What Is FERPA and Why Should We Care?
September 25, 2020
In 1974, the Family Educational Rights and Privacy Act (FERPA) was created to prevent the abuse of student records in the U.S. At the time, these records were easily accessible to law enforcement, which eventually led to their misuse. In response, FERPA established protections for the data of students and their families. FERPA requires educational institutions to obtain written consent from a parent before student PII (personally identifiable information) can be accessed.
With the spread of digital technology since 1974, FERPA has become even more vital to protecting student PII. Since PII can be stolen in a cyberattack by an anonymous attacker, the need to properly protect student data now takes center stage. Educational institutions have become a favorite target for ransomware attacks, partly because their data security is notorious for being ill-equipped to handle a cyberattack. A Breach Level Index report found that attacks within the education sector have exposed 33.5 million student PII records, including Social Security numbers, birthdates, student school ID numbers, grade point averages, and details about the students' parents.
Failing to protect student PII properly can tarnish an educational institution's reputation. However, non-compliance with FERPA regulations can mean far more than a hit to reputation. Possible sanctions against a school include the loss of federal funding, criminal prosecution, and the dismissal or suspension of those responsible for protecting student PII.
The responsibility to protect student records, and to put proper protection measures in place, clearly falls on the institution. That may be more challenging in the digital age than it was over 40 years ago when FERPA was created. Nevertheless, protecting PII remains in the hands of education providers, no matter the year.
Start by securing the perimeter of the network. Firewalls, antivirus, and antimalware products are a good first step. Next, ensure that all employees in the school system have access only to the information they need, and limit who can see PII as much as possible. Require strong passwords of everyone, including upper- and lowercase letters, numbers, and special characters, and insist that passwords are not easy to guess and do not include personal information such as the user's birthdate. Require passwords to be changed regularly. Always ensure that the systems used to store PII are properly configured and accessible only to those with passwords. Require multi-factor authentication whenever possible.
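As an added illustration (not code from the original post) of the need-to-know and written-consent points above, the following Python sketches an access check over student record fields: a role may read a field only if its job requires it and, for PII fields, written parental consent is recorded, and every decision is logged so denied PII requests can be reviewed. The roles, field lists, sample record and log format are constructed assumptions, not FERPA definitions.

```python
from dataclasses import dataclass, field

# Constructed need-to-know policy: each role may see only the fields its job requires.
ROLE_FIELDS = {
    "teacher":   {"name", "gpa"},
    "registrar": {"name", "student_id", "birthdate", "gpa", "parent_contact"},
    "nurse":     {"name", "birthdate"},
}
# Fields the post lists as exposed in education breaches; treated as PII here.
PII_FIELDS = {"student_id", "birthdate", "ssn", "gpa", "parent_contact"}


@dataclass
class StudentRecord:
    data: dict
    # Fields for which written parental consent is on file (constructed representation).
    consented_fields: set = field(default_factory=set)


AUDIT_LOG: list = []  # one line per access decision, allow or deny


def access_field(user: str, role: str, record: StudentRecord, fld: str):
    """Return (granted, value). Deny unless the role needs the field and, for PII,
    consent is on file. Unknown roles and unknown fields fail closed."""
    needed = fld in ROLE_FIELDS.get(role, set())
    consented = fld not in PII_FIELDS or fld in record.consented_fields
    granted = needed and consented and fld in record.data
    reason = ("ok" if granted else "no-need-to-know" if not needed
              else "no-consent" if not consented else "no-such-field")
    AUDIT_LOG.append(f"user={user} role={role} field={fld} "
                     f"decision={'ALLOW' if granted else 'DENY'} reason={reason}")
    return granted, (record.data[fld] if granted else None)


def denied_pii_attempts(log=None) -> list:
    """Detection hook: denied requests for PII fields are the entries worth reviewing."""
    log = AUDIT_LOG if log is None else log
    return [e for e in log if "decision=DENY" in e
            and any(f"field={f} " in e for f in PII_FIELDS)]


# Constructed sample record; all values are placeholders.
SAMPLE = StudentRecord(
    data={"name": "A. Student", "student_id": "S-0001", "birthdate": "2008-01-01",
          "gpa": 3.7, "parent_contact": "parent@example.com", "ssn": "000-00-0000"},
    consented_fields={"gpa", "birthdate"},
)

if __name__ == "__main__":
    print(access_field("tmiller", "teacher", SAMPLE, "gpa"))               # allowed
    print(access_field("tmiller", "teacher", SAMPLE, "ssn"))               # denied: not needed
    print(access_field("rjones", "registrar", SAMPLE, "parent_contact"))   # denied: no consent
    print(access_field("intruder", "contractor", SAMPLE, "name"))          # denied: unknown role
    print(*denied_pii_attempts(), sep="\n")
```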
Finally, these institutions are in the business of education. Therefore, take some time to educate staff, instructors, and all employees about the ever-evolving cybersecurity threats that exist online. These people are often the first line of defense against phishing attacks.
Stickley on Security