Students. Faculty. University Health Services. Campus police. Alumni donors. Research centers. Registrars. Disciplinary committees. A modern university runs like a small city. But unlike a city, almost every department in a university handles data subject to the Family Educational Rights and Privacy Act (FERPA).
For CISOs and IT leaders, the challenge isn't just securing the network perimeter; it is ensuring that "education records" (a broadly defined term under FERPA) remain protected as they travel between departments, to parents, and to external service providers.
With the prevalence of remote learning and digital administration, the pressure to protect student privacy while maintaining fluid communication has never been higher. But many universities are facing the compound challenge of legacy systems, shrinking budgets, and increasing cyber threats.
Higher education is struggling to keep up with the responsibility of protecting student data. In 2025 alone, there were high-profile hacks on Harvard University, the University of Pennsylvania, New York University, Princeton University, Dartmouth College, and Columbia University. A 2026 Chronicle of Higher Education article, "Why Cyberattacks in Higher Ed Keep Proliferating," sums it up: "Colleges are constantly being bombarded with cyberattacks. Powered by artificial intelligence, these strikes have become more sophisticated. And there’s only so much that campus IT departments can do."
This post will explore some things IT departments can do in 2026, particularly as they relate to regulated data under FERPA, HIPAA, and other compliance requirements.
Why should FERPA (and other data security regulations) be a top priority for university cyber leaders? While financial penalties are a risk, the true cost of a FERPA-related breach often lies in reputation and trust.
Central State University CIO, Showkat Choudhury, summarized the stakes well:
“These students are just 18, 20 years old. They’re just starting their lives. At this early age, if they lost their most securely held information — date of birth, health records, social security numbers — if it’s compromised just one time, that information may float on the web for decades.”
On paper, FERPA seems straightforward. It aims to protect student privacy by safeguarding students’ educational records and the personally identifiable information (PII) they contain. In practice, though, IT leaders face unique governance hurdles:
These "Shadow IT" workarounds are where FERPA compliance goes to die. If security disrupts the workflow, users will work around it, even if it means sharing unprotected data.
Central State University's CIO, Showkat Choudhury, has seen this play out often in university contexts.
“In higher education, we have a trend where employees stay for a long, long time. People start working here and retire after 20, 30 years. During that time, they get used to one type of work. You hear things like, ‘I do things my way. I work like this.’ With Virtru, they can keep those processes. It changes just a little bit, but in a way that’s very doable.”
Excerpt: From the Medical Center to the Athletics Department, Central State University Safeguards Student Data with Virtru
The Solution: Data-Centric Security That Fits the Workflow
To prevent data loss and FERPA violations when data is shared, universities must move from a "perimeter-focused" mindset to a "data-centric" mindset, protecting data at the object level. This means encrypting and governing access to the email or file itself, ensuring it remains secure even if the network is breached or the file is shared with an external email address.
However, for object-level protection to work in a university setting, it must meet three key criteria:
Security tools must integrate into the apps users already use, like Gmail, Outlook, Google Drive, and Microsoft SharePoint/OneDrive. If a user has to log into a separate portal to send a secure message, adoption will plummet.
Modern universities deal with data files that are too large or sensitive for standard email. Virtru Secure Share solves the "large file" problem by enabling the encrypted, access-controlled sharing of files up to 15 GB, without breaking compliance.
Under FERPA, knowing who has access to student records is paramount. IT leaders need the ability to monitor where data travels and manage access even after it has been shared.
Universities often co-mingle FERPA data with HIPAA (medical) and GLBA (financial) data. A rigid security policy may not be effective in allowing your employees to get their jobs done while meeting one or more applicable compliance regulations. You want to empower them to easily meet requirements with granular, customizable controls — or a security safety net that runs in the background to do this automatically (for example, detecting and protecting outbound content that contains a social security number or student ID).
Virtru's email and file security is trusted by hundreds of educational institutions around the globe to support regulations from FERPA to New York Ed Law 2-D, to other state and local privacy regulations like Texas SB 820. Here's what just a few of our higher-ed customers have said about Virtru.
“We had experience with a traditional, portal-based email encryption product, but our users found this mechanism far too cumbersome for our users and their recipients. With Virtru, we found a solution that met our security and compliance requirements, was easy enough to ensure widespread adoption, and gave us the audit and control features we wanted.” - Mark Dieterich, Director of IT and Security, Brown University
“If I sent out an email and said, ‘Virtru is going to be turned off tomorrow,’ I would have a problem on my hands like almost no other on campus. It’s not something we intend to move away from.” - Andy Powell, Director of Information Security, Williams College
"We’ve had very good luck with Virtru. The system is by and large easy to work with, and customer support has been very good." - Dr. Stephen Correia, Associate Professor, University of Georgia Cognitive Aging Research and Education Center
Virtru was founded to eliminate the tradeoff between data protection and ease of use. We provide a seamless layer of encryption that integrates directly into your university's email and file-sharing workflows. We are StateRAMP and FedRAMP authorized, and our data-centric security supports every institution, from small schools to large R1 research institutions with CMMC contracts.
Leading institutions like Brown University rely on Virtru to:
We believe that data privacy is a fundamental right for students and faculty alike, and FERPA ensures that students' data is treated with respect and intention. By implementing easy-to-use, object-level security with granular access control, your university can lead the way in digital privacy while keeping the focus where it belongs: on education.
Is your university's current email and file-sharing workflow FERPA compliant? Contact our team today to learn more about Virtru Email Protection and Secure Share.