
Family Educational Rights and Privacy Act

Protecting student education records and ensuring parental access rights

Established: 1974 (regulations updated periodically)
Last Updated: 2011 (significant regulatory amendments)
Scope: United States
Institutions covered: 100,000+

// What is FERPA?

FERPA protects the privacy of student education records, giving parents rights over their children's records until the student turns 18 or attends postsecondary education. The law applies to all educational institutions receiving federal funding, from elementary schools through universities.

While FERPA predates modern cybersecurity concerns, its requirements have significant implications for data protection. Student information systems, learning management platforms, and educational technology vendors must all comply with FERPA's disclosure restrictions and security expectations.

The Department of Education has increasingly emphasized cybersecurity in FERPA guidance, recognizing that data breaches constitute unauthorized disclosures. Institutions must implement reasonable security measures protecting education records from unauthorized access.

// Inside the Regulation

FERPA establishes rights for parents and eligible students regarding education records, while restricting institutional disclosure without consent. The regulation defines education records broadly and imposes security obligations protecting those records.

1. Education Records Definition

34 CFR § 99.3

Understanding what FERPA protects is essential for compliance. Education records encompass more than grades and transcripts.

Covered Records

Records directly related to a student maintained by an educational institution or party acting for the institution, in any medium.

Directory Information

Certain information (name, address, enrollment status, etc.) may be disclosed without consent if properly designated and noticed. Students can opt out.

Exclusions

Sole possession records, law enforcement records, employment records (non-student status), treatment records, and post-attendance alumni records.

2. Disclosure Restrictions

34 CFR § 99.30-99.39

FERPA prohibits disclosure of education records without consent, with specific exceptions for legitimate educational purposes.

Consent Requirement

Written consent required before disclosing personally identifiable information from education records, specifying records, purpose, and recipient.

School Official Exception

Disclosure permitted to school officials with legitimate educational interest, including contractors performing institutional functions.

Health and Safety Emergency

Disclosure permitted to appropriate parties in health or safety emergencies, with documentation of threat and parties contacted.

De-identified Data

Information from which all personally identifiable information has been removed may be disclosed, but the institution must reasonably determine that a student cannot be identified from the remaining data.

3. Security Requirements

While FERPA doesn't specify technical controls, it requires institutions to protect records and treats breaches as unauthorized disclosures.

Reasonable Methods

Institutions must use reasonable methods ensuring school officials access only records in which they have legitimate educational interest.

Physical Security

Physical safeguards protecting record storage locations from unauthorized access.

Electronic Security

Technical safeguards protecting electronic records including access controls, authentication, and transmission security.

Third-Party Agreements

Contracts with service providers must include FERPA compliance provisions and restrict further disclosure.

4. Breach Response

Data breaches involving education records constitute unauthorized disclosures requiring institutional response.

Documentation

Document each breach involving education records, including which records were affected, the cause, and the remediation steps taken.

Notification Considerations

While FERPA doesn't mandate breach notification, state laws and institutional policy typically require notification of affected individuals.

Remediation

Address vulnerabilities causing the breach and strengthen controls preventing recurrence.

Note: FERPA compliance extends to educational technology vendors through the 'school official' exception, which requires contracts designating the vendor as a school official performing services the institution would otherwise perform. The institution must retain direct control over the vendor's use and maintenance of education records.

// Who Must Comply

  • Public K-12 school districts
  • Private schools receiving federal funds
  • Colleges and universities receiving federal student aid
  • State education agencies
  • Educational technology vendors serving covered institutions
  • Testing companies and assessment providers
  • Research organizations accessing education records

// Key Requirements

Access Rights

Provide parents/eligible students access to education records and opportunity to challenge inaccurate information

Disclosure Controls

Obtain consent before disclosing education records except under specific permitted exceptions

Annual Notification

Annually notify parents/students of FERPA rights and directory information policies

Record Security

Implement reasonable security measures protecting education records from unauthorized access

Vendor Management

Ensure contracts with service providers include required FERPA compliance provisions

Disclosure Logging

Maintain records of each disclosure request and whether it was granted

// Enforcement & Penalties

The Department of Education enforces FERPA primarily through administrative remedies. Funding termination is the ultimate sanction, though rarely invoked. The Department typically works with institutions to achieve compliance through corrective action.

Maximum Penalty

Termination of federal funding eligibility

Examples:

  • Compliance agreements requiring institutional remediation
  • Formal findings of FERPA violations with corrective action plans
  • Rare: Funding termination proceedings for systematic non-compliance
  • State law penalties for data breaches involving student records

// Cyber Insurance Impact

Cyber insurers consider FERPA compliance when underwriting educational institutions. Breaches involving student records trigger coverage provisions and may expose compliance gaps. Institutions should ensure cyber policies cover regulatory defense costs and potential penalties under FERPA and related state laws.

// How Breach Craft Helps

We help organizations achieve FERPA compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of FERPA.
