Finding 1154797 (2024-002)

Material Weakness
Repeat Finding
Requirement: J
Questioned Costs: -
Year: 2024
Accepted: 2025-09-23
Audit: 367160
Organization: Samuel Merritt University (CA)

AI Summary

  • Core Issue: The University did not report a data breach to the Department of Education as required, failing to notify them on the day of detection.
  • Impacted Requirements: Compliance with the Student Aid Internet Gateway Agreement, which mandates immediate reporting of actual or suspected data breaches.
  • Recommended Follow-Up: Update policies and procedures for handling cybersecurity incidents to ensure compliance with reporting requirements for personally identifiable information (PII).

Finding Text

2024-002 – Data Breach Reporting
Assistance Listing Number: Various – U.S. Department of Education – Student Financial Assistance Cluster

Criteria
Under the University’s Student Aid Internet Gateway Agreement, institutions must report actual data breaches as well as suspected data breaches. Institutions must report on the day that a data breach is detected or even suspected.

Condition
The University failed to report a data breach to the Department of Education, either on the day of detection or at any subsequent time. The breach involved a social engineering attack on the institution’s third-party company, a platform provider, which led to the compromise of user accounts; the attackers gained access to the personally identifiable information (PII) of five individuals employed by the University. One of those individuals had user access to the student information system at the time of the breach.

Cause
The University lacked policies, procedures, and guidelines for handling cybersecurity incidents in relation to the Department of Education reporting requirements.

Effect
The breach was reported internally to management, actions were taken to identify the cause, and the affected individuals were notified of the breach; however, the Department of Education was not notified as required.

Questioned Costs
There were no questioned costs related to this finding.

Recommendation
The University should update its policies, procedures, and guidelines for handling cybersecurity incidents involving personally identifiable information (PII), in regard to the Department of Education reporting requirements.

Responsible Personnel
Marcus D Walton, Deputy Chief Operating Officer & CIO

Corrective Action Plan

Planned Corrective Action
The University acknowledges the omission in reporting the third-party platform-related data breach to the Department of Education. Although the breach was internally addressed and affected individuals were notified, the external reporting protocol was not followed. In response, the University is revising its cybersecurity incident response policy to incorporate specific guidance on reporting suspected or confirmed data breaches to the Department of Education in accordance with the Student Aid Internet Gateway Agreement. Staff responsible for incident response and information security will receive training on these updated procedures. The Deputy COO, together with the Deputy CFO, will be responsible for ensuring timely notifications are made. The University will enhance its vendor risk management procedures, ensuring that all third-party service providers handling sensitive data are conducting compliance training with their employees and reprimanding employees not following policy. The University will meet monthly with third-party service providers handling PII to discuss ongoing compliance trainings and document how the provider is staying current on managing threats.

Implementation Date
Policy Update & Staff Training: October 31, 2025

Responsible Personnel
Marcus D Walton, Deputy Chief Operating Officer & CIO

Categories

Reporting

Other Findings in this Audit

  • 1154796 2024-001
    Material Weakness Repeat
  • 1154798 2024-003
    Material Weakness Repeat

Programs in Audit

ALN    | Program Name                                                                                                         | Expenditures
84.268 | Federal Direct Student Loans                                                                                         | $71.23M
93.364 | Nursing Student Loans - Outstanding As of January 1, 2024                                                            | $3.25M
93.342 | Health Professions Student Loans, Including Primary Care Loans/Loans for Disadvantaged Students - Outstanding As of January 1, 2024 | $1.72M
93.364 | Nursing Student Loans - Issued During the Year                                                                       | $1.13M
93.178 | Nursing Workforce Diversity                                                                                          | $722,110
93.732 | Mental and Behavioral Health Education and Training Grants                                                           | $639,022
84.063 | Federal Pell Grant Program                                                                                           | $611,393
84.033 | Federal Work-Study Program                                                                                           | $491,088
84.007 | Federal Supplemental Educational Opportunity Grants                                                                  | $160,109
93.342 | Health Professions Student Loans, Including Primary Care Loans/Loans for Disadvantaged Students - Issued During the Year | $147,021
84.116 | Fund for the Improvement of Postsecondary Education                                                                  | $75,246
84.038 | Federal Perkins Loan Program - Outstanding As of January 1, 2024                                                      | $70,132
16.582 | Crime Victim Assistance/Discretionary Grants                                                                         | $49,507