The FTC Safeguards Rule will apply to Title IV institutions under an upcoming change to the rule that adds higher education institutions to its scope and imposes requirements on institutional cybersecurity programs.
The Federal Trade Commission (FTC) has been preparing to amend the GLBA Safeguards Rule for the protection of customer data. The Safeguards Rule is one of the three sections of the Gramm-Leach-Bliley Act (GLBA) of 1999, which also includes a Financial Privacy Rule and Pretexting Provisions.
This new rule will apply to Title IV Higher Education Institutions, with exceptions for institutions that handle fewer than 5,000 consumer records, and those exceptions apply only to some of the requirements. Specifically, the exceptions cover having a written risk assessment, having an incident response plan, and preparing the annual report to the board of directors. If you are exempt, we still recommend you conduct those activities.
Educause, an association for Higher Education IT leaders, has been following the topic closely and has published an analysis of the initial proposal. It later joined with the American Council on Education (ACE) and other associations to respond with comments from the industry on the proposed reporting requirements.
While the rule originally applied to financial institutions, the FTC has proposed changes to the Safeguards Rule that bring Higher Education institutions into scope through their financial aid processing. Due to increasing data breaches, including a growing number of ransomware attacks, the FTC is amending this rule to include more entities in an effort to prioritize the protection of consumer information. Throughout 2022 the FTC proposed changes and sought commentary to be included in the final rule publication.
Deadline to be in compliance with the Safeguards Rule: June 9, 2023
Entities subject to the Safeguards Rule requirements, as defined in Section 314.4 of the Code of Federal Regulations (the Elements section of the broader Standards for Safeguarding Customer Information in Part 314), must ensure these nine elements are included and carried out as part of the information security program. The nine elements, summarized from the current version of Section 314.4:
FortifyData can assess, contextualize and prioritize the cybersecurity risk of a higher education institution, to also include service providers (third parties).
Our platform can conduct the risk assessments for the institutions and their service providers (third parties) to meet the Safeguards Rule, and the benefits are:
Expect temporary or permanent suspension from the Department’s systems, as well as consideration of fines or other administrative actions.
It is expected that the compliance check for the Safeguards Rule will be a part of the federal single audit process as part of the Title IV Program Participation Agreement (PPA).
Non-compliance with the Safeguards Rule will be included in the institution’s audit report, with the findings referred to the FTC as well as to Federal Student Aid’s Postsecondary Institution Cybersecurity Team. From the Department of Education, Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act:
“Federal Student Aid’s Postsecondary Institution Cybersecurity Team (Cybersecurity Team) will also be informed of findings related to GLBA, and may request additional documentation from the institution in order to assess the level of risk to student data presented by the institution or servicer’s information security system.
If the Cybersecurity Team determines that the institution or servicer poses substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution or servicer’s access to the Department’s information systems. Additionally, if the Cybersecurity Team determines that as a result of very serious internal control weaknesses of the general controls over technology that the institution’s or servicer’s administrative capability is impaired or it has a history of non-compliance, it may refer the institution to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department.”
Additionally, the Department of Education Office of Federal Student Aid (FSA) has published additional guidance on how the definition of ‘customer information’ applies in a higher education setting. Educause has a good writeup on the FSA guidance, the enforcement actions, and the reiteration that NIST SP 800-171 requirements for controlled unclassified information (CUI) should be followed, if they are not already, and that institutional compliance with NIST SP 800-171 will eventually be required.