CIPP/US Study Guide
Chapter 10: Education Privacy

Cybersecurity Requirements in Education

FERPA expects reasonable security but specifies no particular controls; the GLBA Safeguards Rule applies to universities holding financial aid information as financial institutions; and state laws like California's SOPIPA and New York's Education Law 2-D (NIST-based) plus all-50-state breach-notification laws add requirements.

FERPA: reasonable, but unspecified

Under FERPA, schools must take reasonable security measures, but FERPA does not require specific security controls. Data breaches are not explicitly addressed but can lead to FERPA violations and Department of Education investigation.

The Department of Education has reminded universities holding financial aid information that they are covered by the Gramm-Leach-Bliley Act as financial institutions. The GLBA Safeguards Rule requires maintaining an information security program, conducting risk assessments, and selecting service providers that maintain appropriate safeguards. Schools are also encouraged to implement the NIST Framework.

State cybersecurity examples

Law                          | Requirement
California SOPIPA            | Edtech companies must ensure reasonable security measures for student data
New York Education Law 2-D   | School districts must adopt cybersecurity policies adhering to the NIST Cybersecurity Framework
All 50 states                | Have enacted data breach notification laws (check whether schools are covered)

Key terms - quick answers

What is “GLBA Safeguards Rule”?
The Gramm-Leach-Bliley Act rule requiring financial institutions to maintain an information security program, conduct risk assessments, and oversee service providers; applies to universities holding financial aid information.
What is “NIST Framework”?
The National Institute of Standards and Technology cybersecurity framework that K-12 schools and universities are encouraged to follow.