FERPA (the Family Educational Rights and Privacy Act) regulations, unlike HIPAA or PCI DSS, do not specifically require that information be encrypted. However, they do require that educational institutions be able to limit access to student data to those who are authorized to view it, such as professors and academic advisors. FERPA also requires that institutions provide students (and their parents, if the student is under 18) with information on who accessed their records and when. As a result, many institutions have mandated the use of encryption as an access control mechanism.
This is where things get interesting; many educational institutions have forbidden professors from discussing grades and other FERPA-protected information over email. However, other institutions permit such discussions as long as the conversations take place over university-controlled systems. So, while strictly speaking it is permitted to email unencrypted FERPA data, many institutions opt not to take any chances. The best thing I can tell you is to approach this issue with caution and to discuss this with the legal team before setting any official policy.