Data Security: K-12 and Higher Education

The Department of Education is committed to helping the education community better safeguard the security of student data in schools at all levels. While the Family Educational Rights and Privacy Act of 1974 (FERPA) does not require educational institutions to adopt specific security controls, security threats can pose a significant risk for student privacy. Educational institutions should take appropriate steps to safeguard student records.  Breaches of educational data are common and can lead to a violation of FERPA, as well as to a host of negative consequences for students such as identity theft, fraud, and extortion.

This page is a portal to guidance and best practice resources for the educational community to use to enhance the security of their information systems. While these resources are principally geared to K-12 agencies and institutions, the security principles are the same regardless of grade level. Post-secondary institutions should refer to the FSA Cyber Security page for additional requirements.


In the Enterprise


Data Security and Management Training: Best Practice Guidance

Identity Authentication Best Practices

Data Destruction Best Practices

Data Security Checklist

Data Security Threats: Education Systems in the Crosshairs

FSA: Ransomware Fact Sheet 


Online Apps & the Cloud


Protecting Student Privacy While Using Online Educational Services

Protecting Student Privacy While Using Online Educational Services: Model Terms of Service

Cloud Computing FAQ


For Parents


A Parents Guide to Understanding K12 Data Breaches


Title IV Participating Institutions are subject to Gramm Leach Bliley Act (GLBA) data security requirements and, pursuant to the Participation Agreement, are required to report data breaches to FSA. Information specific to these requirements can be found on the FSA Cyber Security page

Cyber Advisory - New Type of Cyber Extortion / Threat Attack

W 2 Phishing Scam

What Parents Need to Know about their Student's Data

Security Best Practices