Cyber Incident Reporting Under the Safeguards Rule?


The Federal Trade Commission (FTC) is seeking public comments on whether to require institutions that are subject to its Safeguards Rule, which includes colleges and universities, to report certain security events to it.

When the Federal Trade Commission (FTC) released the text of its revised Safeguards Rule (the Rule) on October 27, it also issued a supplemental notice of proposed rulemaking on whether to make a further revision to the Rule.[1] The potential change that the FTC is seeking comments on concerns the possibility of the agency requiring covered entities, which include colleges and universities, to report security events to it that are related to "customer information" as defined by the Rule.

More specifically, the proposed addition to the Safeguards Rule would mandate that an institution report a security event to the FTC when the institution:

  1. determines that "misuse of customer information has occurred or is reasonably likely;" and
  2. "at least 1,000 consumers have been affected or reasonably may be affected."

Institutions would have to report "as soon as possible, and no later than 30 days after the event" via a webform on the FTC website. The report would have to include the following elements:

  • The name of and contact information for the institution
  • A description of the types of information involved in the event
  • The date or date range of the event (if possible)
  • A general description of the security event[2]

As currently envisioned, this requirement would take effect six months after it is published in the Federal Register. This timing would most likely put its effective date in roughly the same timeframe as the full set of new mandates in the revised Safeguards Rule, which are set to go into effect one year after the revised Rule is published in the Federal Register.

In the higher education community comments on the 2019 rulemaking notice that led to the recently released new version of the Rule, EDUCAUSE joined the American Council on Education (ACE) and other association partners in arguing against the idea of adding incident reporting to the Safeguards Rule.[3] We noted at the time that colleges and universities must already manage a slew of state and federal breach reporting requirements, and it wasn't clear what additional value would be realized by adding one for the FTC to the mix, especially given the additional burden that having yet another cybersecurity reporting requirement would place on institutions.

The current FTC proposal appears likely to lessen EDUCAUSE members' concerns, at least to some extent. The factors that would trigger a report under this provision seem reasonably limited. A one-thousand record threshold for reporting is not ideal from a higher education perspective, but the need for an institutional determination that "misuse [of the customer information in question] has occurred or is reasonably likely" should limit the range of relevant incidents significantly—especially given the new Safeguards Rule requirement that institutions encrypt all customer information at rest or when it is being transmitted over external networks.

One of the questions the FTC has asked for public comments on is whether the proposed reporting provision should specifically exclude events involving encrypted data. The FTC is also seeking public comments on whether:

  • the one-thousand consumer record threshold and the thirty-day deadline for reporting are appropriate;
  • the categories of information to be reported are sufficient;
  • covered entities should be able to delay reporting based on a request from a law-enforcement agency related to an ongoing investigation;
  • institutional reports should be made public (as the proposed requirement currently envisions);
  • the FTC should not impose its own reporting requirement and only ask institutions to share reports that they are already required to make under other laws and regulations;
  • institutions should have to provide notice to consumers when they submit a report to the FTC; and
  • the FTC should have a Safeguards Rule incident reporting requirement at all.

On the issue of requiring incident reporting in the first place, the FTC's lack of specifics about how it would make use of the reports it receives supports questioning why the requirement should be imposed. The FTC states that such reporting would raise its awareness of "security events that suggest a financial institution's security program does not comply with the Rule's requirements" and thus help it enforce the Rule.[4] In addition, the FTC notes that making reports publicly available, as currently proposed in its draft text of the new provision, would "assist consumers by providing information as to the security of their personal information in the hands of various financial institutions."[5] On this latter point, though, the level of information an institution would be required to report, which the FTC appropriately proposes to keep at a high level to avoid placing an excessive burden on institutions, would be too general to be useful to an individual consumer. At the same time, such general reports may potentially serve as fodder for media coverage that could raise serious-yet-unwarranted concerns across an institution's "consumer" and "customer" populations. Regarding incident reporting to facilitate regulatory enforcement, the FTC provides no basis for understanding the objective standards that might lead to an enforcement action resulting from a required report. If the agency intends to use institutional reports as the basis for legal action to enforce the Rule, as compared to using them to inform future improvements to the Rule, then it should make clear what factors in a report could lead to enforcement concerns, especially since compliance with Safeguards Rule requirements does not and cannot guarantee that an organization will avoid a security event.

In other words, the FTC knows that an institution may follow the Rule's mandates without fail and still encounter a compromise of covered information. The commission should therefore be able to say, for example, whether it has a de facto threshold above the initial reporting level of one thousand consumer records that may trigger enforcement action or what the grounds are for further FTC scrutiny based on a required report. As currently written, the proposed reporting requirement provides covered institutions with no indication of when the submission of otherwise general information could trigger a deeper FTC review. That unnecessarily raises the stakes for the proposed measure and may render it counterproductive as institutions seek to minimize all risks associated with a report since they will have little, if any, information about what the reporting risks for a given report might be.

EDUCAUSE members and staff will work together to explore these concerns and others that may arise from their collaborative efforts. If submitting comments on this rulemaking seems warranted, EDUCAUSE will also engage with its association partners to invite broader participation and support in a response to the FTC's proposal. Comments will most likely be due in January 2022, with the FTC having no set timetable for finalizing and issuing a Safeguards Rule reporting requirement thereafter if it chooses to do so.

Notes

  1. Federal Trade Commission, "FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches," October 27, 2021; Federal Trade Commission, "16 CFR Part 314: Standards for Safeguarding Customer Information (Supplemental Notice of Proposed Rulemaking)," pre-publication copy (October 27, 2021).
  2. Ibid., 20.
  3. American Council on Education, et al., letter to the Federal Trade Commission, "Request for Public Comment on Notice of Proposed Rule-Making, 'Standards for Safeguarding Customer Information' (Safeguards Rule, 16 CFR 314, Project No. P145407)," August 2, 2019, 15.
  4. Federal Trade Commission, "16 CFR Part 314: Standards for Safeguarding Customer Information (Supplemental Notice of Proposed Rulemaking)," pre-publication copy (October 27, 2021), 6.
  5. Ibid., 15–16.

Jarret Cummings is Senior Policy Advisor at EDUCAUSE.

© 2021 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.