Higher Ed Institutions Need to Comply with New Cyber Rule
New FTC rule addresses how higher ed institutions safeguard students’ info
May 26, 2023
Article | Released on May 15, 2023
Background
The Federal Trade Commission enacted the Standards for Safeguarding Customer Information—known as the Safeguards Rule—in 2003 to ensure that entities covered by the rule protect customer information. After public comment, the FTC amended the rule in 2021 to keep pace with current technology. The revised version, which takes effect June 9, preserves the flexibility of the original rule and provides more specific guidance for businesses, including institutions of higher education (IHEs). The rule addresses core data security principles that all covered organizations must implement.
Why the change?
The rule change comes in response to increasing concerns about the vulnerability of sensitive personal information to data breaches, identity theft, and other cyber threats. Data breaches at organizations entrusted with personally identifiable information continue to proliferate, reinforcing the need for the U.S. Department of Education to work with IHEs to combat cybersecurity threats and strengthen cybersecurity infrastructure. Ensuring information confidentiality, security, and integrity depends on cooperation among the department, IHEs, and other entities, including state grant agencies, lenders, contractors, and third-party servicers.
To whom does the rule apply?
The new Safeguards Rule applies to a wide range of entities, including IHEs that offer government financial aid services to students. It applies to financial institutions that are under the FTC’s jurisdiction and not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA). When entering into a Department of Education Program Participation Agreement (PPA), the institution agrees to comply with the Standards for Safeguarding Customer Information, 16 C.F.R. Part 314, issued by the FTC, as required by the GLBA.
Why is this important to my organization?
Per the PPA, any breach of the security of student records and information indicates a potential lack of administrative capability. As cyber events become more frequent, it is critical that organizations maintain an information security program and ongoing compliance monitoring to meet insurance requirements and to establish a defense in the event of legal proceedings.
What does the new rule cover?
The new rule requires IHEs to implement comprehensive information security programs to protect students' personal and financial data from unauthorized access or misuse. IHEs must evaluate and update their existing policies, procedures, and systems to align with the new requirements. This may include updating their data security practices, conducting risk assessments, and training employees on SFA data-security best practices.
The Safeguards Rule identifies nine program elements and eight safeguard controls that an organization’s information security program must include:
| Program elements | Safeguard controls |
|---|---|
| Board reporting and oversight | Periodic access reviews |
| Qualified information-security owner | Periodic inventory of consumer data |
| IT risk assessment | Encryption of customer data |
| Security training | Evaluation of application security |
| Information-security program | Multifactor authentication |
| Incident response plan | Secure disposal of consumer data |
| Monitoring of service providers | Log maintenance |
| Program maintenance | Change management |
When does the rule take effect?
The new rule takes effect June 9, 2023, and IHEs must respond promptly to ensure compliance with the new requirements.
What are the breach reporting requirements?
Department of Education
Per the Student Aid Internet Gateway Participation Agreement, a state grant agency shall submit a report in writing of any use, disclosure, or re-disclosure of Institutional Student Information Record (ISIR) data or Free Application for Federal Student Aid (FAFSA) filing status information within one business day after the agency learns of such unauthorized use, disclosure, or re-disclosure to:
U.S. Department of Education, Federal Student Aid, 830 First St. NE, Union Center Plaza, Room 32E1, Washington, DC 20202, or via e-mail at FAFSACompletion@ed.gov.
The report must identify the following:
- (i) The nature of the unauthorized use, disclosure or re-disclosure
- (ii) The ISIR data or FAFSA filing status information used, disclosed, or re-disclosed
- (iii) The person or entity, if known, that made the unauthorized use or received the unauthorized disclosure or re-disclosure
- (iv) What the agency has done or will do to notify affected FAFSA applicants and to mitigate any deleterious effect of the unauthorized use, disclosure, or re-disclosure
- (v) What corrective action the agency has taken or will take to prevent future similar unauthorized use, disclosure, or re-disclosure
Federal Trade Commission
The FTC provides a guide detailing what businesses must do in the event of a data breach. Noncompliance with the rule could result in costly fines, criminal penalties, litigation, and damage to the institution's reputation.
How can I get assistance?
To support the development and implementation of an information security program, an IHE may wish to engage a consulting firm with experience in data security and regulatory compliance. A consulting firm can provide customized guidance and support to help ensure that a program is comprehensive and complies with the new rule.
NIST 800-171 standards
The Department of Education will issue future guidance on the information security standards provided in National Institute of Standards and Technology (NIST) Special Publication 800-171. Until then, the department encourages IHEs to incorporate the NIST standards into the written information security program required under the GLBA as soon as possible. Compliance with GLBA requirements is not the same as compliance with NIST 800-171. The current information-security requirements that institutions must meet are the GLBA Safeguards Rule requirements at 16 C.F.R. Part 314.
This article was written by John MacDonald and originally appeared on 2023-05-15. Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved.
https://rsmus.com/insights/industries/nonprofit/higher-ed-institutions-need-to-comply-with-new-cyber-rule.html