The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa county violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights.