Educational Institutions and third parties providing services to these institutions frequently struggle with the cost and complexity of complying with FERPA regulations. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student “education records”. The law applies to all schools, colleges and universities that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

An “educational record” is defined broadly to include (with some limited exceptions) records that are directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution. A student’s health-related records that are maintained by campus or school health clinics or other healthcare facilities operated by such institutions, may also qualify as education records subject to FERPA.

It is challenging to store and even harder to share this sensitive information in a simple manner within the organization, with students, parents, and other 3rd parties. Organizations frequently face a conundrum: deploy an expensive mishmash of systems that are difficult to use or forgo compliance and assume a substantial financial risk. This blog describes a systematic approach for organizations to simplify compliance and lower the costs to store and share education records.

Understanding FERPA Cybersecurity Requirements

At its core, FERPA requires organizations that handle electronic educational records to:

  1. Ensure the confidentiality, integrity, and availability of records they create, receive, maintain, or transmit.
  2. Identify and protect against threats to the cybersecurity or integrity of the information.
  3. Protect against impermissible uses or disclosures.
  4. Ensure compliance by their workforce.

Be Strategic: Build FERPA Compliance Based on a Cybersecurity Framework

When establishing a compliance program to address Federal Government regulations like FERPA it is helpful to be strategic and follow an established cybersecurity framework instead of a patchwork of disjointed strategies and solutions. The Federal Government is widely requiring adoption of cybersecurity frameworks based on National Institute of Standards Technologies (NIST) especially800-171. Solutions based on this framework benefit organizations because they can streamline their FERPA program by inheriting compliance and help other initiatives such as Gramm–Leach–Bliley Act that regulates student financial aid data or HIPAA because they have significant overlap.

PreVeil for FERPA

PreVeil is an integrated encrypted email and file sharing system used extensively by defense companies for compliance that offers organizations subject to FERPA the same security benefits while also being affordable and easy to deploy and use. PreVeil enables organizations to conveniently store education records and share them with 3rd parties and others within their own organization. PreVeil is built to meet the Federal Government’s leading cybersecurity and risk framework NIST 800-171. We provide customers documentation and third-party audit reports as evidence of compliance. With PreVeil, organizations can achieve and demonstrate broad compliance with the four FERPA objectives outlined earlier.

PreVeil Email enables educational institutions and others they work with to send and receive end to end encrypted messages using their existing email address. PreVeil Email seamlessly integrates with Microsoft Outlook, Gmail, and Apple Mail for a familiar user experience. It also works in a browser and in mobile apps for Apple and Android devices. PreVeil can even automatically encrypt emails whose subject lines indicate they contain educational records. If recipients don’t have a PreVeil account, they can establish one for free in minutes, making it simple for clients and 3rd parties to adopt.

PreVeil Drive is an encrypted file synchronization, storage and sharing system very similar in functionality to OneDrive, Google Drive or Dropbox. However, unlike those, it is fully end-to-end encrypted and can be used to securely share files and folders in compliance with FERPA. Drive supports granular access permissions such as Read only or Edit & Share. Shared data can even be revoked to mitigate 3rd party risk. Organizations benefit from a simple workflow because Drive can be seamlessly integrated with Windows Explorer or Mac Finder for a familiar experience. Parents, health and other education services providers can conveniently access both their secure email and files on computers as well as their mobile devices.

PC Magazine has awarded PreVeil its Editors’ Choice for Best Encrypted Email and Filesharing system for security and ease of use, four years in a row.


Meet the FERPA Security Requirements

PreVeil uses end-to-end encryption, the gold standard of data security to protect educational records. This technology ensures that only the sender and recipients can access data — and no one else, not even PreVeil. It renders attacks on servers useless as information is always encrypted. PreVeil accounts are also impervious to password attacks because it uses unbreakable encryption keys to grant access. It’s also designed so even an attack on an IT administrator will not reveal data. These default security capabilities, in conjunction with PreVeil’s administrative features enable providers to satisfy key safeguards namely:

  1. Access Control: PreVeil enables organizations to limit access to education records not only to authorized persons but also authorized devices.
  2. Audit Controls: PreVeil creates immutable, cryptographic audit logs that record access and other activity, including changes made to FERPA data.
  3. Integrity Controls: Organizations can prove that records have not been improperly altered or destroyed because whenever any changes are made to a file, Drive creates a new cryptographically verifiable version of the changes. This capability also protects the organization from Ransomware attacks.

Secure Mobile Access

PreVeil’s Email and Drive are available as an elegant, encrypted, free app on iOS and Android phones and tablets. Access to the app is secured via biometric authentication or passcodes. Not only does this make it greatly convenient for parents, and other education services providers but also it solves the challenging security and encryption requirements for records on mobile devices since those capabilities are built in by default.

Simple Deployment

PreVeil can be deployed alongside an organization’s existing Office 365, Exchange or GSuite infrastructure without any impact to those systems. While the system is designed for self-deployment, PreVeil’s support team can help set up an organization and train users in an hour.


Providers deploy PreVeil using a low-cost, all-inclusive License that costs $25/month and includes both secure email and files. Clients and others typically access for free by taking advantage of PreVeil’s Express accounts resulting in 75% savings compared to those from large providers.


Get a free quote to learn how PreVeil can help provide a simple path to compliance and protection from cascading financial damages resulting from FERPA violations.