If You’re Not Using MFA, You’re Not Complying with Educational Data Protections

Health data and financial data are often at the center of data security discussions. Often forgotten but no less important in this discussion is educational data generated by students, which in the US and Canada is also subject to regulation.

What are the requirements for the protection of this kind of data in North America? Let’s take a look.

Educational Data in the US: FERPA

In the United States, educational records held by any organization receiving federal funds are governed by the Family Educational Rights and Privacy Act (FERPA).

In today’s world of digital teaching and digital testing, educational data is also subject to regulation and protection. © Pixabay / Pexels

Virtually every primary, secondary, and postsecondary educational organization in the country is bound by FERPA, along with countless companies that work with or support such organizations.

Because FERPA dates to 1974, it isn’t particularly technology-centric, but that doesn’t mean it has nothing to say about security—or about the measures required to protect electronic data. And amendments since its implementation have continued to add detail.

What FERPA Says

FERPA requires explicit, recorded consent for the transmission or release of any personal educational data. Organizations should require multiple forms of identification either when releasing or transmitting records in person or when electronic accounts are first created.

How about subsequent logins, after an account is created?

More recent amendments to FERPA in 34 CFR § 99.30  specify that electronic consent for the release of data is acceptable if an electronic "signature" and its accompanying record:

  • Identify and authenticate a person with standing to release or transmit such data as the source of the electronic consent

  • Indicate such person's approval of the information contained in the electronic consent

To comply with FERPA, in other words, educational data custodians must authenticate the established identity of the person logging in to and using the electronic system in question.

The US Department of Education (DoE) further says that such organizations "must have procedures in place to establish the same level of identity authentication assurance" (emphasis added) required for non-electronic delivery.  

Multiple forms of strong ID are required when data is released in person, and the US DoE says the same requirement applies online.

FERPA: Yes, It Effectively Requires MFA

Given that students, families, and workers are generally required to present multiple forms of identification when accessing records in person, the DoE says that under FERPA, "[s]ingle-factor authentication may not be reasonable…for protecting access to highly sensitive information."

Instead, the use of "multiple authentication factors of different types" is strongly recommended, particularly "authentication factors that are harder to guess or falsify." DoE refers organizations to NIST 800-63  for guidance on digital identity authentication.

As we outlined in Plurilock's™ 2019 Authentication Guidelines,  NIST 800-63 makes the following recommendations for authentication:

  • The use of strong-and-long passwords like passphrases

  • Adding to these true out-of-band multi-factor authentication (MFA), rather than SMS codes or other in-band MFA

In plain talk?

For all practical purposes, in the US educational logins and the records that they contain need to be protected by strong, out-of-band MFA for FERPA compliance.

If your organization is a custodian of educational data for an institution that receives any federal funding, this means you.

Educational Data in Canada: PIPEDA, FIPPA, and Other Acts

The picture for educational data is somewhat murkier in Canada than it is in the US, but a careful reading leads to similar conclusions.

PIPEDA is fairly clear about electronic data security practices but has been held by the Office of the Privacy Commissioner (OPC) of Canada to apply only to commercial activity.  Educational institutions or custodians of educational data that hold this data in the course of commercial activity are subject to the PIPEDA guidelines we've previously discussed.  

But what about non-commercial educational data, activity, and organizations? In that case, the OPC defers to provincial regulations. The most consequential of these is the Freedom of Information and Protection of Privacy Act (FIPPA), which governs this kind of data in Ontario and British Columbia.

In Canada, the release of educational data is based on identity. For compliance, you need to be able to authoritatively identify the right person—and exclude the wrong ones. © Pixabay / Pexels

The Importance of Reading Between the Lines

FIPPA does not make particular reference to authentication practices. However, it outlines cases in which disclosure of such information is permitted.  For example, personal data may be disclosed to:

  • "[T]he person to whom the information relates"

  • "[A]n officer, employee…or agent of the institution…in the performance of their duties"

  • To law enforcement agents or organizations for law enforcement purposes

  • To various outlined government figures with legitimate access purposes

This is a subset of the cases outlined in which disclosure is permitted, but the key thing to note about all of them is that they are based on the identity of the party requesting disclosure.

The right people may access the data in question; others may not.

Educational Data in Canada: Yes, MFA Is Required

There are over 773 million sets of credentials already circulating freely on the dark web,  and the vast majority of data breaches currently result from compromised credentials.  

Nearly a billion sets of stolen credentials freely circulate on the dark web. Usernames and passwords are no longer enough to establish identity. © panumas / Pexels

What this means in the real world is that identity simply isn't established by usernames and passwords alone. That someone at a login prompt can provide a "legitimate" username and password combination in no way authenticates the identity of that someone.

Given that both PIPEDA and FIPPA are explicit about the protection of data against disclosure except to particular identified individuals, and that identity can't practically be established in today's world by using usernames and passwords, there is only one reasonable conclusion about compliance.

In Canada today, both PIPEDA and FIPPA both effectively require the use of strong MFA for clear educational data privacy compliance.

Don't be fooled by the fact that MFA isn't explicitly mentioned—any reasonable interpretation of the acts in light of today's cybersecurity landscape leads to the aforementioned conclusion.

The Wiggle Room Is in Implementation

None of the acts in the US or Canada spell out the particular technologies that are to be used to protect educational data from unauthorized disclosure—that is left as an exercise to organizations themselves.

For this reason, there is room for organizations to find authentication technologies that suit their workflows, needs, and practical constraints. A wide variety of options exist,  including affordable solutions like Plurilock that require no additional hardware and impose no new workflows or delays on users.  

Regardless of the solution that your organization selects, the basic reality is clear—in North America, if you're the custodian of educational data, you need to be using MFA for data privacy compliance. ■

See Plurilock in action