Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule

When the Federal Trade Commission (FTC) proposed to revise the Safeguards Rule (the Rule) in 2019, EDUCAUSE joined with the American Council on Education (ACE) and several other associations to submit comments asking for a number of changes and clarifications.^Footnote1 Those comments derive largely from an analysis (written by EDUCAUSE members and staff) of the FTC's proposed revisions to the Rule.^Footnote2 In light of the initial comments that the FTC received, including ours, the agency held an online listening session during the summer of 2020. Among the select stakeholder panelists the FTC invited to participate were a few EDUCAUSE member CIOs and CISOs. However, the FTC did not provide any insights into how the feedback it received on its proposed rulemaking might influence the form that its revised cybersecurity regulations would take. The agency released the latest version of the Safeguards Rule on October 27.^Footnote3 This version is largely unchanged from the FTC's original draft. (Note: The pre-publication draft originally made available by the FTC on October 27, 2021, was replaced by a pre-publication version posted to the online version of the Federal Register on December 8, 2021. The references and links to the pre-publication draft of the revised Rule have been updated to reflect the December 8 version in the online Federal Register since that is the pre-publication form of the document still available. The same is true for the supplemental notice of proposed rulemaking regarding a possible Safeguards Rule reporting requirement. The December 8 version of that document is the pre-publication version still available, so relevant references and footnotes have been updated accordingly.)

Given the extensive edits, clarifications, and changes that we requested,^Footnote4 the FTC's decision not to substantially revisit its regulatory proposal is disappointing. That said, the analysis of public comments provided with the FTC's pre-publication copy of the new Rule contains an important acknowledgment from the agency that sets the context for interpreting and applying the numerous provisions with which colleges and universities will now have to comply:

Although the Final Rule has more specific requirements than the current Rule, it still provides financial institutions the flexibility to design an information security program that is appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.^Footnote5

This statement is significant because it is relevant to a point that EDUCAUSE and our higher education association partners pressed throughout our comments on the proposed Rule. We consistently noted that many provisions lacked sufficiently specific guidance to assure a college or university that it had achieved compliance, an issue that we summarized as follows:

The proposed revised Rule, however, specifies many of the details of those elements while adding more provisions and requirements, but without providing effective guideposts for compliance. That leaves colleges and universities with many questions about whether the proposed Rule's provisions are appropriately limited to the data and functions it covers and how institutions will effectively be able to determine if they are in compliance regardless.^Footnote6

The statement from the FTC quoted above directly addresses this concern.^Footnote7 In my view, it reaffirms that an effective approach to the requirements of the Safeguards Rule, including all of its new provisions, remains a matter of discretion for the covered entity in question based on its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. The Rule identifies the elements that an institution's information security program must include; however, it leaves the determination of how the institution should address those elements (for the most part) to the covered entity, with the understanding that the institution will make those decisions based on, and reasonably justified by, its particular context.

From a compliance standpoint, institutions may view this level of discretion as a double-edged sword based on understandable concerns about their decisions being second-guessed by regulators at some point in the future. Given the FTC's position as reflected in the acknowledgment from the agency quoted above and its analysis of public comments on the proposed revisions to the Rule, institutions may best respond by adopting an approach that EDUCAUSE asked the FTC to affirm explicitly in the Rule or its related guidance (which it apparently declined to do in favor of reaffirming the extent of institutional discretion):

[W]e would urge the FTC to explicitly state in the Rule and subsequent guidance what we believe the proposed revised Rule implies—that institutions may achieve compliance through providing reasonable explanations in their information security program documentation for the choices they make in fulfilling the given provisions.^Footnote8

In other words, the discretion to determine what constitutes an appropriate way to fulfill a given requirement based on an institution's size and complexity, the nature and scope of its activities, and so forth carries with it the responsibility of ensuring that the measures adopted by the institution are appropriate given what it is, what it does, and what options it may reasonably have available to it as a result.

