By Bre Payton | Watchdog.org
If you have a federal student loan, your private information is in danger.
And it seems the federal government really doesn’t give a damn.
If you slip into default on your promised repayments, the Federal Student Loan Administration gives your data to a pool of private companies that collect the debt.
Some of those companies are not required to adhere to federal data security standards.
A September Department of Education Inspector General report details these and other security vulnerabilities the FSA has been basically ignoring since 2011.
“It’s too bad that when we all try so hard to protect this information ourselves that the banks and government practically make it openly available to hackers on the Internet in many cases,” said an international Internet security expert who asked to remain anonymous because his company has banking clients.
What security standards?
Students with loans granted through the Federal Family Education Loan Program have their information kept by agencies that are not required to adhere to federal security standards.
While no new loans are being issued under FFELP, loans already given out are being managed by 30 different credit agencies.
“As of the date of the audit, there was no official plan to make sure that agencies adhere to FISMA (federal security) requirements,” the OIG said in an email to Watchdog.org.
That’s unwise, said Khaliah Barnes, director of the Student Privacy Project and administrative law counsel for the nonprofit Electronic Privacy Information Center.
“If you can’t protect it, don’t collect it,” Barnes said.
They have a plan, sort of
But not to worry. The Federal Student Aid has a plan to develop a plan to rectify deficiencies.
“FSA has developed a detailed project plan to adequately assess and, where applicable, develop corrective action plans for all guaranty agency systems to help identify and rectify deficiencies in compliance with FISMA (federal security standards),” said a Department of Education spokesman, who agreed to speak only on background.
The Education Department spokesman didn’t give any details about what their plan-within-a-plan is.
But the OIG didn’t seem too thrilled in page 10 of its report that the FSA was going to use audits conducted by the agencies themselves.
$34 billion in bad debt
Private collection agencies handle most loans in default — currently managing $34 billion worth of bad student-loan debt.
The agencies have an increased risk of having data compromised because they share information with other agencies, borrowers and third-party data providers.
Contractors took up to 301 days after deadline to fix security vulnerabilities. Most were fixed an average of 71 days after the deadline, the report states on page 5.
But contractors didn’t suffer any consequences.
“Identifying and resolving security deficiencies in a very timely manner is what it is all about,” the Internet security expert said. “If it is not timely, generally it is too late.”
The Privacy Act gets overlooked by the FSA
When the audit was conducted last year, the FSA hadn’t asked contractors to prove they were training employees on the requirements under the Privacy Act, page 6 of the report details:
“The Department has no assurance that PCAs (private contractors) provided their employees and subcontractors with all the required training necessary to carry out their responsibilities in compliance with information security requirements that are necessary to protect Department systems and data.”
“Individuals turn over so much information,” EPIC’s Barnes said. “As the government contracts more and more out, it’s imperative that there are oversight mechanisms in place.”
When Watchdog.org asked the FSA if they were ensuring contractors adequately trained employees, a Department of Education spokesman said:
“FSA has continued to review and strengthen procedures used to verify PCA employee compliance with all information security training requirements.”
While the FSA continues to “review and strengthen procedures,” they’re contracting $34 billion worth of student debt to private collection agencies.
“Responsibility lies on whatever entity has been entrusted with the information,” Barnes said. “If they decide to contract out, they should be sure there’s an oversight mechanism in place to protect the information.”
This story was updated Jan. 29, at 11:48 a.m.