Higher Ed Institutions Need to Comply with New Cyber Rule

Article | Released on May 15, 2023

Background

The Federal Trade Commission enacted the Standards for Safeguarding Customer Information—known as the Safeguards Rule—in 2003 to ensure that entities covered by the rule protect customer information. After public comment, the FTC amended the rule in 2021 to keep pace with current technology. The revised version, which takes effect June 9, preserves the flexibility of the original rule and provides more specific guidance for businesses, including institutions of higher education (IHEs). The rule addresses core data security principles that all covered organizations must implement.

Why the change?

The rule change comes in response to increasing concerns about the vulnerability of sensitive personal information to data breaches, identity theft, and other cyber threats. Data breaches at organizations entrusted with personally identifiable information continue to proliferate, reinforcing the need for the U.S. Department of Education to work with IHEs to combat cybersecurity threats and strengthen cybersecurity infrastructure. Ensuring information confidentiality, security, and integrity depends on cooperation among the department, IHEs, and other entities, including state grant agencies, lenders, contractors, and third-party servicers.

To whom does the rule apply?

The new Safeguards Rule applies to a wide range of entities, including IHEs that offer government financial aid services to students. It applies to financial institutions under the FTC’s jurisdiction and is not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA). When entering into a Department of Education Program Participation Agreement (PPA), the institution agrees to comply with the Standards for Safeguarding Customer Information, 16 C.F.R. Part 314, issued by the FTC, as required by the GLBA.

Why is this important to my organization?

Per the PPA, any breach of the security of student records and information displays a potential lack of administrative capability. As cyber events become more frequent, it is critical that organizations maintain an information security program and ongoing compliance monitoring to meet insurance requirements and establish a defense in the event of legal proceedings.

What does the new rule cover?

The new rule requires IHEs to implement comprehensive information security programs to protect students' personal and financial data from unauthorized access or misuse. IHEs must evaluate and update their existing policies, procedures, and systems to align with the new requirements. This may include updating their data security practices, conducting risk assessments, and training employees on SFA data-security best practices.

The Safeguards Rule identifies nine program elements and eight safeguard controls that an organization’s information security program must include:

Program elements	Safeguard controls
Board reporting and oversight	Periodic access reviews
Qualified information-security owner	Periodic inventory of consumer data
IT risk assessment	Encryption of customer data
Security training	Evaluation of application security
Information-security program	Multifactor authentication
Incident response plan	Secure disposal of consumer data
Monitoring of service providers	Log maintenance
Program maintenance	Change management

When does the rule take effect?

The new rule takes effect June 9, 2023, and IHEs must respond promptly to ensure compliance with the new requirements.

What are the breach reporting requirements?

Department of Education

Per the Student Aid Internet Gateway Participation Agreement, a state grant agency shall submit a report in writing of any use, disclosure, or re-disclosure of institutional student information records (ISIR) data or Free Application for Federal Student Aid (FAFSA) filing status information within one business day after the agency learns of such unauthorized use, disclosure or redisclosure to:

U.S. Department of Education, Federal Student Aid, 830 First St. NE, Union Center Plaza, Room 32E1, Washington, DC 20202, or via e-mail at FAFSACompletion@ed.gov.

The report must identify the following:

• (i) The nature of the unauthorized use, disclosure or re-disclosure
• (ii) The ISIR data or FAFSA filing status information used, disclosed, or re-disclosed
• (iii) The person or entity, if known, that made the unauthorized use or received the unauthorized disclosure or re-disclosure
• (iv) What the agency has done or will do to notify affected FAFSA applicants and to mitigate any deleterious effect of the unauthorized use, disclosure, or re-disclosure
• (v) What corrective action the agency has taken or will take to prevent future similar unauthorized use, disclosure, or re-disclosure

Federal Trade Commission

The FTC provides a guide detailing what businesses must do in the event of a data breach. Noncompliance with the rule could result in costly fines, litigation, and damage to the institution's reputation, including criminal penalties

How can I get assistance?

To support the development and implementation of an information security program, an IHE may wish to engage a consulting firm with experience in data security and regulatory compliance. A consulting firm can provide customized guidance and support to help ensure that a program is comprehensive and complies with the new rule.

NIST 800-171 standards

The Department of Education will issue future guidance on the information security standards provided in National Institute of Standards and Technology (NIST) Special Publication 800-171. Until then, the department encourages IHEs to incorporate the NIST standards into the written information security program required under the GLBA as soon as possible. Compliance with GLBA requirements is not the same as compliance with NIST 800-171. The current information-security requirements that institutions must meet are the GLBA Safeguards Rule requirements at 16 C.F.R. Part 314.

This article was written by John MacDonald and originally appeared on 2023-05-15.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/industries/nonprofit/higher-ed-institutions-need-to-comply-with-new-cyber-rule.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

Hylant is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how ​Hylant can assist you, please call 800-249-5268.