The Federal Trade Commission (FTC) recently amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education.
Background
The new Safeguards Rule provides schools with specific details on their obligations to protect consumer (student) financial information.
The GLBA is a federal law enforced by the FTC that governs how financial institutions use and collect Personally Identifiable Information of their customers. The specific cybersecurity requirements of the GLBA are set forth in the Safeguards Rule. The U.S. Department of Education, via the Program Participation Agreement, several “Dear Colleague” letters, the FSA Handbook and the audit guide, has made it clear that Title IV schools are considered financial institutions and subject to the legal obligations to protect student information required under the GLBA. As such, Title IV schools must now meet these strengthened security requirements.
This is the first amendment to the Safeguards Rule. Previously, the rule contained general language requiring financial institutions (including schools) to develop, implement and maintain a comprehensive, written information security program containing administrative, technical and physical safeguards. The new Safeguards Rule sets forth specific criteria for what safeguards must be included in an information security program, i.e., security controls such as encryption (while in use and at rest) and multifactor authentication. The new Safeguards Rule provides schools with specific details on their obligations to protect consumer (student) financial information.
What Is New?
Single “Qualified Individual” Responsible for Information Security Program
Under the old Safeguards Rule, one or more individuals could be designated to oversee and implement the information security program. Under the new Safeguards Rule, a single, “Qualified Individual” must be responsible for overseeing and implementing the information security program. The qualifications needed for the Qualified Individual will depend upon the size and complexity of a school’s information system and the volume and sensitivity of the information. The individual may be an employee, a service provider or an affiliate. If using a service provider or an affiliate, the school remains responsible for compliance with the Safeguards Rule and must: (i) designate a senior employee to direct and oversee the Qualified Individual and (ii) require the service provider/affiliate to maintain an information security program that complies with the requirements of the Safeguards Rule.
Written Risk Assessment
Previously, schools were required to conduct a risk assessment that identified reasonably foreseeable internal and external risks and assess the sufficiency of any safeguards in place to control these risks in three key areas: (i) employee training and management, (ii) information systems and (iii) detecting, preventing and responding to attacks. Under the new Safeguards Rule, this assessment must now be in writing. The written assessment must also include criteria for (i) evaluating and categorizing any identified security risks, (ii) assessing the confidentiality, integrity and availability of information systems and customer information (including adequacy of existing controls in the context of the identified risks) and (iii) identifying which risks will be mitigated or accepted. Written risk assessments must be reexamined periodically to evaluate the sufficiency of the mitigations.
Specific Elements for Information Security Program
The new Safeguards Rule also sets forth specific safeguards that must be implemented to control the risks identified in the risk assessment, including:
- Implementing technical and physical access controls to authenticate and limit access to authorized users. Access controls must also limit authorized access only to the extent needed to perform duties and functions, or to customers as needed to access their own information;
- Inventorying and managing all data, personnel, devices, systems and facilities used;
- Encrypting all customer information held or transmitted over external networks and at rest (in storage);
- Adopting secure development practices for in-house-developed software applications and/or procedures for evaluating, assessing or testing the security of externally developed applications;
- Implementing multifactor authentication for individuals who access any information system;
- Adopting policies and procedures to minimize the unnecessary retention of data. Policies must also address secure disposal of customer data no later than two years after the last date used, unless such information is necessary for business operations or is otherwise required to be retained by law or regulation;
- Adopting procedures for change management; and
- Adopting systems to monitor and log the activity of authorized users and detect unauthorized access.
Monitoring and Testing
The new Safeguards Rule sets forth specific requirements for testing the effectiveness of the information security program. Schools must regularly test or otherwise monitor the effectiveness of their program and safeguards through continuous monitoring or periodic penetration testing and vulnerability assessments. Penetration testing is an authorized attack on an information system designed to detect weaknesses in the system. A vulnerability assessment may include systemic scans of information systems for known security vulnerabilities. Absent continuous monitoring, penetration testing must be performed at least once a year and a vulnerability assessment at least twice a year, in addition to when there are material changes.
Security Training and Personnel Requirements
The new Safeguards Rule also updates the employee security training requirement. Security awareness training must be updated to reflect risks identified in the risk assessment. Additionally, ongoing training for security personnel is required. This includes verification that security personnel are taking steps to stay current on emerging threats and countermeasures.
Oversight of Service Providers
The new Safeguard Rule retains the previous requirement for schools to select service providers that maintain appropriate safeguards of consumer financial information and to have oversight of those service providers. The new rule also requires periodic assessment of service providers (and vendors) based on the risk they present and continued adequacy of their safeguards.
Written Incident Response Plan
The new Safeguard Rule requires a written incident response plan. The plan must establish and address the following areas: goals of the plan, internal processes for responding to a security threat, clear definition of roles, external and internal communication, requirements for remediation, documentation and report of security events, and evaluation and revision to the response plan following a security event.
Exemptions
If an institution maintains fewer than 5,000 customers, the following aspects of the new Safeguards Rule do not apply: written risk assessment, written incident response plan and written annual report by a Qualified Individual. Schools that possess information for less than 5,000 customers (based on the data retained, not the current student population) must still have a risk assessment, response plan and annual report―but are exempt from the written component. The exemption would also extend to the requirement for continuous monitoring and penetration testing (general testing/monitoring is still required). All other requirements of the new rule apply.
Timing for Implementation
The key requirements of the new Safeguards Rule, including the requirements detailed in this Alert, are effective December 9, 2022. These requirements are not policies and procedures that can be implemented overnight. Schools should work with legal counsel and an information security professional to draft or revise a comprehensive cybersecurity program to protect student records.
You can review our webinar for further details on this topic.
For More Information
If you have any questions related to this Alert, please contact Michelle Hon Donovan, Jessica S. High, any of the attorneys in the Higher Education Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.