FERPA Compliance

A Guidance to Complying with FERPA

By Vijay Krishna
Published : 28 April, 2021 | Last Modified : 24 May, 2021 | Resource


Compliance is definitely a great deal for most of the companies that handle money. If an online bank couldn’t follow certain rules to become a PCI compliant, they risk losing clients, a bad reputation, and mounds of paperwork to clean up the mess. However, compliance is not only a big deal for financial services. In fact, it is even more important for organizations in other industries, due to professionals’ lack of awareness towards it. Without having a thorough understanding of the industry-specific compliance regulations, there is a chance that you or one of your employees may be violating the rules.

“In education, the federal Family Educational Rights and Privacy Act (FERPA) addresses institutional responsibility where student information is concerned,” said Clifford A. Ramirez, author of FERPA Clear and Simple. “Violations occur when unauthorized disclosures of specific student information occur—whether initiated by a school official or the result of a breach in the institution’s technological systems. The resulting consequences of unauthorized disclosures may be costly for both the institution and for the individuals whose information was released. While FERPA prescribes federal investigations of school policies and procedures in response to a complaint or alleged violation, state and local laws may provide additional requirements, such as specific protocols on notification and for ensuring that identity theft protection services are offered to those affected. And, finally, studies have yet to examine the personal and psychological impacts on the individuals who may have been adversely affected by the unauthorized disclosure of their education records. All the more reason for institutions to ensure that appropriate security measures are in place in every facet of its human, property, and electronic operations.”

Compliance is especially important for education institutes because even tiny and unintentional activities from employees can cause serious consequences that might result in a lawsuit. Think about this situation: you, as a school employee that handles student records, someday unintentionally leak a student’s GPA to your friends. According to Family Educational Rights and Privacy Act (FERPA), one of the most important privacy regulations in the education sector, you might face some serious civil lawsuits.

Read this guide carefully to help you understand the ins and outs of compliance in the education area.

PART 1: Background and Statistics on Data Breaches in the Education Sector

SECTION 1 Data Breaches and Compliance in the Education Sector

The education sector has always been vulnerable to all kinds of data breaches, and that’s why our government sets up various mandatory regulations to help institutes protect their data. To help you understand the severity of information security issue in education institutes, below are three important facts that you need to keep in mind:

  • 35% of all security breaches take place in higher education institutes.
  • In 2005 – 2014, there were over 700 data breaches involving education institutes, exposing more than 30 million records to hackers. What’s more, in 2005 – 2014,, 551 breaches were made by colleges and universities, meaning over one breach happening per week.
  • The average cost per breached record in an educational environment is $142, making an average cost in every data breach in the education sector roughly $4 million.

More data about information breaches in educational organizations could be found in this infographic by SysCloud, highlighting the facts that you need to know and some initiatives you can take to avoid data breaches:

Knowing these facts, you should now be able to understand how important it is to comply with all the mandatory federal regulations in hope of avoiding unfavorable consequences and creating a secure environment for all sensitive and proprietary data in your institution.

However, compliance is never easy to work for most of the organizations. There are a lot of federal regulations and laws that educational organizations need to respond to, making compliance almost a headache for many institutes. In fact, meeting compliance standards (such as FERPA) ranks the third among all challenges that higher-education IT professionals have to face.

But don’t worry, every challenge could be broken down and accomplished through several steps. Below will be a brief introduction on some of the most important regulations in the education sector — with a focus on FERPA — followed by the consequences of non-compliance and a guidance on ensuring compliance in the education sector.

SECTION 2 What is FERPA and The Cost of Non Compliance

FERPA is one of the most important federal regulations in the education sector, aiming at protecting the privacy of students and their parents. FERPA requires that all institutions funded by the federal government under programs administered by the U.S. Department of Education comply with certain rules and procedures with regard to maintaining and disclosing the student’ educational records, including GPA, enrollment and even billing information. The act gives parents and students over 18 years old access to perspective educational records, the power of requiring amendments in these documents and also some control over the disclosure of information from the records. In most of the cases, the school must have the parent’s or the student’s consent before it releases the education records to any other third parties.

You should be able to find the latest update on FERPA on the website of the U.S. Department of Education: http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Failing to comply with FERPA can cause serious consequences. First of all, an educational institution that fails in FERPA compliance may forfeit its federal funding. What’s more, several states would also impose a monetary penalty on the Institute for the disclosure of the private information.

Secondly, given the fact that over 30% of security breaches in colleges are caused by unintended disclosure, the overlook of student privacy may result in serious information leakage that will potentially cause great financial loss and lawsuits.

Thirdly, failure in FERPA compliance can also have a negative influence on the reputation of the institute, which could further result in a loss of alumni donations and even a reduction in the number of students applying to or attending the institution.

All of these unfavorable consequences could be avoided by conducting internal employee education on FERPA and deploying a comprehensive IT solution to accomplish day-to-day monitoring and evaluation. Both of these initiatives would be talked about in details in the following part of this book.

PART 2: A Guidance on Compliance in Educational Organizations

SECTION 1 The Five-layered Compliance Framework Model for IT Professionals

As mentioned in Part 1, education institutions increasingly need to comply with many different federal and state regulations focused on data protection and privacy. To avoid the potential overlap of efforts in meeting these requirements, an institute could implement a university-wide IT compliance framework to ensure the compliance at a high level with various applicable federal and industry regulations including FERPA, HIPAA, FISMA, and others.

