Family Educational Rights and Privacy Act (FERPA)

Most have heard of HIPAA, GDPR, and other compliance regulations and best practices that govern data privacy and security for healthcare, personally identifiable information, and other forms of sensitive data. However, when it comes to educational institutions, the Family Educational Rights and Privacy Act (FERPA) helps define the requirements and protect the privacy of student education records. So, what requirements are defined by FERPA, and what tools can educational institutions use to protect student education records?

What is the Family Educational Rights and Privacy Act (FERPA)?

What is FERPA? FERPA is a federal law that came into existence in 1974 that protects the privacy of student education records. It helps to give parents certain rights regarding their children’s education records. The rights over their data transfer to the student once they turn 18. When a student reaches the age of 18 or attends a school beyond the high school level, they are known as an “eligible student.”

Who is required to comply with FERPA? The law applies to all schools that receive funds from applicable programs of the U.S. Department of Education. It gives parents or eligible students control over their educational records and helps to prevent educational institutions from disclosing (inadvertently or intentionally) personally identifiable information (PII) without the consent of an eligible student.

FERPA compliance is essential for educational institutions receiving funding from the U.S. Department of Education. Therefore, failure to comply with FERPA for those institutions or schools that fall into this category could mean they lose funding due to noncompliance.  

Rights of parents and eligible students

What are the rights given to parents or eligible students? They have the following rights as defined by FERPA:

  • They have the right to inspect and review records maintained by the school.
  • They can request corrections for records they believe to be inaccurate or misleading. They can also pursue a formal hearing if the educational institution decides not to change the record.
  • They can stop the release of any personally identifiable information (PII).
  • They can request a copy of the educational institution’s policy concerning access to academic or educational records.
  • Educational institutions must have written consent from a parent or eligible student before releasing any information from a student’s education record.

FERPA best practices to protect student data

One of the other benefits of FERPA is it helps to establish best practice security guidelines for protecting student data. For example, FERPA regulations require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing or permitting access to PII.

What reasonable methods are required by FERPA for disclosures of PII from education records? While there are no specific requirements mandated or defined as part of the reasonable methods, several best practice recommendations come into play. These include:

  • Conduct privacy risk assessments to discover threats to confidential student PII data.
  • Select authentication levels based on the risk to the data.
  • Develop a process to manage any secret authenticating information or passwords throughout their creation, use, and disposal.
  • Enforce password policies to reduce the risk of password misuse, including encrypting stored passwords and locking out accounts with suspicious activity.

Bolstering Active Directory password security

Like many enterprise organizations, many educational institutions are using Microsoft Active Directory as their identity and access management solution for both student and faculty logins. However, while Active Directory Domain Services (AD DS) provides many robust capabilities, it lacks the built-in tools to protect against common types of password risks. These include incremental passwords, leetspeak passwords, complex but easy-to-compromise passwords, and even breached passwords in the environment.

Specops Password Policy is a cybersecurity solution that allows organizations to bolster the password security posture in their Active Directory environment. In addition, it provides an automated way to proactively carry out continuous risk assessments of Active Directory environments to find password risks.

Schools and educational institutions that fall under FERPA compliance requirements greatly benefit from the password protections offered by Specops. Since most data breaches are often linked to compromised credentials, finding password risks before attackers do can help prevent exposure of confidential student information. Note the following features of Specops Password Policy:

  • Create custom Active Directory password filters
  • Prevent the use of more than 4 billion compromised passwords with Breached Password Protection
  • Gain visibility to already-compromised passwords in your environment
  • Provide intuitive automated feedback to end-users to prevent unnecessary calls to the helpdesk
  • Length-based password expiration
  • Customizable email notifications
  • Block user names, display names, specific words, consecutive characters, incremental passwords, and password reuse, including parts of passwords
  • Granular, GPO-driven targeting for any GPO level, computer, user, or group population
  • Passphrase support
  • Multi-language support
  • Use Regular Expressions to customize requirements further

Increase helpdesk security

FERPA regulations require parents or eligible students to provide a signed and dated written consent before an educational agency or institution discloses personally identifiable information (PII) from education records, except as provided in §99.31 of the regulations (34 CFR §99.30).

Further, as mentioned, the FERPA regulations require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing or permitting access to PII (34 CFR §99.31[c]). These requirements help to ensure that educational agencies and institutions protect the privacy of education records and do not violate FERPA by disclosing education records to the wrong party.

Simple password reset operations provided by the helpdesk can also be vulnerable to attacks from cybercriminals who call the helpdesk, impersonating a user who needs their account password reset or changed. This type of attack can place accounts of faculty, staff, and students at risk of compromise.

Specops Secure Service Desk allows organizations to eliminate password reset calls to the IT service desk. The solution enables users to securely reset their Active Directory passwords from anywhere, using any device. End-users can initiate the password reset process from any browser, mobile device, or right from the Windows logon screen on their workstations. With security features like multi-factor authentication and geo-blocking, the Specops Secure Service Desk password reset solution is consistent with the high level of security required by FERPA and other compliance regulations.

With the Specops Secure Service Desk, helpdesk technicians can verify the identity of any faculty, staff, or student requesting a password reset and avoid inadvertently giving login information to an attacker.

Concluding thoughts

Data privacy and the protection of personally identifiable information (PII) are becoming vital for organizations across many business sectors and verticals. The Family Educational Rights and Privacy Act (FERPA) helps to protect confidential student data from exposure or breach. It includes many best practices that help secure the digital information systems used to house student records.

However, educational organizations must bolster the security of all underlying supportive systems used to provide access to this information, including authentication and authorization systems like Active Directory Domain Services. Specops has a wide range of solutions that help bolster the security of Active Directory passwords and helpdesk operations to help protect student data and account information from a breach.

(Last updated on July 25, 2022)

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at
