
Oct 17 2024
Management

Is Maryland’s New Higher Ed Privacy Law a Harbinger of Things to Come?

Colleges and universities already take protecting student data seriously, but new regulations could turn accepted best practices into law.

With the fall semester in full swing, college students aren’t the only ones with homework to do. Higher education institutions in Maryland must comply with the state’s new privacy law, Maryland Code Title 10, Subtitle 13A, as of Oct. 1.

While this law is specific to Maryland, universities outside the state shouldn’t kick their feet up just yet. Many of this law’s requirements are considered data privacy and cybersecurity best practices and could become mandates across more states and perhaps nationally in the coming years.

Title IV universities must already comply with several federal laws concerning data privacy and cybersecurity, including the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA), to receive funding. However, many states are passing their own data privacy laws amid a rise in cyberattacks, especially in the higher education sector.


The new Maryland law, for example, requires higher education institutions to take actions to ensure sensitive data is properly collected, stored and protected. This isn’t revolutionary: At least 40 states already have one or more laws on the books related to student privacy, but many are currently focused on K–12. It’s only a matter of time before we see more of those laws extend to colleges and universities.

Below are some of the most important data privacy and cybersecurity requirements outlined by Maryland’s new law, but all universities striving to bolster their security posture and prepare for future regulations should consider adopting these practices.

Privacy Governance and Risk Management Programs

The new Maryland law requires universities to have a privacy governance and risk management program in place. This is designed to help institutions comply with important data privacy regulations, protect sensitive information (data encryption is also mandated), and properly manage security risks. The privacy governance and risk management program should also outline procedures and practices to address various types of security threats and help staff act quickly in the event of an attack.

Also under the new law, a university’s privacy governance and risk management program must be periodically reviewed by a third party with information security expertise. While this isn’t yet mandated by federal law, it’s a wise practice for any institution to follow, as privacy regulations and best practices are constantly evolving.

Posting Privacy Notices and Ensuring Data Autonomy

Universities in Maryland are now required to display clear privacy notices on the homepages of their websites. Displaying these notices, a practice already required in several states, ensures visibility and user consent while helping students and families understand their rights.

Further, the GLBA requires universities to be transparent about information-sharing practices to safeguard things such as bank information, addresses and health records. And under FERPA, students have the right to amend their data and retain some control over the disclosure of certain personally identifiable information from education records.

“Institutions across the country should consider employing the same programs and policies to lower the risk of cyberattacks and prepare for future regulations.”

Will Sweeney, Founder and Managing Partner, Zaviant Consulting

The Maryland statute takes GLBA and FERPA requirements a step further by requiring a process for individuals to access their own PII and request corrections and deletions. Additionally, under the new law, Maryland institutions can only collect necessary PII and must establish remedies for anyone whose data was affected by a breach.

Be Diligent When Integrating Third-Party Tools

Maryland universities will now be required to include language in contracts with third-party vendors that ensures the contractor complies with the institution’s privacy governance policy. All institutions should consider following this practice, as it establishes clear guidelines for university staff and vendors for handling sensitive data. The Maryland statute also mandates that any third-party vendor employ “reasonable” security controls to make sure data is secure. Additionally, universities are prohibited from disclosing sensitive data to third parties (other than contractors that handle PII) unless the individual consents to that disclosure.

Holding third-party vendors to the same cybersecurity standards and policies as the institution itself ensures that data is better protected. These regulations act as safeguards to help contain and control the ever-expanding data sets that universities must maintain.


An Example to Follow

While Maryland universities must comply with all of these new rules as of Oct. 1, institutions across the country should consider employing the same programs and policies to lower the risk of cyberattacks and prepare for future regulations. Whether these new laws end up coming from your state or the federal government, it’s only a matter of time.