To help IT professionals develop the most suitable compliance deployment for institutions in different scales and with various demands, the Information and Communication Technologies department at New Mexico State University developed a five-layered IT compliance framework model in 2012 to provide educational organizations with a short checklist to identify essential gaps in meeting major regulations and ensure that compliance could be executed correctly at a university-wide level.

The model focuses on five essential compliance requirements that should be addressed in almost all regulations, helping institutions to quickly discover loopholes and determine what kind of modification should be made in current policies to meet compliance requirements. Below are the five requirements mentioned in the model:

  • Formal designation of Information Security Responsibility
  • Establishment of an Information Security Program
  • Development of IT policies and procedures
  • Ongoing Monitoring/Incident Handling/Compliance
  • Development of a Training and Awareness Program to ensure that employees are aware of their responsibilities and data security practices that relate to privacy threats

In this model, both appointing a chief information security officer and set up an information security program is closely related to the institute’s human resources policies and thereby will not be elaborated in this ebook. Instead, the following sections will focus on providing some tips and tricks for IT professionals on how to create proper IT policies and develop ongoing compliance monitoring systems, as well as providing suggestions on what to do to increase employee awareness and regulate their behaviors to avoid violations of regulations.

SECTION 2 Five Tips and Tricks for IT Professionals

Although different educational organizations may have different IT systems and requirements regarding compliance, below are five basic tips and tricks that are universal to almost all institutions, helping them to find the right direction of customizing their own compliance plans.

  • Set up a compliance team to identify all regulations and make a checklist of specific behaviors needed to be monitored: Compliance is not a one-day work, it requires continuous monitoring and evaluations. To make sure that the compliance issue is taken good care of, educational organizations should set up a professional team in the IT department to deal with all related regulatory checks and daily monitoring. This team, once being set up, should first identify all regulations and make a checklist based on these regulations to keep track of all behaviors needed to be monitored, such as the file exchange, file upload, information retrieval and so on.
  • Find vulnerabilities through security scans: Most of the educational organizations have a huge library of student records and sensitive documents that are stored in the cloud. There are chances that some of the databases in the cloud are not well-protected. These databases may then become loopholes and vulnerabilities in a cyber attack. Software on the market today can identify possible risks of data exposure and noncompliance. After running a security scan and finding these vulnerabilities, it’s important to take corrective action immediately.
  • Build compliance monitoring mechanisms: The threat of data exposure and violations to compliance is around 24/7. Therefore, an effective way to ensure compliance is building a monitoring mechanism to secure organization assets. A good monitoring mechanism should meet three requirements below: 1) It should be able to run in the background so that it causes zero burdens to the IT system and will not interrupt the operation of any software running in the foreground. 2) It doesn’t only take care of the data itself, but also keeps an eye on employee behaviors that might threaten information security. 3) It should be easy to use and also compatible with other major analytics applications so that IT professionals are able to execute seamless integration among different software.
  • Always remember to back up your files and data in the cloud: One of the major causes of insider data breaches is the disposal of used tapes and hard drives. Therefore, when documenting files, institutions should try to backup important information in the cloud, instead of keeping it on physical devices. There are already many cloud security solutions on the market that institutions can choose from to secure all activities in cloud apps.
  • Conduct Regular Assessment and Update to Improve Security Plan: Regulations like FERPA can change in order to counter the increasingly rampant cyber attacks. Therefore, it’s important for institutions to conduct regular assessment and update of the information systems to improve its security plan and comply with the latest regulations.

SECTION 3 Internal Employee Training and Education on Compliance

Developing and maintaining a secure IT system is not the only thing you need to do to achieve compliance. How to regulate the behaviors of hundreds or thousands of employees in educational organizations is another important topic for institutions to think about. A common way to address this issue is to impose a well-designed employee behavior regulation/policy/manual/checklist with an emphasis on information security and compliance.

Different organizations and different regulations all have specific requirements for employee behaviors. For example, below is a sample of the FERPA compliance checklist that you can refer to when setting up your own.


  • Never download unauthorized documents from random websites to avoid data breaches
  • Keep database passwords in a secure place
  • Remember to log out when leaving the workplace and don’t access the school database using an insecure network
  • Never share student information with unauthorized others or post this information in public places
  • Make sure to obtain signed and written consent from a student before releasing personally identifiable information (PII) to any employer, third party or resume referral database.
  • Advise students annually about their rights under FERPA
  • Conduct timely communications to students about the latest disclosure policy
  • Review and revise any third-party agreements to ensure such agreements comply with FERPA requirements
  • Keep in mind how the institution would respond to data breaches or unauthorized disclosure and make sure to follow the plan when an emergency happens

PART 3: Conclusion

“Compliance is a big deal.” After going through the whole book, you should at least have this notion in mind. For educational organizations specifically, ensuring that you meet all federal regulatory requirements doesn’t only help you avoid all fines, lawsuits, and other unfavorable consequences, but also shows a sincere, honest and caring attitude towards thousands of students and parents who choose you and trust you all the way.

Therefore, all educational organizations should understand their obligations and create a comprehensive security plan to address compliance concerns, ensuring that every student record is protected from unauthorized access.

The guidance in this book gives you all the basic facts and information you need to customize your own compliance plan. Please make sure that you take good use of this book and avoid headaches and potential lawsuits to compliance violations.