Data Security Julie D. Wilson Sr Data Security Julie D. Wilson Sr. ERP Financial Aid Analyst Dynamic Campus TASFAA 2019

AGENDA Overview of Graham-Leach-Bliley Act (GLBA 2002) and General Data Protection Regulation (GDPR, May 2018) Who needs to be concerned about data security? What data needs protecting and where is it? What are the requirements? Why is this coming up now? What constitutes a data breach and how to handle them? Planning and Implementation Resources. TASFAA 2019

Graham-Leach-Bliley Act (GLBA 2002) Because FA administers the Direct Loans, IHEs are subject to the GLBA. The GLBA requires the following: Designated person or group to coordinate security program. Identify reasonably foreseeable internal/external risks to data security. Control risks identified and regular testing of controls. Take reasonable steps to select service providers who adhere to security safeguards. TASFAA 2019

General Data Protection Regulation (GDPR) GDPR is NOT required for compliance here. However, if you have international students from European countries, compliance is required beginning May 2018. Encryption methods on servers, storage, media, networks. Strong key management Adhere to the students’ ‘right to be forgotten’ Verify legitimacy of user identities and transactions. Ensure data accuracy. Minimize student identity exposure. Implement data security measures. TASFAA 2019

Who Needs to be Concerned About Data Security? President, VP, Senior Administration, Board CIO/CISO Registrar, Financial Aid, Finance Faculty, Staff, Students EVERYONE! Your president and everyone with access to COD, NSLDS, FAA, and CPS agrees to adhere to GLBA on the PPA and every time you log in to these systems. TASFAA 2019

What data needs to be protected? Personally Identifiable Information (PII) Full Name Date of Birth (DOB) Social Security Numbers (SSN) Bank Accounts Any data elements that when combined can be linked back to a specific person. TASFAA 2019

Where is data that needs protecting? Systems: SIS, ERP, Data Management Paper and Imaged Files Forms and Applications Reports Transmissions Identification Cards Paper checks, credit cards, statements Check Stubs, W2s, 1098s Desks, phones, emails, etc. TASFAA 2019

Why Now? At the 2017 FSA Conference it was announced that as part of the annual A133 audit for 2018, IHEs must include the Data Security Assessment Report. The report must include the following: Identify the person/group responsible for data security program. Identify reasonably foreseeable internal/external risks to data security via formal documented risk assessments of employee training/management; information systems, storage, transmission, and disposal; detection, preventing, and responding to attacks. Control risks identified and regularly test/monitor effectiveness. Ensure that servicers have a security program. TASFAA 2019

Identify the Person/Group for Data Security Program GDPR requires that ONE person at the senior administration level be responsible for Data Security. Group/Team should include: Financial Aid, Records/Registrar, Institutional Research, Information Technology, AR, HR. Whoever has access to sensitive data. Produce Data Security Assessment Report of issues found. Enforce data security protocols. TASFAA 2019

Identify Risks to Data Security Common risks: Community printers: Can items be printed from the history? Personal devices with institutional email, data, reports, etc. Insufficient security classes in Colleague, imaging, etc. Insufficient controls for internal/external networks. Password sharing. Paper files. TASFAA 2019

Control Risks Identified Perform penetration tests and correct issues identified. Training to reduce and eliminate user scams (phishing attacks, password sharing, etc.) Develop security classes to make data ‘need to know.’ Employ automatic log out on campus computers. Develop policies and procedures to address personal devices, institutional information, document destruction, etc. Employ mandatory training for all users. Include students in any data security plan. TASFAA 2019

Ensure Servicers Have a Security Program Third party services must be GLBA compliant. Shred companies, debit cards, bookstore, cafeteria, etc. Review the contract: Does it address data security protections. Are they insured for breaches? How will they notify you of a breach? If they have a breach, you’ve had a breach! Report it! TASFAA 2019

Reminder about ‘Red Flag’ rules? FTC Identity Theft Red Flag Rules (2007) Detection of Identity Fraud/Theft Prevention of Identity Fraud/Theft Response to suspected Identity Fraud/Theft TASFAA 2019

What is a Data Security Breach? GLBA defines a breach as data: Disclosure Misuse Alteration Destruction Other compromise of data/information No minimum record count. Applies to all records, electronic and paper. Storage, transit, and processing. Your third party vendors (if they had a breach, you had a breach). TASFAA 2019

TASFAA 2019 Breach Reporting SAIG agreement requires breaches be reported ON THE DAY OF DETECTION or SUSPICION. No minimum number of files. Not just electronic files. Report first, investigate further after. DOE can levy fines of up to $54,789 per violation if the IHE does not comply with self-reporting requirements. Million dollar liability insurance covers approximately 18 compromised records not reported. TASFAA 2019

TASFAA 2019 Resources FTC Red Flag Rules https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red- flags-rule-how-guide-business Federal Student Aid Cybersecurity Compliance Information https://ifap.ed.gov/eannouncements/Cyber.html FSA Postsecondary Institution Data Security Overview & Requirements https://fsaconferences.ed.gov/conferences/library/2017/2017FSAConfSession37.ppt 16 CFR 314.4 (b) https://www.gpo.gov/fdsys/pkg/CFR-2003-title16-vol1/pdf/CFR-2003-title16-vol1- sec314-4.pdf TASFAA 2019

Questions TASFAA 2019

Thank you. Julie D. Wilson Sr Thank you! Julie D. Wilson Sr. ERP Financial Aid Analyst Dynamic Campus Julie.Wilson@dynamiccampus.com TASFAA 2019