Colleges and universities handling federal financial aid will soon be required to step up their student data protection standards to meet the requirements of the Federal Trade Commission’s updated Safeguards Rule.
By June 9, 2023, colleges and universities will be expected to have completed a series of prescriptive actions to improve their cybersecurity and protect sensitive student information.
These actions include designating a “qualified individual” to oversee institutional information security, conducting a written risk assessment, composing a written incident response plan, increasing oversight of service providers, offering security training to staff and taking steps to control access to student information.
While these requirements were initially set to come into force by December 6, 2022, the FTC granted a six-month extension in November.
One of the difficulties for higher education institutions preparing to meet the requirements of the Safeguards Rule is that it may not always be clear when it should be applied, said James T. Shreve, a partner at the law firm Thompson Coburn.
The Safeguards Rule, part of the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, was designed to address how financial institutions should securely handle customer information and is not tailored to address how colleges handle student financial information, Shreve said.
“If you’re a bank or lender or security firm, most of what you do, maybe all of what you do, is financial in nature, so the Safeguards Rule applies to the whole enterprise,” said Shreve, who chairs his firm’s cybersecurity practice. “In higher education, your student lending program is a much smaller part of the overall operation.”
While colleges are considered financial institutions by the FTC because they handle student financial data, it is not clear how institutions should “fence in” the data that is, or is not, subject to the updated Safeguards Rule requirements, said Shreve.
“It’d be great to get some insight from the FTC on this, but I don’t think we’re going to,” he said.
Among some of the more challenging protections for higher education institutions to implement is the requirement that student financial data be encrypted not only when it is being transferred between systems, but also when it is “at rest.”
Requiring institutions to store encrypted data can make it more cumbersome to work with, potentially slowing down systems that need to access this information regularly, Shreve said.
Additionally, new requirements for continuous monitoring can be “very expensive, and create enormous data logs,” he said.
“If you’re tracking what everybody is doing all the time, that is an enormous amount of data that you’re creating,” Shreve said.
He said many institutions will likely not be 100% in compliance by June 9, but the good news is that the FTC “can’t necessarily go after everybody.” He did, however, recommend that institutions “have a plan.”
“Look at all the control requirements you have to put in place, look at what you’re already doing and think about things that you can do before the deadline,” Shreve said.
Documenting what can’t be done right now and setting a timeline for each item’s completion is a good fall-back option, he said, so “if the FTC comes, or the Department of Education looks at you, you have a plan for how you’re working to get into compliance.”