(November 18, 2016 – Jarret Cummings) EDUCAUSE joined with the National Association of College and University Business Officers (NACUBO) to address questions raised by the Federal Trade Commission (FTC) about potential updates to the Safeguards Rule established under the Gramm-Leach-Bliley Act (GLBA). While GLBA was passed well over a decade ago primarily to address information security and privacy concerns at financial institutions, colleges and universities fall under its scope, too, due to their role in providing access to federal student aid (and particularly federal student loans). At the time regulations were being written to implement GLBA, NACUBO secured the FTC’s agreement that FERPA compliance by colleges and universities would count as compliance with the GLBA Privacy Rule. Higher education institutions would still have to comply directly with the requirements of the Safeguards Rule, however, which include steps such as having a comprehensive information security program and a designated coordinator to ensure its ongoing implementation and maintenance.
As part of the FTC’s periodic review of its regulations, the Commission released a request for comments (RFC) to get input on possible changes to “modernize” the Safeguards Rule. To this point, one of the Rule’s key features has been the flexibility it grants to covered organizations to take information security measures consistent with their specific contexts. In other words, the Rule tells an affected entity that it must take certain broad-based information security steps, but the organization itself decides how to pursue those steps based on what it determines is “appropriate to [its] size and complexity, the nature and scope of [its] activities, and the sensitivity of any customer information at issue” (16 CFR 314.3(a)). In its recent RFC, however, the FTC asked whether it should deviate from this path and consider specifying the particular elements of what will count as a “comprehensive information security program,” as well as the specific information security standard(s) and breach notification provisions such programs should include.
EDUCAUSE and NACUBO responded by highlighting the wisdom of the FTC’s original thinking in allowing for context-dependent approaches to complying with the Safeguards Rule. The association’s comments stressed the highly diverse nature of the higher education community, spanning community colleges, comprehensive universities, liberal arts colleges, research-intensive institutions, and so forth. Given this diversity, EDUCAUSE and NACUBO noted that their member institutions must continue to have the flexibility to implement information security programs that reflect the totality of the data they manage and associated risks they face, not just those relevant to GLBA — their unique data and risk-management issues, as opposed to one-size-fits-all regulatory mandates, should continue to dictate the security standards and plan elements higher education institutions choose. Supplanting context-dependent security requirements with rigid regulatory provisions would, in the associations’ view, undermine the very information security the Rule seeks to achieve, and it would do so not just for the information the Rule seeks to secure, but for all of the data institutions manage.
NACUBO and EDUCAUSE submitted their response by the comment deadline of November 7, 2016. Shortly thereafter, the FTC extended the comment period to November 21, 2016, most likely due to the limited number of responses (eight) the Commission had initially received. The associations will watch for developments emerging from the FTC’s evaluation of the Safeguards Rule as it proceeds. Our hope is that the Commission will accept our recommendation to avoid degrading the Safeguards Rule’s inherent flexibility, and to instead enhance the guidance and resources it makes available to affected entities, with the goal of facilitating not only greater compliance, but improved information security generally. EDUCAUSE and NACUBO will continue working toward that end.
Jarret Cummings is director of policy and government relations at EDUCAUSE.