Educause Security Discussion mailing list archives

Dept of Edu Letters


From: "Hudson, Edward" <ehudson () CALSTATE EDU>
Date: Thu, 7 Dec 2017 19:33:19 +0000

Interested in institutions' response to the DoE taking an increasingly broad interpretation of breach reporting obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly included insistence that

1. ALL (broadly defined) "breaches" be reported "immediately" (i.e. within a day)

2. an announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to 54,789) for each violation.


On a read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates the financial sector) is to ensure the security and confidentiality of student financial aid records/information only, and the data breach notification requirements relate to that subset of information only, not all PII. But it sounds like the DoE is now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my view, very heavy-handed and threatening, and stemmed from a random media post, not from an actual incident.

Would like to talk offline to anyone who has had to go through this process with the DoE.


Best


Ed Hudson

Interim CISO 

401 Golden Shore

Long Beach, CA 90802

Tel 562-951-8431

ehudson () calstate edu


I subscribe to e-mail classification: i=Information, a=Action, u=Urgent
