The office isn’t effectively monitoring cyber protections after it shares student information, including with collection agencies.
The Education Department office that oversees student loan issues isn’t effectively monitoring cybersecurity vulnerabilities among the third parties it shares students’ personal information with, including collection agencies, according to a watchdog report released Monday.
In general, the Federal Student Aid office is most closely monitoring the security of collection agencies and third-party servicers of federal student loans, according to the Government Accountability Office report.
The office is exercising less oversight over private student loan providers, such as banks and credit unions, and over guaranty agencies that insure student loans, the report found.
The report breaks down four “key practices” for protecting students’ personal information: mandating that those third parties have privacy and security controls in place; independently ensuring those controls are implemented and effective; mandating fixes when security weaknesses are identified; and conducting ongoing monitoring to make sure security and privacy controls stay in place.
The student aid office got spotty marks all around for ongoing monitoring of security and privacy controls, but those marks were worst for guaranty agencies and nonfederal lenders.
When it came to nonfederal lenders, in fact, the office has done little more than establish high-level security requirements. The office isn’t independently assessing whether lenders are instituting those requirements or mandating any fixes when they fail to do so, the report said.
“Because it exercised minimal oversight over [nonfederal] lenders, FSA has limited assurance that they are protecting student aid data consistent with the agency’s requirements,” the report said.
The student aid office claimed in a response to the report that it lacked the legal authority to vet private lenders’ privacy and security controls.
GAO replied that the student aid office could vet those controls without new legal authorities simply by reviewing compliance audits that are already being gathered by other federal agencies.
In the case of federal loan servicers and collection agencies, the student aid office is making assessments of privacy and security controls and mandating some fixes, the office said.
The office is allowing those servicers and collection agencies to do their own continuous monitoring for vulnerabilities, however, and does not have a timeline for when they will be signed up for the office’s own continuous security monitoring program.
The report includes six recommendations to increase cybersecurity requirements for organizations that handle students’ personal information and to raise federal monitoring for how organizations implement those requirements.
In addition to disagreeing with the recommendation to monitor nonfederal loan providers’ security, the student aid office also only partially agreed with recommendations to continuously monitor guaranty agencies’ security and to impose additional security requirements in agreements with nonfederal lenders.