FERPA (the Family Educational Rights and Privacy Act) is a United States federal law protecting the privacy of student education records, more specifically governing access from public entities, such as employers, public schools, and foreign governments.
FERPA also gives parents the right to make decisions regarding their children’s education until the child reaches 18 years of age or attends a school above the high school level, at which point FERPA describes them as “eligible students.” Parents and students do not hold FERPA rights simultaneously: the rights transfer from the parent to the student when the conditions above are met.
To help educational institutions understand FERPA, this article will focus on the main cybersecurity requirements to stay compliant with federal law, including what the act covers, who must comply, common penalties for FERPA violations, and best practices for complying with FERPA and other student data privacy laws and regulations.
History of FERPA
Before FERPA was passed in 1974, student academic records were largely unprotected, despite containing large amounts of personally identifiable information (PII) and sensitive data, including social security numbers (SSN), student medical data, and student loan information. Compromised student data could potentially lead to individuals becoming victims of fraud or data theft.
FERPA is sometimes referred to as the Buckley Amendment after Senator Buckley, the principal sponsor of the bill, who cited “growing evidence of the abuse of student records across the nation.” Anyone in an assumed position of authority was able to access student records, which often contained medical information, and students were put into various programs without the parents’ consent or knowledge.
Although FERPA was initially introduced as an amendment to another education act, it was quickly adopted as its own legislation after Senator Buckley maintained its importance and necessity. Further amendments to FERPA expanded the definition of PII and the circumstances it covers in order to protect student records.
FERPA Rights and Requirements
The educational rights outlined by FERPA are as follows:
- Parents and eligible students have the right to access and view the student’s education records at any time, free of charge (schools are not required to provide copies of the records and may charge a fee for a copy).
- Parents and eligible students can request corrections to records they deem inaccurate or misleading. If the school does not comply, the parents or eligible student can request a formal hearing. If this is unsatisfactory, parents or eligible students can add an explanatory statement to the record.
- Schools can release education records with written permission from parents or eligible students.
However, FERPA allows schools to release information from student records without written consent to certain parties, including officials involved in health and safety emergencies and other schools to which a student will transfer. The information that may be released this way is referred to as directory information (name, address, phone number, date of birth, attendance records). The parties to which the school may disclose such data without written consent include:
- School officials (with legitimate educational reasons)
- Specified officials for audit or evaluation purposes
- Financial aid institutions
- Accrediting organizations
- Government officials with appropriate judicial orders or subpoenas
- Appropriate officials during health and safety emergencies
- State and local authorities within the juvenile justice system
What is an Education Record?
FERPA defines education records as records that are:
- Directly related to a student
- Maintained by the educational institution, agency, or a third party acting on its behalf
- In any format and medium, including paper, audio, and video
Exceptions include notes for personal use and student information created and maintained by law enforcement agencies.
How Educational Institutions Can Maintain FERPA Compliance
Because student information is a heavily targeted area for attackers, federal law also mandates educational institutions to uphold specific data security standards to protect student interests. Failure to comply with FERPA requirements can result in significant penalties through fines, employee suspension or termination, loss of federal funding, or disciplinary action from the US Department of Education.
NOTE: FERPA does not explicitly detail how schools should implement data and information privacy; the law is designed to protect student privacy through whatever means are necessary.
FERPA applies to all publicly funded schools receiving funds under an applicable U.S. Department of Education (DoE) program, typically among the following:
- Primary or public elementary schools
- Secondary or public middle and high schools
- Postsecondary institutions and higher education establishments, colleges, and universities
Private or parochial educational establishments below the postsecondary level are generally exempt, as they tend not to receive federal funding.
1. Follow Cybersecurity Frameworks
It can be helpful for educational agencies or institutions to aim for compliance and data privacy by following established cybersecurity frameworks, such as:
- NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
- CIS (Center for Internet Security) Controls
- International Organization for Standardization 27001 (ISO 27001)
- Control Objectives for Information and Related Technologies (COBIT)
These commonly used frameworks have helped other industries achieve the necessary information security compliance standards and can provide a roadmap for schools to protect student records and comply with FERPA and other student data privacy laws and regulations, including the Children’s Internet Protection Act (CIPA) of 2000 and the Federal Trade Commission’s (FTC) Children’s Online Privacy Protection Act (COPPA) of 1998.
