committee on Oversight and Government Reform — “Better Program Management and Oversight of Postsecondary Schools Needed to Protect Student Information” — was published in November and publicly released Monday.
ED and postsecondary schools are responsible for distributing billions of dollars in financial aid each year, and as a result must collect a large amount of information on students and parents, most notably through the Free Application for Federal Student Aid (FAFSA). The FAFSA contains personally identifiable information (PII) such as a student’s Social Security number, driver’s license number, and savings account information, as well as his or her parents’ Social Security numbers and asset information.
“What we found is that there are definitely needed improvements to be made both in how the Department of Education manages that information itself, and how it ensures that participating schools are protecting the information that they also maintain,” Nick Marinos, director of cybersecurity and information management and author of the report, said on GAO’s podcast, “Watchdog Report.”
Between 2013 and 2016, 13 schools reported physical or electronic data breaches that exposed students’ PII. The breaches included the theft of a laptop containing students’ names and addresses, medical files taken during a building break-in, and loan notices containing sensitive information sent to the wrong student.
“The risk is high when you’ve got large amounts of data,” Marinos said on the podcast.
While GAO found that FSA established policies and procedures to maintain and protect student information and comply with federal laws, GAO reported that “shortcomings in key areas hinder the effectiveness of FSA's procedures.”
The report found, for example, that while FSA created methods for maintaining, organizing and disposing of paper records, it does not have policies in place to the same extent for electronic data. It also determined several policies to be outdated and found that FSA did not consistently analyze the risks involved with using electronic systems.
ED Inspector General Kathleen Tighe identified similar weaknesses with electronic security procedures in another audit, but her suggestions to improve information systems and policies were not implemented.
“Until FSA implements the recommendations, it increases the risk of improper disclosure of information contained in student aid records,” Marinos wrote.
While FSA oversees and reviews schools’ student aid programs based on risk factors, it does not assess schools’ information systems or require schools to prove that they can protect students’ most sensitive information, despite the reported data breaches. Currently, schools are not required to demonstrate that they adhere to the Federal Trade Commission’s regulations on protecting personal information.
Results from a recent GAO survey showed that while a majority of schools that offer financial aid reported that they have policies in place to protect students’ information, those procedures are, according to Marinos, “vague and unclear.”
The audit found that some schools are failing to implement the federal requirements to establish safeguards and analyze risks to their systems, and that schools varied in how they stored records, how long they retained the data, and how they disposed of sensitive information.
“This raises concerns about FSA's oversight and how effectively schools are protecting student aid information,” Marinos wrote. “Until Education ensures that information security requirements are considered in program reviews of schools, FSA will lack assurance that schools have effective information security programs.”
GAO offered several recommendations to strengthen FSA’s current procedures and improve its oversight activity.
GAO suggested that FSA establish a document outlining a standard procedure for disposing of electronic records, require that staff receive regular training on managing online information, and set up a review of FSA’s records management program every three years. It also suggested that security policies be reviewed annually.
To improve FSA’s oversight of schools, GAO recommended that it include a review of schools’ security procedures for managing data in its regular audits, and that the Secretary of Education require that the ability to protect personal information be included in the assessment of a school’s administrative capability.
“By including the protections of personal information as a requirement for schools in demonstrating their administrative capability, FSA would have better insight and the schools would be better able to protect student information, including PII,” Marinos wrote.
Publication Date: 12/6/2017