The FTC has amended its Safeguards Rule, effective June 9, 2023, to protect students’ data.
Higher ed institutions must take specific steps to comply with the new rule.
Institutions may want to tap consultants experienced in data security and regulatory compliance.
The Federal Trade Commission enacted the Standards for Safeguarding Customer Information—known as the Safeguards Rule—in 2003 to ensure that entities covered by the rule protect customer information. After public comment, the FTC amended the rule in 2021 to keep pace with current technology. The revised version, which takes effect June 9, preserves the flexibility of the original rule and provides more specific guidance for businesses, including institutions of higher education (IHEs). The rule addresses core data security principles that all covered organizations must implement.
The rule change comes in response to increasing concerns about the vulnerability of sensitive personal information to data breaches, identity theft, and other cyber threats. Data breaches at organizations entrusted with personally identifiable information continue to proliferate, reinforcing the need for the U.S. Department of Education to work with IHEs to combat cybersecurity threats and strengthen cybersecurity infrastructure. Ensuring information confidentiality, security, and integrity depends on cooperation among the department, IHEs, and other entities, including state grant agencies, lenders, contractors, and third-party servicers.
The new Safeguards Rule applies to a wide range of entities, including IHEs that offer government financial aid services to students. It applies to financial institutions that are under the FTC’s jurisdiction and that are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA). When entering into a Department of Education Program Participation Agreement (PPA), the institution agrees to comply with the Standards for Safeguarding Customer Information, 16 C.F.R. Part 314, issued by the FTC, as required by the GLBA.
Per the PPA, any breach of the security of student records and information displays a potential lack of administrative capability. As cyber events become more frequent, it is critical that organizations maintain an information security program and ongoing compliance monitoring to meet insurance requirements and establish a defense in the event of legal proceedings.
The new rule requires IHEs to implement comprehensive information security programs to protect students' personal and financial data from unauthorized access or misuse. IHEs must evaluate and update their existing policies, procedures, and systems to align with the new requirements. This may include updating their data security practices, conducting risk assessments, and training employees on SFA data-security best practices.
The Safeguards Rule identifies nine program elements and eight safeguard controls that an organization’s information security program must include:
Program elements
Safeguard controls
The new rule takes effect June 9, 2023, and IHEs must respond promptly to ensure compliance with the new requirements.
Per the Student Aid Internet Gateway Participation Agreement, a state grant agency shall submit a report in writing of any unauthorized use, disclosure, or re-disclosure of Institutional Student Information Record (ISIR) data or Free Application for Federal Student Aid (FAFSA) filing status information within one business day after the agency learns of such unauthorized use, disclosure, or re-disclosure to:
U.S. Department of Education, Federal Student Aid, 830 First St. NE, Union Center Plaza, Room 32E1, Washington, DC 20202, or via e-mail at FAFSACompletion@ed.gov.
The report must identify the following:
(i) The nature of the unauthorized use, disclosure or re-disclosure
(ii) The ISIR data or FAFSA filing status information used, disclosed, or re-disclosed
(iii) The person or entity, if known, that made the unauthorized use or received the unauthorized disclosure or re-disclosure
(iv) What the agency has done or will do to notify affected FAFSA applicants and to mitigate any deleterious effect of the unauthorized use, disclosure, or re-disclosure
(v) What corrective action the agency has taken or will take to prevent future similar unauthorized use, disclosure, or re-disclosure
The FTC provides a guide detailing what businesses must do in the event of a data breach. Noncompliance with the rule could result in costly fines, criminal penalties, litigation, and damage to the institution's reputation.
To support the development and implementation of an information security program, an IHE may wish to engage a consulting firm with experience in data security and regulatory compliance. A consulting firm can provide customized guidance and support to help ensure that a program is comprehensive and complies with the new rule.
The Department of Education will issue future guidance on the information security standards provided in National Institute of Standards and Technology (NIST) Special Publication 800-171. Until then, the department encourages IHEs to incorporate the NIST standards into the written information security program required under the GLBA as soon as possible. Compliance with GLBA requirements is not the same as compliance with NIST 800-171. The current information-security requirements that institutions must meet are the GLBA Safeguards Rule requirements at 16 C.F.R. Part 314.