Adopting these cybersecurity best practices can be key in helping educational establishments mitigate the security risks of cyber attacks, like phishing and ransomware, as well as data breaches and data leaks, including the disclosure of personally identifiable information (PII).
2. Install Firewalls, Antivirus, and Anti-Malware Software
Firewalls, antivirus, and anti-malware software are the first line of defense against malicious actors and software attempting to gain unauthorized access. Without these basic protections, schools risk putting student data in jeopardy and violating FERPA data privacy requirements.
Firewalls regulate all incoming and outgoing network traffic according to rules set by the network administrators. Without proper firewalls, devices and systems are completely exposed, which can put the entire school system at risk of a ransomware attack. Antivirus and anti-malware software add detection of, and protection against, malicious programs aimed at stealing data.
3. Conduct Risk Assessments
Risk assessments are the cornerstone of every cybersecurity audit and can help identify gaps in controls, processes, and IT security. This means all security policies regarding student data handling need to be reviewed and assessed on a regular basis to ensure that all teachers and staff understand the importance of protecting that data. Additionally, risk assessments can identify security risks in the school’s IT environment that may pose a risk to student data.
Many of the most common FERPA violations occur due to a lack of understanding of privacy laws and poorly communicated data policies from the school or school system. More importantly, risk assessments classify the most important data, the potential impact of a security breach, and compliance gaps that need to be resolved.
4. Encrypt All Data
Data encryption is one of the first data protection policies that all schools should implement. All personal data, whether in use, in transit, or stored (at rest), must be encrypted, especially if large numbers of physical devices are used. Encryption prevents criminals or unauthorized parties from accessing critical data without the proper decryption key.
Device theft or loss is a common problem for organizations in every industry, and the most common FERPA violations result from lost, unencrypted devices leading to data theft.
5. Implement Access Control
Access controls limit information access to authorized parties only. Unless a staff member or school official has a clear, legitimate reason to access student data, they are prevented from seeing it. Access control policies center on defining access through roles and assigning permissions based on each user’s role, which can prevent improper sharing of information between parties.
As a secondary measure for preventing unauthorized access or cases of stolen credentials, authentication processes should also be implemented to verify the identities of individuals requesting data access.
6. Monitor, Log, and Audit Network Activity
By logging all user activity on the school network, there is an electronic record of the type of data accessed, how many times it was viewed, when it was viewed, and who requested access. In the event of a data breach, this record helps IT teams determine where and when the entry point was and exactly which data files were compromised, and helps them plan damage control.
If a hacker successfully gains access to a school’s network, every minute that they roam freely can result in extreme loss of data. By monitoring network traffic activity, IT teams can quickly resolve issues and prevent threat actors from entering the system.
7. Provide Annual FERPA Updates
One of the main stipulations of FERPA states that stakeholders must receive annual updates of their FERPA rights, along with the option to opt out of data disclosures should they choose to. Under FERPA, parents and eligible students are considered “stakeholders” in public schools.
However, exceptions related to directory information still apply. If student data is disclosed to a third party, schools must notify the student or parent/guardian immediately.
Common FERPA Violations
Below are some of the most common FERPA violations involving improper sharing of private information:
- Failing to implement adequate data security programs
- Denying an eligible student or parent access to the student’s records
- Including protected student information on a mailing list or shared documents
Issues like these can occur due to lapses in judgment, absent-mindedness, or unawareness of the need for data protection. Continual training, security awareness, and vigilance are required to ensure that staff comply with FERPA requirements and that the institution avoids penalties and the potential loss of reputation caused by security errors with education records.
Penalties for FERPA Violations
The most significant penalty for non-compliance with FERPA is a ban from federal funding from the U.S. Department of Education. Before issuing this penalty, however, the Department of Education’s Family Policy Compliance Office (FPCO) would most likely investigate and offer the organization the possibility of coming into compliance.
The FPCO typically gets involved following a complaint or self-reporting by the school, college, or university. The FPCO focuses on voluntary compliance and tends to be diplomatic, offering organizations advice and opportunities to fix their mistakes.
If this approach fails, however, and an educational organization refuses to cooperate, the FPCO may try the following measures:
- Cease and desist orders
- Freezing federal funding
- Removing eligibility for federal funding
- Employee and school investigation