Education Department reminds colleges of deadline for following cybersecurity rules

Higher-education institutions that handle federal financial aid data have until early June to comply with federal rules for protecting privacy and personal information, the Education Department noted this week.

The announcement by the Federal Student Aid office refers to recent updates to the Gramm-Leach-Bliley law, which governs a broad range of financial activities. Parts of the law — especially rules created for safeguarding customer information — apply to colleges and universities that receive data related to federal student aid programs.

The June 9 deadline applies to requirements such as the creation of "a written, comprehensive information security program" that also designates an official for overseeing and enforcing the institution's information security.

Other mandates include risk assessments and "implementation of safeguards to control the risks," as well as processes for testing safeguards and ensuring staff "are able to enact the information security program." Institutions with more than 5,000 students must establish an incident response plan.

U.S. higher-education institutions have been big targets for ransomware gangs that steal data and make extortion demands. This week New York's Mount Saint Mary College reported an attack, saying that it had called in experts to help and paid for free credit monitoring and identity theft protection for anyone affected.

At least 35 colleges and universities in the U.S. were hit with ransomware in 2022, including North Carolina A&T University, Florida International University, Savannah College of Art and Design and North Idaho College. One school — Lincoln College in Illinois — was eventually forced to close due in part to the chaos caused by a ransomware attack.

The federal announcement also includes guidance on specific technologies, telling institutions to protect data "by encrypting customer information while it is in transit outside its systems or stored on its system and by implementing multi-factor authentication for anyone accessing customer information on its systems."

The department had previously announced that it would conduct annual compliance audits after the deadline. "Repeated non-compliance by an institution or a servicer may result in an administrative action taken by the Department, which could impact the institution’s or servicer’s participation" in federal student aid programs, the latest advisory said.

Jonathan Greig contributed to this article.