New federal IT requirements coming to higher ed, Educause says
There are some big changes on the horizon for universities’ IT policies relating to cybersecurity, data privacy, and web accessibility, speakers at the Educause 2022 conference in Denver said on Thursday.
One change is coming after the Federal Trade Commission published its revised Safeguards Rule last Dec. 9, with a one-year deadline to come into compliance with new cybersecurity protections and requirements. Higher education IT leaders should be working toward meeting that rule’s long list of requirements, said Jarett Cummings, senior adviser for policy and government relations at Educause. Those include appointing a person or team to coordinate an institutional information security program, conducting a risk assessment and developing information-security controls.
“The good news is that historically speaking the FTC doesn’t view higher education as a significant compliance priority,” Cummings said. “So while there’s a December deadline for compliance from the FTC, I think institutions can expect that there will be some breathing room to continue working on fully implementing all the provisions of the Safeguards Rule.”
Whether there will be new cyber incident reporting requirements remains to be seen, Cummings said. A notice of proposed rulemaking also published last December would require institutions to report to the FTC data breaches affecting at least 1,000 people. Cummings said Educause and the American Council on Education are currently seeking clarification on how this rule would affect colleges and universities.
“We still do not have an indication of when the FTC is going to finish analyzing all those comments and produce a final regulation,” Cummings said. “It does seem likely, however, that there will be a reporting requirement at some point.”
Cyber incident reporting
There’s also the Cybersecurity and Infrastructure Security Agency’s Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, which applies to entities that fall under the Department of Homeland Security’s list of “critical infrastructure” sectors. While these reporting requirements will not apply to higher education institutions, earlier iterations of this legislation would have required colleges to report cyber incidents within 72 hours alongside all other federal contractors, a requirement that sparked concern in higher ed, Cummings said.
“While this regulation will not directly impact higher education, that does not mean colleges and universities will avoid facing federal cyber incident reporting requirements in the future,” wrote Katie Branson, a policy consultant for Educause and partner with the lobbying firm Ulman Public Policy. “For example … other legislation introduced last year, specifically the Federal Information Security Modernization Act, sought to establish federal contractor and grantee responsibilities to their respective federal agencies for reporting security incidents involving agency data or systems.”
Data and accessibility rules
While efforts to create a comprehensive federal data-privacy standard through the American Data Privacy and Protection Act have stalled, discussions will continue at the state and federal level, Cummings said. Since “future laws are often built on the bones of past bills,” Cummings advised higher ed IT leaders to look at how a bill like the ADPPA would affect them, and particularly how it might complicate FERPA compliance.
“It’s unlikely that we’re going to see a Privacy and Protection Act move to the floor in either chamber in this Congress, but should this provision occur, that’s something we’re going to be working with the rest of the higher education community to try and help the relevant congressional committees understand how problematic it would be for higher education to have confusion created around student records privacy,” Cummings said.
Potential changes to web accessibility requirements, both from the Justice Department and the Education Department’s Office for Civil Rights, are also coming down the pike — “we just don’t know yet how,” Cummings said. The civil rights office announced this year that it plans to update requirements under Section 504 of the Rehabilitation Act, and a public rulemaking process is expected to begin next spring. The DOJ is expected next year to pursue updates to accessibility requirements for state and local government websites under Title II of the Americans with Disabilities Act, which also applies to public colleges and universities.
“I do expect that there will be some significant parallels between the two sets of regulations,” Cummings said. “But it’s really hard to anticipate without seeing the proposed rulemaking for either case.”