FTC’s ‘Safeguards Rule’ cybersecurity proposal may burden higher ed

The Federal Trade Commision extended the deadline on comments for a notice of proposed rulemaking earlier this month that will leave higher education stakeholders until Aug. 2 to weigh in on new proposed cybersecurity requirements for their institutions. The changes, first announced by the FTC in March, would impose stringent new regulations on all financial institutions, including colleges and universities, thanks to their financial aid activities, that many in higher education are saying would be difficult or impossible to fully comply with.

The FTC is proposing expansion a 2003 regulation called the Safeguards Rule, designed to ensure the safekeeping of data and networks in institutions handling consumer financial data. Under the new requirements, colleges and universities would be directed to implement comprehensive cybersecurity programs that extend far beyond what most higher education institutions have committed to today.

Among the new provisions of the Safeguards Rule, colleges and universities would be required to employ an official or team of officials dedicated to the implementation and regulatation of their cybersecurity programs, as opposed to simply being required to “coordinate” such programs today. They would also be required to implement many new controls on data privacy, including end-to-end encryption for all data and multi-factor authentication for any service that touches “customer” information. They would also be required to either instate continuous networking monitoring or conduct annual penetration testing along with biannual vulnerability assessments. These are just a few of the many new requirements the commission’s notice proposes.

And while groups such as Educause, a nonprofit that advocates for the use of information technology in higher education, support the idea of improved cybersecurity in the nation’s colleges and universities, how these regulations are being advanced would create a “burden” on those pursuing compliance, the group says.

The timeline outlined by the FTC would be particularly difficult for higher education to comply with, said Jarret Cummings, Educause’s senior adviser for policy and government relations.

“The broad expanse of requirements creates a real potential burden for colleges and universities, particularly given the FTC is proposing for most of those requirements to take effect for most institutions six months after the final regulations are published.”

Six months, Cummings said, would likely not be enough time for institutions — even those that already have cybersecurity governance upgrades underway — to comply with the FTC’s many proposed rule changes. How much of a burden, he said, would depend on how sophisticated a given institution’s cybersecurity posture is. Some are further along than others, but many colleges and universities’ cybersecurity programs lag behind those in the private sector or those run by their local governments, as they struggle to find adequate technical talent.

Previously, institutions that fell under the Safeguards Rule were permitted some flexibility in how they adhered to its standards. It required institutions’ implementations only to be “appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” And given that schools must already comply with Family Educational Rights and Privacy Act, which regulates much of the same activity, Cummings said, it was long thought that while higher education institutions technically fall under the Safeguards Rule, they weren’t expected to act the same as banks do.

But under the new proposal, higher education groups say much of that flexibility would be gone. Cummings said the FTC is taking a one-size-fits-all approach, despite the many obvious differences between a community college, for example, and Goldman Sachs.

“It’s so broad and has so many requirements that I don’t think they’re balancing the reality of what these institutions are expected to do,” Cummings said.

One major concern Educause has raised so far in its comments to the FTC is how the regulations might impede adoption of cloud computing technologies. More services and teaching tools are being deployed from the cloud, and the group says these new regulations could discourage the adoption of new tools that are designed to aid student learning.

The FTC is listening, however. Just before the previous June 3 public-comment deadline, the commission agreed to extend it to August 2, at the request of the education nonprofit. At its most basic, Educause’s critique of the proposal, as outlined in its public comment, is that “higher education institutions are not financial institutions in a practical sense, and the FTC’s proposed additions and revisions to the rule do not effectively account for this reality.”