FTC Updates to “Safeguards Rule” Have Impacts for Higher Education Institutions
On December 9, 2021, the Federal Trade Commission (FTC) published a final rule amending the requirements for safeguarding customer information under the Gramm-Leach-Bliley Act (GLBA) (the Safeguards Rule). The Safeguards Rule has long established cybersecurity standards under which customer information must be maintained by financial institutions, a category that includes all higher education institutions that participate in the federal student financial aid programs authorized by Title IV of the Higher Education Act of 1965, as amended (Title IV). Importantly, all Title IV institutions, whether public, private nonprofit or for-profit, must comply with GLBA cybersecurity requirements as a condition of Title IV participation. Consequently, postsecondary institutions should be aware of the following key elements of the updated Safeguards Rule:
- Designation of a single qualified individual for program oversight. The amended Safeguards Rule requires institutions to concentrate the ultimate oversight and implementation of their information security (IS) program in one qualified individual (QI). Previously, oversight responsibility could be shared among individuals in multiple roles. If the QI is not an employee of the institution, but instead is employed by an “affiliate” or a third-party vendor, the institution nonetheless retains all compliance obligations under the Safeguards Rule, must direct the QI to maintain an IS program that complies with all applicable requirements, and must designate a “senior member” of institutional personnel to direct and oversee the non-employee QI.
- Foundational role of written risk assessment to IS program. An institution’s IS program must be based on a written risk assessment that identifies “reasonably foreseeable internal and external risks to the security, confidentiality, and integrity” of the student (consumer) information it holds. While risk assessments have long been required, written documentation of them had not been mandatory until now. The written assessment must evaluate the risk of unauthorized disclosure, misuse, alteration, destruction or other compromise of that information and the sufficiency of existing safeguards, and it must be periodically re-evaluated so that both the assessment and the safeguards built on it remain adequate as the institution’s systems and threats change. The written risk assessment must at least include three specified elements:
- Criteria to evaluate and categorize the identified IS risks and threats the institution faces;
- Criteria to assess the confidentiality, integrity and availability of the institution’s information systems and the customer information they hold, including the adequacy of existing controls; and
- Requirements describing how identified risks will be mitigated or accepted based on the assessment, and how the IS program will address those risks.
- Design of IS safeguards to control the specific array of assessed risks. In light of the written risk assessment, institutions must design and implement safeguards that control the identified risks. While the Safeguards Rule previously required institutions to design and implement safeguards that were generally responsive to issues identified in the institution’s risk assessment, the updated Safeguards Rule goes further by specifying what the safeguards must address. The updated Safeguards Rule lists eight (8) specific types of safeguards that institutions must implement:
- Access controls, including authenticating users, limiting access to customer information to authorized users who need it, and periodically reviewing who holds such access;
- An inventory of the data, personnel, devices, systems and facilities on which the institution conducts its business, evaluated for their business necessity in light of the IS risk they may present;
- Encryption of all customer information, both at rest and in transit over external networks (or, where encryption is infeasible, equivalent compensating controls approved by the QI);
- Secure development practices for in-house applications that store, access or transmit customer information, and procedures for evaluating the security of externally developed applications;
- Multi-factor authentication for any individual accessing any information system that holds customer information;
- Secure data disposal procedures, including disposal of customer information no later than two years after its last use unless it is still needed for a legitimate business purpose or retention is otherwise required;
- Change management procedures; and
- Procedures and controls to monitor and log the activity of authorized users and to detect unauthorized access to, or use of, customer information.
- Testing, monitoring and iterative evaluation. Institutions are already obligated to regularly monitor their internal controls, procedures and other systems to detect and defend against actual and attempted intrusions into their information systems. The revised Safeguards Rule adds minimum frequencies at which two types of testing must be conducted unless the institution performs “continuous monitoring” of the systems at issue. At a minimum, institutions must conduct “vulnerability assessments” (systematic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities, scoped according to the risk assessment) at least every six months, and whenever there are material changes to the institution’s operations or other circumstances likely to have a material impact on the IS program. Institutions must also conduct “penetration testing” (an authorized attempt to circumvent or defeat the security features of an information system from outside or inside the institution’s networks, based on the risks identified in the risk assessment) at least annually. Based on the results of such testing and monitoring, as well as any material changes in the institution’s operations, the revised Safeguards Rule requires institutions to periodically re-evaluate and adjust their IS program components.
- Ensure personnel training and continuing education. Institutions must provide “security awareness” training to all personnel, updated as necessary to reflect risks identified by the risk assessment, and must use qualified IS personnel, whether employees, affiliates or service providers, to manage the IS program. IS personnel must receive security updates and training sufficient to address the specifically identified risks to the institution’s information systems, and institutions must verify that “key” IS personnel take steps to keep their knowledge and skills current on information security threats and available countermeasures. These requirements add specificity to the existing training requirement.
- Oversight and assessment of service providers. To the extent that institutions contract with vendors who assist in the preparation, maintenance, and use of the institution’s IS and its underlying data, institutions must take “reasonable steps” to select vendors who have the capacity to safeguard such data and must contractually require that the vendors do in fact safeguard that data. Under the amended Safeguards Rule, institutions must now also “periodically assess” those vendors, the IS risks they present and the continued adequacy of each vendor’s safeguards.
- Written incident response plan. Each institution must now create and maintain a written response plan that helps the institution “promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability” of the consumer information within its control. The written response plan must include:
- Stated goals of the plan;
- The internal processes for responding to a security event;
- The roles, responsibilities and levels of decision-making authority assigned to the personnel involved in the response;
- External and internal communications and information-sharing plans;
- Requirements for remediating any weaknesses identified in the institution’s information systems and controls; and
- Documentation and reporting of security events and related response activities, and evaluation and revision of the plan as necessary following a security event.
- Mandatory reporting to board of directors. At least annually, the QI overseeing the institution’s IS program must now make a written report to the board of directors or analogous governing body. If no such body exists, the report must be made to the senior institutional officer to whom the QI reports. The report must at least include:
- The overall status of the IS program, including its compliance with the updated Safeguards Rule; and
- Material matters relating to the IS program, such as the risk assessment, risk management and control decisions, service provider arrangements, testing results, security events or violations and management’s responses to them, and recommendations for changes or improvements to the program.
- Effective date. The formal effective date of the amended Safeguards Rule is January 10, 2022. However, due to the length of time required to implement many of the described provisions, the effective date of most above-described elements is December 9, 2022. This later effective date includes the provisions relating to board reporting, the written incident response plan, personnel training, the design of risk-assessment-specific safeguards and the designation of a QI.
- Limitations based on institutional size. Certain provisions of the updated Safeguards Rule do not apply to institutions that maintain customer information concerning fewer than 5,000 consumers. Note that this count is not limited to the current student body; it includes every individual about whom the institution retains covered information, such as applicants, incoming freshmen and program graduates. Specifically, those smaller institutions are not required to have the QI report annually to the board of directors, to maintain a written risk assessment or written incident response plan, or to conduct the continuous monitoring or periodic penetration testing and vulnerability assessments that larger institutions must undertake. Institutions near the threshold should therefore inventory their retained records before relying on the exemption, since records kept about former applicants and alumni count toward it.
This summary of the amended Safeguards Rule should not be construed to constitute legal advice. For many higher education institutions, implementation of the amended Safeguards Rule will require coordination and alignment with other applicable privacy and data security requirements. Please do not hesitate to contact the authors if you have any questions regarding these or other education regulatory matters.