I used the word "regulators" above, not "the FTC," because the Office of Federal Student Aid (FSA) at the US Department of Education (ED) has made compliance with the FTC Safeguards Rule a requirement of the Title IV Program Participation Agreement (PPA) that institutions must sign to participate in federal student financial aid programs.^Footnote9 As a result, institutions are ultimately responsible to the FTC directly for complying with the Safeguards Rule, but a determination by FSA that an institution is not complying with the Safeguards Rule may affect its Title IV eligibility and therefore the ability of the students enrolled at the institution to get federal student loans and other forms of federal financial aid.

It remains unclear how FSA will address the changes in the FTC's cybersecurity regulations. Conversations between EDUCAUSE and FSA representatives about the issues that have occurred since the FTC unveiled its rulemaking notice in 2019 did not produce any indication of how FSA would incorporate Safeguards Rule revisions into its compliance expectations. For now, the Safeguards Rule audit objective that FSA had incorporated into the federal single audit process still focuses on confirming a few high-level objectives from the previous version of the Rule:

• That an institution has appointed a person or team to coordinate its information security program
• That it has conducted a relevant risk assessment
• That it has developed information security controls based on its identified risks^Footnote10

FSA will have to work with the Office of Management and Budget to alter the audit objective in light of the FTC's revisions to the Rule, if and when it chooses to do so, and that process will take time.

Meanwhile, EDUCAUSE intends to work with its members and association partners to engage with FSA to understand its Safeguards Rule compliance and audit objective plans as they take shape. We hope such discussions will also provide the opportunity for member representatives to share information about the practical issues and difficulties that different approaches to FSA compliance in this area might present. In this regard, FSA is better positioned to understand the problems that the revised Rule creates for colleges and universities and to tailor its compliance interests to the higher education context.

Turning to the revised Rule itself, even with the understanding that how an institution fulfills a given requirement remains discretionary, the long list of new requirements is still eye-opening. Also, the FTC is now requiring the adoption of several measures that EDUCAUSE argued in 2019 should continue to fall under institutional discretion. In the review that follows, I highlight what I consider to be key points in the revised Rule. I encourage EDUCAUSE members involved in their institution's compliance with the Safeguards Rule to review the revised regulations in their entirety (see pp. 109–128 for the text of the new Rule itself), as some parts of the Rule may be more central to your institution's needs and interests than the ones I identify below.

In addition to releasing the revised Safeguards Rule, the FTC also announced that it would conduct a supplemental rulemaking on the issue of whether to require entities covered by the Rule to report relevant cyber incidents to the FTC.^Footnote11 The higher education comments on the proposed Rule that EDUCAUSE helped to develop in 2019 raised questions about the value of such a reporting requirement, especially as it relates to the burden that the requirement would create for covered entities such as colleges and universities. The new FTC rulemaking notice indicates the agency's desire to minimize the potential burden of Safeguards Rule incident reporting, which may, in turn, lessen higher education's concerns about a proposed requirement. I will be writing a supplemental article in which I review the need to consider whether EDUCAUSE and the higher education community should submit comments on the FTC's proposed incident reporting requirement and, if so, the direction those comments should take. (Note: The review of the rulemaking notice regarding a possible Safeguards Rule reporting requirement was posted on December 8, 2021. EDUCAUSE joined several associations in submitting comments about the proposed reporting requirement to the FTC on February 7, 2022. An article reviewing the higher education submission, with a link to the comments themselves, was posted on March 3, 2022.)

The Revised FTC Safeguards Rule: Key Provisions by Section

Please note that the Code of Federal Regulations (CFR) reference for the Safeguards Rule is 16 CFR 314. To find the Safeguards Rule regulations, enter "16 CFR 314" in the search bar on the Electronic Code of Federal Regulations web page.

