Educause Security Discussion mailing list archives
Re: GLBA: How are you handling it?
From: Jarret Cummings <jcummings () EDUCAUSE EDU>
Date: Thu, 6 Jun 2019 22:03:15 +0000
Thanks, Mark, for flagging FSA's FAQ on this, which appears to have been posted a couple of weeks ago. I'm not sure why Department of Education (ED) and/or FSA reps. didn't communicate with us about this in advance, but the good news is that the FAQ specifically excludes the example Joey's service provider identified from what FSA considers a reportable incident:

"We recently heard in an FSA conference session that we can no longer accept faxed or emailed copies of taxes or tax transcripts. Is this the case? Are we permitted to accept such documents via a student's school email account?

A data breach could be created if a student or parent sends PII or SPII via unsecure means, which would allow PII or SPII to be accessible by individuals who do not have a need to know... However, at this time, this type of data breach does not need to be reported as an institutional data breach to FSA."

That said, the FAQ reintroduces a number of points of concern that we had previously addressed with FSA, such as the concept of reporting "suspected" data breaches. We have reached out to ED about revisiting these problems and will report back once we have more information to share.

- Jarret

Jarret S. Cummings
Senior Advisor, Policy and Government Relations
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | educause.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mark Purcell
Sent: Thursday, June 6, 2019 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GLBA: How are you handling it?
I believe the following Department of Education FAQ echoes Jarret's comments: https://ifap.ed.gov/eannouncements/attachments/CyberFAQ.pdf

Mark

Mark Purcell
Executive Director of IT Security and Compliance
La Salle University
1900 W. Olney Ave., Philadelphia, PA 19141-1199
215-951-1582

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jarret Cummings
Sent: Thursday, June 6, 2019 12:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GLBA: How are you handling it?

Hi, Joey -

I believe the vendor is relying on outdated information that EDUCAUSE contested in formal comments to FSA in January 2018. In the fall of 2017, the then-cybersecurity senior advisor for FSA had distributed letters to some institutions with a very expansive interpretation of a breach reporting requirement in the agency's Student Aid Internet Gateway Agreement, which the letters then tried to tie to a very expansive interpretation of the agency's Safeguards Rule compliance requirement as presented in its Title IV Program Participation Agreement. The analysis we shared with FSA showed that these interpretations were fundamentally flawed and not backed by any formal guidance by the agency. We then asked FSA to provide such guidance and asked it to work with our community in doing so. Since that time, new leadership at the agency has taken a more targeted and collaborative approach to working with institutions to resolve specific concerns as needed.
To the best of our knowledge, those have not involved any of the overly broad interpretations of breach that the agency had asserted in its prior letters. In the meantime, we have had constructive conversations with FSA about the potential for collaboration, although a process hasn't yet been initiated. We remain hopeful, though, that we will get to formal, public guidance, and that such guidance will be developed in cooperation with experts from the EDUCAUSE community.

If your institution does receive a communication from FSA asserting a reporting requirement based on a novel interpretation of breach, please let me know to the extent you are able to. I would be surprised if that happened, but I would want to fold that into our dialogue with FSA if something like that did arise.

- Jarret

Jarret S. Cummings
Senior Advisor, Policy and Government Relations
EDUCAUSE
Direct: (202) 331-5372
jcummings () educause edu
www.educause.edu
Uncommon Thinking for the Common Good

________________________________
From: Joey Rego <regoj () LYNN EDU>
Sent: Thursday, June 6, 2019 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] GLBA: How are you handling it?

Hi Everyone,

We are looking for some feedback on GLBA. We recently were told by a vendor that under the GLBA Compliance for Title IV SFA Program the following scenario would be considered a breach and the university would be responsible for notifying the DOE within 24 hours.

* Does this seem correct?
* If so, how are you handling this specific scenario?
* How are you handling sensitive information in the body of emails or files being shared from parents or students?

Consider this - has a parent ever sent your institution an unencrypted copy of their tax return in an email? Did you know that qualifies as a reportable breach under the regulations? Unreported breaches may also be subject to significant fines.

Any insights on your approaches would be appreciated.

Thank you

Joey Rego
Associate Director of Information Security
Information Technology
Lynn University
3601 North Military Trail
Boca Raton, FL 33431
T: +1 561-237-7982
jrego () lynn edu
+1 561-237-7000 | lynn.edu | give.lynn.edu