Think about compliance, whether in your organization or beyond, and a litany of regulations from PCI to GLB to CA SB 1386 and more comes to mind. Are these initiatives helping your organization stay out of the headlines? You could be a retailer or a healthcare provider, but what if your organization were four or more regulated organizations in one? Would you be more “secure”?

If you're not a member of a compliance team in higher education, you probably don't think of universities and colleges in this light. With students and faculty now back at school, IT managers at universities are faced with complying with multiple regulations that reach well beyond the education sector.

A bank? A health care organization? A retailer? These are all roles that institutions serve, in addition to the primary function of providing education.

  • The bank: As many of us know, universities and colleges are involved in the business of lending and collecting money. While not the bank itself, universities facilitate loans and disburse funds. Among compliance requirements, this means universities fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of their customers (students).
  • The health care provider: Almost all higher education institutions with students living on campus have a health center and are faced with protecting patient data under HIPAA.
  • The retailer: Not only can you buy your books with a credit card, but you can also pay your tuition. This means that, like every other merchant that accepts credit cards, universities and colleges must meet the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS).
  • The educational institution: Last but certainly not least, institutions provide educational services, and in the end this means students receive grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student grades. If grades are distributed or stored electronically, they must be secured.

Beyond these federal compliance requirements, universities and colleges must comply with state data breach notification laws such as California SB 1386. In over 30 states, if a lost laptop, flash drive or tape holds personally identifiable information stored unencrypted, the affected individuals must be notified. And this means unhappy parents, alums, and boards of directors.

Beyond being an interesting case study in compliance, these examples illustrate an important point. While most institutions are compliant with GLB, PCI, HIPAA, FERPA and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It's this point that makes higher education a lesson for all organizations.

Compliance sets a bar that matters to auditors and government, but when it comes to really protecting our businesses, agencies, and institutions, a higher bar for defending data must be set. Many organizations, including universities and colleges, are starting to protect data wherever it goes, using a strategy called enterprise data protection.

This strategy adds a layer of technologies that manages data, controls access to it, detects data at risk, and protects it. Security is built in from the point of data creation and follows the data as it is modified, transferred, stored, and archived. At the core of this approach is encryption of the data everywhere it goes. Encryption provides the encompassing protection layer that keeps data out of reach of unauthorized access: if encrypted data is somehow lost or stolen, it remains useless to anyone who does not hold the decryption key.

By defining a strategy for enterprise data protection, one that protects data, identifies it, controls access to it, and manages it, these organizations are ready to meet the bumps along the compliance road and keep themselves out of the headlines.

- Kevin Bocek is a Sr. Manager of Product Marketing for PGP Corporation.