Education Department Shuts Access To Student Loan Database

Call it "Database Dilemmas 101." When the Department of Education took the unprecedented step last week of shutting off access to its database of college student loan information, it was an object lesson in the potential problems inherent in allowing partners and third parties access to your customer data.

Education Secretary Margaret Spellings said the department was temporarily suspending access to its National Student Loan Data System--a database of information on 60 million student borrowers at more than 20,000 schools--by lenders, loan holders, and servicers, and guaranty agencies. The federal agency's concern: Some of the 7,500 loan company employees with access to the system were mining information to market products and services to borrowers and their families.

Spellings signaled the move in an open letter to Sen. Edward Kennedy, D-Mass., chairman of the Senate Health, Education, Labor and Pensions Committee, who had sent her a letter earlier in the week urging the shutoff. "Lenders are apparently using this information to aggressively market to students," Kennedy wrote, prompted by his committee's investigation of the student loan industry and several published reports. "The privacy of every borrower must be a top priority for the department."

While access to the database is suspended, the department and its Office of Inspector General will review how the database is being used--or misused--by loan companies and whether it needs to cut off access permanently to certain companies. Loan borrowers and university officials continue to have access during the review period.

The secretary's move follows months of concern over misuse. In February, members of the National Direct Student Loan Coalition queried Theresa Shaw, chief operating officer of the Education Department's Office of Federal Student Aid, on their concerns that students using direct loans were being inundated with mass mailings for loan consolidations. Shaw said the office was aware that some student loan companies had been pinging the National Student Loan Data System several thousand times per minute, and that this "was indicative of a concerted effort to retrieve the database's information for other than its intended purpose," says Craig Munier, the coalition's chairman and director of scholarship and financial aid for the University of Nebraska-Lincoln.

So far, cease and desist orders have been communicated to two lenders, one school, and three state guaranty agencies regarding compliance with certain sections of the Higher Education Act that prohibit the distribution of unsolicited loan applications to enrolled students or their parents, unless the potential borrower has used that loan provider in the past, an Education Department spokeswoman says.

OUTSIDE LOOKING IN
The Education Department created the database in 1993 to help universities and lenders share information on student loans. The system is populated with information from schools and agencies that guarantee loans, as well as from the Direct Loan, Pell Grant, and other Education Department programs. Access is granted solely to determine the eligibility of an applicant for federal student aid or to facilitate the collection of federal student loans and grant overpayments. "This information may not be used for any other purpose, including the marketing of student loans or other products," Spellings wrote.

Being shut out from the system hurts some companies more than others. USA Funds, a guarantor of student loans made through the Federal Family Education Loan Program, uses the system to check on default rates. The company hopes guarantors will be able to use the system sooner than lenders, since most of the scrutiny seems to be on the latter, says a spokesman.

One significant player, SLM Corp., known as Sallie Mae, denies any wrongdoing. "Sallie Mae does not use NSLDS to target borrowers with loans held by competitors for the purpose of building marketing campaigns," asserts a spokesman. Sallie Mae is the largest provider of federally guaranteed student loans.

The database flap is another black eye for the $85 billion student loan industry, which has come under scrutiny in recent weeks. Sallie Mae, Citibank, and eight universities are part of a landmark multimillion-dollar settlement brokered by New York Attorney General Andrew Cuomo to crack down on shady student loan practices, including financial ties between lenders and schools, preferred lender status granted by some schools, and college employees sitting on lender advisory boards. Sallie Mae and the others agreed to the attorney general's College Loan Code of Conduct, which New York legislators want turned into a state law.

The Education Department defends its record in policing the student loan database. Spellings said in her letter that, since 2003, the Office of Federal Student Aid has invested more than $650,000 in improved system security and monitoring tools and processes to better protect student information. That has led to more than 52,000 user IDs being revoked. Most of those were dropped because of inactivity, yet 261 user IDs were pulled because of suspicious activity--246 belonged to lenders, loan holders, guaranty agencies, and servicers that collect, monitor, and report loan payments, and 15 to schools.

Since February 2006, the National Student Loan Data System has been managed by Applied Engineering Management, which does IT work for many government agencies, including the Air Force, Navy, State Department, and Smithsonian. Last April, AEM touted in a press release that employees overseeing the student loan database had received CMMI (Capability Maturity Model Integration) Level 3 certification, the highest level in a software project-management rating system developed at Carnegie Mellon University.

While the Education Department finds itself in a unique situation, there are a number of measures that businesses can and do take to avoid a similar mess when their data must be shared with contractors and business partners. The first step is deciding exactly what data a user needs to access and then tagging sensitive information within a database, much as the military does with its "classified" and "top secret" designations. Such tags can be referenced in a user's directory profile and used by access management software to determine who sees what data and what they can do with it. Companies also should review data and system access lists regularly to remove names of employees--either their own or third parties'--who no longer need access or no longer work for the company.

Once access is granted, companies can restrict data use by installing data-leak prevention or content monitoring software that determines when confidential data is being sent out via E-mail or file transfer. Other measures include blocking documents from being printed and carried out the front door.

Some companies go even further. When data broker Acxiom negotiates with a prospective customer, it researches the company to ensure that it's legitimate and really needs the information it's asking Acxiom to provide, global privacy officer Jennifer Barrett says. Acxiom also conducts on-site visits to customer locations to ensure that their IT and physical security controls are up to par. "If their security isn't as good as we'd like it to be, we might give them access to a truncated number, such as the last digits of a driver's license rather than the whole number," Barrett says.

Acxiom has adjusted its internal approach to security, too. This includes no longer printing complete numbers that relate to accounts or payments on documents. "We're getting more sophisticated about how much information someone needs to do their task," Barrett says.

The amount of information needed by companies accessing the student loan database apparently depends on what they consider their task--facilitating loans or marketing them.

Top image by Viktor Koen