Educause Security Discussion mailing list archives

Re: GLBA: How are you handling it?


From: Jarret Cummings <jcummings () EDUCAUSE EDU>
Date: Thu, 6 Jun 2019 22:03:15 +0000

Thanks, Mark, for flagging FSA's FAQ on this, which appears to have been posted a couple of weeks ago. I'm not sure why 
Department of Education (ED) and/or FSA reps. didn't communicate with us about this in advance, but the good news is 
that the FAQ specifically excludes the example Joey's service provider identified from what FSA considers a reportable 
incident:

We recently heard in an FSA conference session that we can no longer accept faxed or emailed copies of taxes or tax 
transcripts. Is this the case? Are we permitted to accept such documents via a student's school email account?

A data breach could be created if a student or parent sends PII or SPII via unsecure means, which would allow PII or 
SPII to be accessible by individuals who do not have a need to know... However, at this time, this type of data breach 
does not need to be reported as an institutional data breach to FSA.

That said, the FAQ reintroduces a number of points of concern that we had previously addressed with FSA, such as the 
concept of reporting "suspected" data breaches. We have reached out to ED about revisiting these problems and will 
report back once we have more information to share. - Jarret

_______________________________________________
Jarret S. Cummings
Senior Advisor, Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | educause.edu<http://www.educause.edu/>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mark Purcell
Sent: Thursday, June 6, 2019 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GLBA: How are you handling it?

I believe the following Department of Education FAQ echoes Jarret's comments: 
https://ifap.ed.gov/eannouncements/attachments/CyberFAQ.pdf

Mark

Mark Purcell
Executive Director of IT Security and Compliance
La Salle University
1900 W. Olney Ave., Philadelphia, PA 19141-1199
215-951-1582

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jarret Cummings
Sent: Thursday, June 6, 2019 12:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GLBA: How are you handling it?

Hi, Joey - I believe the vendor is relying on outdated information that EDUCAUSE contested in formal comments to FSA in 
January 2018. In the fall of 2017, the then-cybersecurity senior advisor for FSA had distributed letters to some 
institutions with a very expansive interpretation of a breach reporting requirement in the agency's Student Aid 
Internet Gateway Agreement, which the letters then tried to tie to a very expansive interpretation of the agency's 
Safeguards Rule compliance requirement as presented in its Title IV Program Participation Agreement.

The analysis we shared with FSA showed that these interpretations were fundamentally flawed and not backed by any 
formal guidance by the agency. We then asked FSA to provide such guidance and asked it to work with our community in 
doing so.

Since that time, new leadership at the agency has taken a more targeted and collaborative approach to working with 
institutions to resolve specific concerns as needed. To the best of our knowledge, those have not involved any of the 
overly broad interpretations of breach that the agency had asserted in its prior letters.

In the meantime, we have had constructive conversations with FSA about the potential for collaboration, although a 
process hasn't yet been initiated. We remain hopeful, though, that we will get to formal, public guidance, and that 
such guidance will be developed in cooperation with experts from the EDUCAUSE community.

If your institution does receive a communication from FSA asserting a reporting requirement based on a novel 
interpretation of breach, please let me know to the extent you are able to. I would be surprised if that happened, but 
I would want to fold that into our dialogue with FSA if something like that did arise. - Jarret

Jarret S. Cummings
Senior Advisor, Policy and Government Relations
EDUCAUSE
Direct: (202) 331-5372
jcummings () educause edu
www.educause.edu
Uncommon Thinking for the Common Good
________________________________
From: Joey Rego <regoj () LYNN EDU>
Sent: Thursday, June 6, 2019 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] GLBA: How are you handling it?

Hi Everyone,

We are looking for some feedback on GLBA. We recently were told by a vendor that under the GLBA Compliance for Title 
IV SFA Program the following scenario would be considered a breach and the university would be responsible for 
notifying the DOE within 24 hours.

* Does this seem correct?

* If so, how are you handling this specific scenario?

* How are you handling sensitive information in the body of emails or files being shared from parents or 
students?

Consider this - has a parent ever sent your institution an unencrypted copy of their tax return in an email? Did you 
know that qualifies as a reportable breach under the regulations? Unreported breaches may also be subject to 
significant fines.

Any insights on your approaches would be appreciated.

Thank you

Joey Rego
Associate Director of Information Security
Information Technology
Lynn University
3601 North Military Trail
Boca Raton, FL 33431
T: +1 561-237-7982
jrego () lynn edu
+1 561-237-7000 | lynn.edu | give.lynn.edu

Beware of Phishing and Spam
https://www.lynn.edu/news/2019/beware-of-phishing-and-spam

Protect your data and your presence online. Learn more.
http://staysafeonline.org/data-privacy-day/privacy-tips/
Remember!
Lynn University IT Support Personnel will never ask for your password as part of any support interaction.
