Abstract
Over the last few months, Federal Student Aid (FSA), an office of the U.S. Department of Education, has sent compliance letters on breach notification and information security program reporting to various EDUCAUSE member institutions. There are two versions of the letter. One asserts a range of reporting requirements with which an institution should comply based on a data breach or suspected breach. The other addresses the same issues but also notes an alleged institutional failure to self-report to FSA about the purported incident or suspected incident, potentially creating additional compliance concerns. EDUCAUSE has made scans of the generic versions of each letter available via the EDUCAUSE Library.