The Department of Education has just announced a new policy that exposes third parties to “criminal penalties that include a fine of not more than $20,000, imprisonment for not more than five years, or both, beginning one day after the date of publication of this notice.”
The notice says:
(a) A person or entity may be granted access to, and use and share, the Department’s assets, data, information resources, and information systems (collectively, the Department’s information systems) only if the person or entity is an “authorized user” under paragraph (b) and only to the extent otherwise authorized pursuant to this section.
(b) A person or entity may be granted access to the Department’s information systems as an authorized user if the person or entity has a bona fide “need to know” the information or data contained in the Department’s information systems and they are–
(1) A student, borrower, or parent;
(2) A guaranty agency, eligible lender, eligible institution, or a third-party organization acting on behalf of a guaranty agency, eligible lender, or eligible institution that complies with Federal law and requirements applicable to the Department’s information systems; or
(3) A licensed attorney representing a student, borrower, or parent, or another individual who works for a Federal, State, local, or Tribal government or agency, or for a nonprofit organization, providing financial or student loan repayment counseling to a student, borrower, or parent, if—
(i) The attorney or other individual has never engaged in unfair, deceptive, or abusive practices, as determined by the Department;
(ii) The attorney or other individual does not work for an entity that has engaged in unfair, deceptive, or abusive practices (including an entity that is owned or operated by a person or entity that engaged in such practices), as determined by the Department;
(iii) System access is provided only through a separate point of entry issued to the attorney or other individual; and
(iv) The attorney or other individual has written consent from the relevant student, borrower, or parent to access the system.
(c) To access the Department’s information systems, an authorized user must—
(1) Read, understand, and sign the information system-specific Rules of Behavior;
(2) Have valid and current access authorization issued by the Department;
(3) Access the Department’s information systems using an access device issued by the Department to the authorized user, and may not use an access device issued by the Department to a student, borrower, or parent. A student, borrower, or parent, including through a power of attorney, may not authorize a third party to use their access device; and
(4) Comply with the terms of service, information security standards, and Code of Conduct.
(d) No person or entity may access the Department’s information systems for the purpose of assisting a student in managing loan repayment or applying for any repayment plan, consolidation loan, or other benefit authorized under title IV of the HEA, except as permitted under this “Acceptable Use of Systems.”
What Does This Cover?
It appears to cover any student loan assistance company that sells assistance with federal student loan programs. The notice specifically identifies who is covered by this new criminal exposure:
“For purposes of this system, unauthorized access includes, but is not limited to—
(a) Any access by an employee or agent of a commercial entity, or other third party, who is not the individual user, for purposes of commercial advantage or private financial gain (regardless of whether the commercial entity or third party is providing a service to an authorized user of the system); and
(b) Any access in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State.
If system monitoring reveals information indicating possible criminal activity, such evidence may be provided to law enforcement personnel. These Rules of Behavior identify responsibilities and expectations for all individuals accessing Federal Student Aid (FSA) systems.”
How Will You Know if This Applies to Your Student Loan Access?
The new rule appears to be easy to comply with because systems covered by this rule should provide the following notification.
“This Code of Conduct identifies the acceptable rules of behavior for accessing the Department’s information systems. Upon accessing the Department’s information systems, all users will receive a notification warning banner similar to the following that requires them to acknowledge and agree to the Code of Conduct prior to being allowed further access:
“You are accessing a U.S. Federal Government computer system intended to be solely accessed by individual users expressly authorized to access the system by the U.S. Department of Education. Usage may be monitored, recorded, and/or subject to audit. For security purposes, and in order to ensure that the system remains available to all expressly authorized users, the U.S. Department of Education monitors the system to identify unauthorized users. Anyone using this system expressly consents to such monitoring and recording. Unauthorized use of this information system is prohibited and subject to criminal and civil penalties. Except as expressly authorized by the U.S. Department of Education, unauthorized attempts to access, obtain, upload, modify, change, and/or delete information on this system are strictly prohibited and are subject to criminal prosecution under 18 U.S.C. 1030, and other applicable statutes, which may result in fines and imprisonment. This system may contain Personally Identifiable Information (PII), as defined by the Privacy Act of 1974, or other Controlled Unclassified Information as defined by 32 CFR 2002.”
Entities That Can Legally Access Consumer Student Loan Information
Third parties that are allowed to access federal student loan data systems must have their “own unique User ID, password, or credentials; at no time is a third party authorized to use another individual’s unique User ID, password, or credentials. A user may not authorize a third party to use their User ID, password, or credentials, including through a power of attorney.”