Education Department Updates Rules and Criminal Penalties for Accessing Agency Data

The Education Department is rolling out new rules for accessing and handling agency data by third parties—including students, parents and loan companies—with updated criminal penalties for anyone not following the new statutes.

The new rules intend to bring the department into compliance with the 2019 Stop Student Debt Relief Scams Act and the 2020 revision to the Higher Education Act of 1965, which “explicitly makes unauthorized access to the department’s IT systems and the misuse of identification devices issued by the department a criminal act,” according to a notice set to publish Friday in the Federal Register.

The update defines an access device as any “card; plate; code; account number; electronic serial number; mobile identification number; other telecommunications service, equipment or instrument identifier; or other means of account access that can be used alone or in conjunction with another access device to obtain money, goods, services or any other thing of value or to initiate a transfer of funds.”

These devices cannot be shared, “including through a power of attorney,” the notice states.

“No person or entity may access the department’s information systems for the purpose of assisting a student in managing loan repayment or applying for any repayment plan, consolidation loan, or other benefit authorized under title IV of the HEA, except as permitted under this ‘Acceptable Use of Systems,’” according to the update.

The notice defines the acceptable use of systems, including who may be deemed an authorized user: students, borrowers or parents; a guaranty agency, eligible lender or third-party agency acting on their behalf; or a licensed attorney representing one of these groups.

No matter which category a user falls into, “A person or entity may be granted access to the department’s information systems as an authorized user if the person or entity has a bona fide ‘need to know’ the information or data contained in the department’s information systems,” the notice states.

Once granted access, users will also be required to protect the data, including personally identifiable information and controlled unclassified information. Required protections include encrypting the data at rest—stored on any device or cloud—and in transit—such as over email—to “ensure the integrity and confidentiality of the information and protect against any reasonably anticipated security threats or unauthorized uses or disclosures of the information.”

All of these definitions are being established to clarify the criminal penalties for unauthorized access.

“A violator is subject to criminal penalties that include a fine of not more than $20,000, imprisonment for not more than five years, or both,” the notice states, “beginning one day after the date of publication of this notice.”

Users accessing agency IT systems will see a warning notifying them of the new regulations and that “usage may be monitored, recorded and/or subject to audit.”