The Catholic University of America


Welcome to the security issues page:


NACUANOTES:  Key Issues in Managing Data Breach Risk In Higher Education:Practical Tips for Before, During and After, By Sandra Brown and Scott Schneider, Oct. 12, 2018.

Educause Letter to the Department of Education's Office of Federal Student Aid on Data Breach notification and Information Security Reporting, Jan. 30, 2018-Calls into question DOE authority for guidance referenced below. 

IFAP FAQ about Cybersecurity Compliance

The Student Aid Internet Gateway (SAIG) Agreement requires that as a condition of continued participation in the federal student aid programs, PSIs report actual data breaches, as well as suspected data breaches. Title IV PSIs must report on the day that a data breach is detected or even suspected. The U.S. Department of Education (the Department) has the authority to fine institutions—up to $54,789 per violation per 34 C.F.R. § 36.2 —that do not comply with the requirement to self-report data breaches.

The Department has reminded all institutions of this requirement through Dear Colleague Letters
 (GEN 15-18, GEN 16-12), electronic announcements, and the annual FSA Handbook.

Duane Morris article titled Schools Must adhere to Cybersecurity Regulations or Risk losing Title IV eligiblity (Sept. 14, 2017)

At the end of 2017, the Department of Education announced that it would be requiring insitutions of higher education to report any security breach of personally identifiable information. The Department is taking this position under Title IV Program Participation Agreements (which include Gramm-Leach-Bliley Act commitments) and Student Aid Internet Gateway agreements. A recorded session presented at the Federal Student Aid Conference in Nov-Dec. 2017 is online. The presenter is Tiina K.O. Rodrigue. (spelling not a typo) The power point can be found at item 37 in the program link.

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Information: May 11, 2017

EDUCAUSE Cybersecurity Initiative Page*