Data Security: K-12 and Higher Education

The Department of Education is committed to helping the education community better safeguard the security of student data in schools at all levels. While FERPA does not require institutions to adopt specific security controls, it does require the use of “reasonable methods” to safeguard student records (34 CFR § 99.31). Despite this requirement, hundreds of educational data breaches happen every year. Not only does the disclosure of this information potentially violate FERPA, but disclosures can expose students to a host of negative consequences such as identity theft, fraud, and extortion.

This page is a portal to recent PTAC guidance and best practice resources for the educational community to use to enhance the security of their information systems. While these resources are principally geared to K-12 agencies and institutions, the security principles are the same regardless of grade level. Post-secondary institutions should refer to the FSA Cyber Security page for additional requirements.


In the Enterprise


Data Security and Management Training: Best Practice Guidance

Identity Authentication Best Practices

Data Destruction Best Practices

Data Security Checklist

Data Security Threats: Education Systems in the Crosshairs


Online Apps & the Cloud


Protecting Student Privacy While Using Online Educational Services

Protecting Student Privacy While Using Online Educational Services: Model Terms of Service

Cloud Computing FAQ


Title IV Participating Institutions are subject to Gramm Leach Bliley Act (GLBA) data security requirements and, pursuant to the Participation Agreement, are required to report data breaches to FSA. Information specific to these requirements can be found on the FSA Cyber Security page

Cyber Advisory - New Type of Cyber Extortion / Threat Attack

W 2 Phishing Scam

What Parents Need to Know about their Student's Data