Cyberattacks on Higher Education Institutions Underscore Urgency of Regulatory Compliance

March 30, 2026

Colleges and universities should assess their cybersecurity compliance posture and incident response readiness and harden their networks as soon as possible in light of elevated threats.

Since June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) has cautioned that Iranian government-affiliated actors routinely target U.S. networks and internet-connected devices. The war in Iran and recent Iranian state-sponsored malicious cyber operations suggest U.S. educational institutions may be more vulnerable than usual. They already face a complex web of overlapping federal and state data breach notification requirements, cybersecurity-related risks to Title IV funding eligibility and lasting reputational harm due to cyberattacks.

What do cyberattacks against higher education institutions look like?

According to a report from Comparitech, ransomware gangs claimed credit for 251 attacks on educational institutions in 2025, and more than 3.96 million educational records were breached that year, up from 3.11 million in 2024.

In February 2026, the University of Mississippi Medical Center was the subject of a ransomware attack, necessitating a nine-day shutdown of its non-emergency operations. News outlets reported that the medical center suffered a 20% drop in revenue for the month as a result of the ransomware attack, although losses may be less because some patient care charges were logged on paper during the attack.

In early March 2026, Lehigh Carbon Community College, in Pennsylvania, suffered a data breach that forced the college to close all of its campuses for more than a week. LCCC trustee Mathias Green Jr. confirmed the data breach during a Northern Lehigh School Board meeting. He stated that the college did not know the full extent of the breach. Green added that the school “hired professional people to come in and check the data” and is consulting with its insurance company and legal counsel. The recovery has been sporadic, with LCCC’s main campus partially reopening and several satellite locations — including its Allentown, Tamaqua and Airport sites — remaining closed, with in-person and hybrid classes at the closed sites continuing to be held remotely.

Separately, on March 9, 2026, the Community College of Beaver County in Pennsylvania disclosed that it was the target of a ransomware attack in which unknown threat actors encrypted all college data and demanded ransom payments. The attack completely blocked the college from accessing its computer systems, including grades, transcripts and all financial information. Soon after the attack, CCBC immediately locked down all IT resources and closed the campus, prohibiting anyone from using computers or logging into the VPN remotely.

What are the cybersecurity regulatory and data breach notification requirements?

If a cyberattack or data breach occurs, an educational institution must satisfy all data breach reporting requirements imposed by the Department of Education’s Federal Student Aid (FSA), the Gramm-Leach-Bliley Act (GLBA), FERPA and state-specific statutes. While some states exempt institutions that are subject to the GLBA from compliance with state law, others do not, making state-by-state analysis critical. Reporting is urgent because some of the timelines are short. For example, educational institutions must report a data breach to the FSA within 24 hours after the incident is known or identified. If 500 or more consumers are affected, then the GLBA requires separate reporting that must be made immediately. State data breach notification laws vary widely, with notification deadlines ranging from 72 hours to 60 days, and some states simply require notice “without unreasonable delay.”

Educational institutions participating in Title IV federal student aid programs are required to comply with the GLBA and the Federal Trade Commission’s Safeguards Rule, codified at 16 C.F.R. Part 314.

In addition to hardening infrastructure, educational institutions can reduce the risk of cyberattacks by requiring training for students, faculty and staff on cybersecurity; implementing multi-factor authentication for systems; and timely installing patches for software or networks with known vulnerabilities.

The Safeguards Rule also requires educational institutions to oversee their service providers by:

  • taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
  • contractually requiring service providers to implement and maintain such safeguards; and
  • periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.

FSA has previously clarified, through April 2024 guidance, that the Department and the FSA are not considered “service providers” for purposes of an educational institution’s compliance with the GLBA, and therefore institutions do not need to request information security certifications from the Department or the FSA to satisfy the Safeguards Rule.

Is your institution prepared?

The rise in data breach incidents raises important questions for all higher education institutions. Consider whether your institution can answer “yes” to the following:

  • Has your institution conducted a risk assessment within the past year?
  • Are your institution’s service provider contracts updated to include information security requirements, confidentiality, prohibitions on use for the third party’s purposes and indemnification in the event the provider has a breach?
  • Does your institution have a written information security program that complies with the federal and/or state laws applicable to your institution?
  • Do you know how federal and state data breach notification laws may apply to your institution, and are you cognizant of specific deadlines that may apply?
  • Does your institution have a current incident response plan with clear chains of command for quick decision-making?
  • Does your cyber insurance policy provide adequate coverage, and do you know your carrier’s incident reporting requirements?

If you answered “no” or if you are unsure of your answers to any of these questions, your institution may have compliance gaps that could prove costly in the event of a cyberattack. 

For questions regarding cybersecurity or GLBA, FERPA, cyber insurance review and other data breach regulatory compliance issues, please contact the authors or a member of our Education Industry Team, Higher Education Enforcement & Regulatory Counseling Team, or Data Privacy & Cybersecurity Team.
