Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Click Here to Read the Report
Oct 17 2024
Management

Is Maryland’s New Higher Ed Privacy Law a Harbinger of Things to Come?

Colleges and universities already take protecting student data seriously, but new regulations could turn accepted best practices into law.
Will Sweeney headshot
by

Will Sweeney is founder and managing partner at Zaviant Consulting.

With the fall semester in full swing, college students aren’t the only ones with homework to do. Higher education institutions in Maryland must comply with the state’s new privacy law, Maryland Code Title 10, Subtitle 13A, as of Oct. 1.

While this law is specific to Maryland, universities outside the state shouldn’t kick their feet up just yet. Many of this law’s requirements are considered data privacy and cybersecurity best practices and could become mandates across more states and perhaps nationally in the coming years.

Title IV universities must already comply with several federal laws concerning data privacy and cybersecurity, including the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA), to receive funding. However, many states are passing their own data privacy laws amid a rise in cyberattacks, especially in the higher education sector.

Click the banner to learn why planning today is key to recovering from tomorrow’s cyberattacks.

x-cyberresillience2-static-2024-na-desktop x-cyberresillience2-static-2024-na-mobile

 

The new Maryland law, for example, requires higher education institutions to take actions to ensure sensitive data is properly collected, stored and protected. This isn’t revolutionary: At least 40 states already have one or more laws on the books related to student privacy, but many are currently focused on K–12. It’s only a matter of time before we see more of those laws extend to colleges and universities.

Below are some of the most important data privacy and cybersecurity requirements outlined by Maryland’s new law, but all universities striving to bolster their security posture and prepare for future regulations should consider adopting these practices.

Privacy Governance and Risk Management Programs

The new Maryland law requires universities to have a privacy governance and risk management program in place. This is designed to help institutions comply with important data privacy regulations, protect sensitive information (data encryption is also mandated), and properly manage security risks. The privacy governance and risk management program should also outline procedures and practices to address various types of security threats and help staff act quickly in the event of an attack.

Also under the new law, a university’s privacy governance and risk management program must be periodically reviewed by a third party with information security expertise. While this isn’t yet mandated by federal law, it’s a wise practice for any institution to follow, as privacy regulations and best practices are constantly evolving.

Posting Privacy Notices and Ensuring Data Autonomy

Universities in Maryland are now required to display clear privacy notices on the homepages of their websites. A practice already required in several states, displaying these notices ensures visibility and user consent while helping students and families understand their rights.

Further, the GLBA requires universities to be transparent about information-sharing practices to safeguard things such as bank information, addresses and health records. And under FERPA, students have the right to amend their data and retain some control over the disclosure of certain personally identifiable information from education records.

Will Sweeney headshot
Institutions across the country should consider employing the same programs and policies to lower the risk of cyberattacks and prepare for future regulations.”

Will Sweeney Founder and Managing Partner, Zaviant Consulting

The Maryland statute takes GLBA and FERPA requirements a step further by requiring a process for individuals to access their own PII and request corrections and deletions. Additionally, under the new law, Maryland institutions can only collect necessary PII and must establish remedies for anyone whose data was affected by a breach.

Be Diligent When Integrating Third-Party Tools

Maryland universities will now be required to include language in contracts with third-party vendors that ensures the contractor complies with the institution’s privacy governance policy. All institutions should consider following this practice, as it establishes clear guidelines for university staff and vendors for handling sensitive data. The Maryland statute also mandates that any third-party vendor employ “reasonable” security controls to make sure data is secure. Additionally, universities are prohibited from disclosing sensitive data to third parties (other than contractors that handle PII) unless the individual consents to that disclosure.

Holding third-party vendors to the same cybersecurity standards and policies as the institution itself ensures that data is better protected. These regulations act as safeguards to help contain and control the ever-expanding data sets that universities must maintain.

KEEP LEARNING: Discover the best data governance strategies for artificial intelligence success.

An Example to Follow

While Maryland universities must comply with all of these new rules as of Oct. 1, institutions across the country should consider employing the same programs and policies to lower the risk of cyberattacks and prepare for future regulations. Whether these new laws end up coming from your state or the federal government, it’s only a matter of time.

halbergman/Getty Images

More On

Related Articles