Definition
The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, is a federal law that grants parents (and eligible students, once rights transfer to them) specific rights over education records maintained by educational institutions that receive federal funding. Every public K-12 school, school district, and virtually every college and university in the United States is covered. Private schools that accept federal Title IV funding, including private universities that participate in federal student loan programs, are covered as well.
For cybersecurity professionals, FERPA is often underestimated relative to HIPAA or GLBA because it does not prescribe a specific list of technical controls. This underestimation is a mistake with significant consequences. FERPA creates binding obligations around how education records are stored, accessed, disclosed, and shared with third parties. Those obligations map directly to access control architecture, encryption practices, data classification policies, vendor contract management, and incident response. Organizations that dismiss FERPA as a legal or registrar issue and exclude it from the security program have a compliance gap that state enforcement, federal funding conditions, and expanding state-level education privacy laws will eventually expose.
FERPA maps to two PDM domains. Risk Governance and Assurance (RGA) governs the compliance posture, the disclosure policy framework, and the audit capability to demonstrate that access to education records was lawful. Data Protection and Sovereignty (DPS) governs the technical controls: where education records live, who holds the keys, how they are protected, and what happens when an unauthorized disclosure occurs. Both domains must be engaged simultaneously for FERPA compliance to be substantive.
---
Background
Legislative Purpose and Scope
FERPA was enacted during the Watergate era, when congressional concern about government overreach into personal records was high. The primary mechanism is a funding condition: any educational agency or institution that receives federal education funding from the U.S. Department of Education must comply with FERPA or risk losing that funding. Because almost all U.S. educational institutions receive some form of federal funding, the practical reach of FERPA is nearly universal in American education.
Parents hold FERPA rights for students under 18. When a student turns 18 or enrolls in a postsecondary institution (whichever comes first), the student becomes an "eligible student" and rights transfer to the student. This handoff has operational implications for systems that manage parental access portals in higher education; a parent's ability to see a student's records requires either a FERPA waiver signed by the student or a documented dependency exception under the Internal Revenue Code.
The Department of Education enforces FERPA through the Student Privacy Policy Office (SPPO). Enforcement historically focused on systemic non-compliance rather than individual violations, and the SPPO's primary remedy is requiring the institution to come into compliance rather than imposing financial penalties. However, state attorneys general, state education agencies, and private plaintiffs have pursued FERPA-related actions under state law analogs, and the reputational and operational cost of a FERPA violation (particularly involving large-scale unauthorized disclosure or a breach affecting student records) is substantial.
---
How It Works
What Counts as an Education Record
Education records are records, files, documents, and other materials that are (1) directly related to a student and (2) maintained by an educational agency or institution, or by a party acting for or on behalf of the institution.
Records within FERPA's scope include:
- Academic records: grades, transcripts, class schedules, course enrollment lists, class lists
- Disciplinary records (with specific handling requirements for incidents involving violent crime or non-forcible sex offenses)
- Financial aid and financial information records
- Student identification codes and assigned login credentials where those identifiers link to identifiable student records
- Health records maintained by a student health clinic that is not a covered entity under HIPAA (campus health clinics at K-12 schools are typically FERPA-covered, not HIPAA-covered)
- Special education and IEP records at the K-12 level
Records outside FERPA's scope include:
- Law enforcement unit records maintained solely for law enforcement purposes and not disclosed to other school officials
- Employee records where the subject is employed but not currently enrolled as a student
- Records created by a physician, psychiatrist, or psychologist that are made, maintained in the normal course of business, used only for the treatment of the student, and disclosed only to treatment providers (these are "treatment records" with a separate exemption)
- Alumni records created after the student has graduated, where the record does not relate to the person's status as a student
Consent: The Default Rule
The default rule is that educational institutions may not disclose personally identifiable information from education records without prior written consent of the parent or eligible student. The consent must specify what records will be disclosed, for what purpose, and to whom.
This default rule creates the access-control obligation: systems containing education records must enforce the default restriction, permit disclosure only when a valid consent or exception applies, and log every access with enough context to demonstrate its legal basis.
Disclosure Exceptions: Where Technical Controls Get Complicated
FERPA includes 14 exceptions permitting disclosure without prior consent. Four of them generate the most significant technical implementation requirements:
School Officials with Legitimate Educational Interest. Employees, contractors, consultants, volunteers, and other parties under the direct control of the institution who have a legitimate educational interest in the records may access them without student consent. The key operational requirements: the institution must specify in its annual notification what it means by "school official" and "legitimate educational interest," and it must use "reasonable methods" to ensure that access is limited to parties who actually have that interest.
This exception is the basis for every internal system that school employees use to access student records (student information systems, LMS platforms, advising portals). The technical implementation must enforce that access is role-based and scoped to legitimate educational interest. A custodian with a school login should not have access to grade records. An adjunct instructor should not have access to records for students not in their sections.
Directory Information Exception. Institutions may designate certain categories of student information as "directory information" and disclose that information without consent unless the student has opted out. Directory information categories typically include: name, address, phone number, email, dates of attendance, enrollment status, degrees awarded, major field of study, participation in recognized activities and sports, weight and height of athletic team members, and photograph.
The opt-out mechanism is a technical requirement. Students must be provided an annual opportunity to opt out of directory information disclosure, and systems must enforce that opt-out status consistently across all disclosure channels, including alumni directories, public-facing databases, and responses to third-party inquiries.
Court Orders and Lawfully Issued Subpoenas. Records may be disclosed pursuant to a court order or subpoena, but the institution must make a reasonable effort to notify the parent or eligible student in advance of compliance unless the court has ordered confidentiality.
Health and Safety Emergencies. In genuine health or safety emergencies, institutions may disclose information from education records to appropriate parties to protect the health or safety of the student or other individuals. This exception is narrow and must be documented: the institution must determine that an articulable and significant threat exists and that the information disclosed is necessary to meet the emergency.
---
Why It Matters
The Ed-Tech Contractor Dimension
The most operationally significant FERPA development of the past decade is the proliferation of education technology vendors receiving student data under the school official exception. Every time a school district deploys Google Workspace for Education, Microsoft 365 Education, a learning management system (Canvas, Schoology, Blackboard), a student assessment platform, or a parent communication app, it is disclosing education records to a third party acting as a contractor under the school official exception.
The institution retains FERPA liability for the contractor's handling of those records. The contractor must: be under the direct control of the institution with respect to the use and maintenance of the records, use the records only for authorized purposes, and not further disclose the records without appropriate authorization. These requirements must be embedded in the contract (a data sharing agreement or data processing agreement), and the institution must monitor compliance.
When ed-tech vendors have breached student data, FERPA investigations have examined whether the school had adequate contract language, whether the vendor's security practices were assessed before deployment, and whether the institution had visibility into how student data was actually used by the vendor. The common failure pattern is a school signing a vendor's standard terms of service that permit the vendor to use student data for product development, advertising, or sale to third parties, none of which are authorized purposes under FERPA.
State-Level FERPA Overlays
FERPA is a federal floor. Many states have enacted student data privacy laws that go substantially further in their technical requirements:
SOPPA (Student Online Personal Protection Act, Illinois). Imposes specific security obligations on operators of websites, online services, or mobile applications directed toward K-12 students. Requires operators to maintain a comprehensive security program, prohibits targeted advertising based on student data, and requires data deletion upon contract termination.
New York Education Law 2-d. Requires educational agencies to contract with third-party contractors (ed-tech vendors) using a required data security and privacy addendum. Requires contractors to implement encryption, limit data access to authorized users, provide breach notification within 10 calendar days, and return or destroy student data at contract end. Requires contractors to publish a data security and privacy plan.
California Student Privacy laws (SOPIPA, AB 1584). Prohibit ed-tech vendors from using student data for advertising, building profiles for non-educational purposes, or selling student data. Require vendors to maintain reasonable security procedures and provide for data deletion.
These state laws are enforceable by state attorneys general independently of the Department of Education's FERPA enforcement, and they impose obligations on ed-tech vendors directly, not just on schools.
HIPAA Intersection at Campus Health Clinics
Campus health clinics at K-12 schools and at many higher education institutions are not HIPAA-covered entities. Their health records are education records under FERPA. This means that the HIPAA minimum necessary standard, individual access rights, and breach notification requirements do not apply; FERPA's rules do. For cybersecurity teams managing campus health record systems, this jurisdictional question must be resolved before applying the wrong compliance framework.
---
Technical Requirements
FERPA does not enumerate specific technical controls the way HIPAA's Security Rule or the GLBA Safeguards Rule do. But the "reasonable methods" standard for controlling access to education records, combined with the audit documentation requirements inherent in managing a compliant disclosure program, maps to a well-defined set of technical obligations:
Data Classification. Education records must be identified and classified as such across all systems that hold them. A student information system is obvious. Less obvious are the email archives containing grade communications, the file shares holding assessment results, the LMS activity logs, and the cloud storage buckets used by faculty. Without a data classification program that identifies where education records reside, the institution cannot ensure that appropriate access controls apply.
Role-Based Access Control. Access to education records must be constrained to users with a documented legitimate educational interest. This requires RBAC implementation in every system holding education records, with roles defined at a granularity sufficient to enforce the legitimate interest standard. Course instructors should see only their students' records. Counselors should see only their assigned caseload. Administrators should have access scoped to their functional responsibilities.
Audit Logging. Every access to, modification of, and disclosure of education records must be logged in a form sufficient to demonstrate the legal basis for the access. The log must capture: who accessed the record, when, from where, and for what apparent purpose. Logs must be retained for a period sufficient to support investigation of alleged unauthorized disclosures. Given that FERPA complaints can be filed with the Department of Education for events that occurred years in the past, log retention of at least three years is a reasonable minimum.
Encryption. While FERPA does not mandate encryption, the "reasonable methods" standard in the context of modern threat environments effectively requires it. Education records held in unencrypted form on laptops, USB drives, or cloud storage without access controls are not protected by reasonable methods. AES-256 at rest and TLS 1.2 or higher in transit are the baseline technical floor. Encryption of backup archives holding education records is required.
Contractor Management and Data Sharing Agreements. Every ed-tech vendor or contractor receiving education records must operate under a written agreement that: limits use to the authorized educational purpose, prohibits disclosure to unauthorized parties, requires adequate security safeguards, provides for data deletion or return at contract end, and addresses breach notification obligations. The institution must maintain a current inventory of all active contractor relationships involving education records.
Opt-Out and Consent Management. Systems must enforce directory information opt-out status across all disclosure channels. Consent records (where a parent or eligible student has authorized specific disclosures) must be maintained in a form that can be produced during a compliance review or investigation.
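The following routine ties together three of the controls just listed (role-based access scoped to legitimate educational interest, an audit log that records the legal basis of every decision, and directory-information opt-out enforcement). It is an added example written for this article, not code from the original page or from CDA; the role-to-record mapping, record types, directory categories, and sample students are constructed for illustration and would in practice come from the institution's SIS and its published "school official" definition.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Directory-information categories designated in the annual FERPA notice (constructed list).
DIRECTORY_INFO = {"name", "email", "major", "dates_of_attendance"}

# Record types each internal role has a legitimate educational interest in. Constructed
# mapping; in practice it mirrors the institution's published "school official" definition.
ROLE_SCOPE = {
    "instructor": {"name", "grades", "enrollment"},
    "counselor": {"name", "grades", "enrollment", "disciplinary"},
    "registrar": {"name", "grades", "enrollment", "transcript"},
    "custodian": set(),  # a school login by itself confers no record access
}

@dataclass
class Student:
    student_id: str
    sections: set = field(default_factory=set)   # course sections the student is enrolled in
    counselor_id: str = ""                        # assigned counselor (caseload scoping)
    directory_opt_out: bool = False
    consents: set = field(default_factory=set)   # (recipient_id, record_type) written consents

@dataclass
class Requester:
    requester_id: str
    role: str                                     # internal role, or "external" for third parties
    sections: set = field(default_factory=set)   # sections an instructor teaches
    source_ip: str = ""

AUDIT_LOG: list = []   # every decision, allowed or denied, lands here

def school_official_basis(req, student, record_type):
    """School-official exception: the role must cover the record type AND be scoped to this
    particular student (own sections for instructors, own caseload for counselors)."""
    if record_type not in ROLE_SCOPE.get(req.role, set()):
        return None
    if req.role == "instructor" and not (req.sections & student.sections):
        return None
    if req.role == "counselor" and student.counselor_id != req.requester_id:
        return None
    return "school_official_legitimate_interest"

def authorize(req, student, record_type, purpose, court_order=False):
    """Return the legal basis for the disclosure, or None if it must be refused.
    Every decision is appended to AUDIT_LOG with who/when/where/what/why and the basis."""
    basis = None
    if (req.requester_id, record_type) in student.consents:
        basis = "written_consent"                       # default rule: prior written consent
    elif req.role != "external":
        basis = school_official_basis(req, student, record_type)
    if basis is None and record_type in DIRECTORY_INFO and not student.directory_opt_out:
        basis = "directory_information"                 # opt-out is honoured on every channel
    if basis is None and court_order:
        basis = "court_order_or_subpoena"               # advance notice to the student still due
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "who": req.requester_id, "role": req.role, "from": req.source_ip,
        "student": student.student_id, "record": record_type, "purpose": purpose,
        "allowed": basis is not None, "basis": basis or "denied_no_lawful_basis",
    })
    return basis
```

A denied request is logged exactly like an allowed one, which is what lets the institution later demonstrate (or disprove) the lawful basis of any access a complainant points at.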
Breach Detection and Response. While FERPA does not have a federally mandated breach notification requirement equivalent to HIPAA's Breach Notification Rule, unauthorized disclosure of education records is a FERPA violation. State breach notification laws (nearly all states have them) will apply to breaches of student personal information. An incident response plan must address student record breaches specifically, including the notification obligations under applicable state law and the documentation required for any Department of Education investigation.
---
CDA Perspective
FERPA is a case study in the gap between regulatory intent and operational security reality. The law establishes clear rights and disclosure restrictions. The implementing regulations acknowledge that institutions must use "reasonable methods" to control access. But because FERPA does not enumerate specific controls, educational institutions have historically been slower to build structured security programs around student data than their healthcare or financial services counterparts.
CDA's approach through the Perpetual Compliance Assurance (PCA) methodology addresses this gap directly. PCA does not wait for a compliance standard to enumerate specific controls; it maps the compliance obligation (protect education records, limit access to legitimate educational interest, manage disclosures lawfully) to the technical controls required to meet that obligation, monitors those controls continuously, and surfaces gaps for remediation before they become violations.
Within the PDM, FERPA compliance engages both RGA and DPS simultaneously. RGA owns the compliance posture: the annual FERPA notice, the directory information opt-out mechanism, the contractor data sharing agreement inventory, the disclosure log, and the investigation and complaint response capability. DPS owns the technical architecture: where education records live, who holds access, how they are protected at rest and in transit, and how they are purged at the end of the data lifecycle.
CDA's Sovereign Data Protocol (SDP), "Your data lives where you decide. Period," is directly applicable to the ed-tech contractor challenge. SDP-aligned architectures for education clients specify data residency requirements in vendor contracts, require contractual prohibitions on secondary use, and implement technical controls that verify data stays within authorized boundaries. When a school district tells a vendor that student data must remain in U.S. data centers and may not be used for product development, SDP provides the technical verification layer to confirm that requirement is actually honored.
For K-12 districts in Illinois, New York, California, or any other state with FERPA overlay legislation, PCA tracks compliance against both the federal baseline and the applicable state obligations. New York Education Law 2-d's 10-calendar-day breach notification requirement, for example, is a faster clock than most federal obligations and requires a detection-to-notification capability that must be built before an incident occurs, not assembled during one.
The operational reality for education sector CISOs is that FERPA compliance is not separable from the security program; it is a specification of what the security program must accomplish for one of the institution's most sensitive data categories. Treating it as a registrar's problem or a legal policy document, rather than a security engineering challenge, is the root cause of most FERPA non-compliance.
---
Key Takeaways
- FERPA applies to virtually every educational institution that receives federal funding, covering education records for K-12 students and postsecondary students enrolled in institutions with federal student aid programs.
- The school official exception (legitimate educational interest) is the basis for all internal system access to student records and requires role-based access controls scoped to documented roles and responsibilities, not blanket employee access.
- Every ed-tech vendor or contractor receiving student education records must operate under a written data sharing agreement; the institution retains FERPA liability for the contractor's handling of that data, making vendor security assessment a compliance requirement, not an optional practice.
- FERPA's "reasonable methods" standard for protecting education records requires the same core technical controls as any competent security program: data classification, RBAC, encryption, audit logging, and incident response capability.
- State-level student privacy laws (SOPPA in Illinois, Education Law 2-d in New York, SOPIPA and AB 1584 in California) impose additional technical requirements directly on ed-tech vendors and provide enforcement mechanisms independent of federal FERPA enforcement.
---
Related Articles
- Perpetual Compliance Assurance (PCA) Methodology
- Sovereign Data Protocol (SDP) Overview
- HIPAA vs. FERPA: Jurisdiction at Campus Health Clinics
- Vendor Risk Management and Data Processing Agreements
- State Student Privacy Laws: SOPPA, NY Ed Law 2-d, and SOPIPA
---
Sources
- U.S. Department of Education, Student Privacy Policy Office, "FERPA General Guidance for Students" (2021). studentprivacy.ed.gov
- Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
- Illinois Student Online Personal Protection Act (SOPPA), 105 ILCS 85.
- New York Education Law § 2-d and implementing regulations (8 NYCRR Part 121).
- Future of Privacy Forum, "FERPA and Online Educational Services" (2014, updated 2019). fpf.org/ferpa-guide