Section 314.5—Effective Date

Keep in mind that most of the new requirements added to the Rule will not take effect until one year after the date of their publication in the Federal Register. (Note: The revised Safeguards Rule was officially published in the Federal Register on December 9, 2021, and it identifies December 9, 2022, as the compliance deadline for the new requirements incorporated into the revised Rule.) With that in mind, I will take the second-to-last section, Section 314.5—Effective Date, out of order since it identifies the following sections as falling under the one-year compliance deadline:

• 314.4(a)—Designate a "qualified individual" to oversee, implement, and enforce the institution's information security program.
• 314.4(b)(1)—Produce a written risk assessment about the institution's customer information that includes a now-mandated set of criteria and requirements.
• 314.4(c)(1)-(8)—"Design and implement safeguards to control the risks you identity through risk assessment," including the following:
  • Technical and physical access controls to ensure only authorized access
  • An inventory of all relevant parts of the IT environment and management of the same consistent with their business priority and the institution's risk strategy
  • Encryption of all customer information in transit over external networks and at rest
  • Procedures for securely developing internal applications and assessing the security of externally developed applications used in relation to customer information
  • Multi-factor authentication for any individual accessing any information system
  • Procedures for the secure disposal of customer information that is no longer needed for business operations or another legitimate business purpose
  • Change management procedures
  • Measures to monitor and log the activities of authorized users and to detect their unauthorized access or use of or tampering with customer information
• 314.4(d)(2)—Implement continuous monitoring of "information systems" (as defined in 314.2) or annual penetration testing with vulnerability assessments at least every six months.
• 314.4(e)—Establish policies and procedures to ensure that your staff receives security awareness training, that you hire qualified information security personnel and provide ongoing professional development for them, and that key members of your information security staff maintain their knowledge of current threats and responses.
• 314.4(f)(3)—Periodically assess the information security risks that your institution's service providers present and the adequacy of the safeguards they deploy to ensure that they are following the provisions of the Rule.
• 314.4(h)—Establish a written incident response plan, including a set of specific elements, for the customer information that the institution controls.
• 314.4(i)—Require your institution's "qualified individual" to submit a written report on key aspects of the information security program to the institution's governing board at least once per year.

All other aspects of the revised Rule take effect thirty days from its publication in the Federal Register, but those aspects essentially concern the current requirements of the Safeguards Rule with modest text edits to accommodate the range of new requirements that will go into effect next year. In other words, the thirty-day deadline for the rest of the revised Rule ensures that covered entities continue to comply with pre-existing requirements while preparing to comply with the new ones. (Note: The revised Rule officially took effect on January 10, 2022; as mentioned, though, the FTC has deferred compliance with the new requirements added to the Safeguards Rule until December 9, 2022.)

Section 314.2—Definitions

• The FTC greatly expands the definitions section—largely to incorporate key terms from its Privacy Rule directly into the revised Safeguards Rule. These terms are important for understanding what the Safeguards Rule covers.
  • For example, where the current regulation includes only the definition of "customer information," the revised Rule includes definitions of terms ("consumer," "customer," "nonpublic personal information," "personally identifiable financial information," and so forth) that are central to understanding what "customer information" actually means.
  • EDUCAUSE and its partners specifically requested that the FTC add all relevant definitions from the Privacy Rule to the new Safeguards Rule to make it easier for institutions to understand what "customer information" they need to protect under the Rule, so this change, even at the expense of the Rule's brevity, is greatly appreciated.
  • That said, IT leaders and professionals will likely be well served by working with institutional legal counsel as well as their business offices, registrars, and financial aid colleagues to walk through the interlocking chain of definitions that have to be explored to reach a full understanding of exactly what institutional data constitutes "customer information."
  • Since institutions currently must comply with the existing version of the Safeguards Rule, most, if not all, probably already have a good handle on the scope of "customer information." However, with all of the relevant definitions now being included in the Rule itself, evaluating the new compliance requirements presents a good opportunity to review the previous determinations to ensure nothing has been missed.
• "Authorized user"

  In the revised Rule, the FTC added "customer" to the definition's list of people who might be considered "authorized users" to make clear that the Rule's requirements for multi-factor authentication and user activity monitoring and logging, for example, extend to "customers" that can access their information via the institution's systems.

  Depending on how an institution already allows students to access their financial aid and institutional account information, the Rule's new security requirements may or may not pose problems. However, institutions will have to review those requirements in light of students' (or parents') access to account information and make sure all of the required measures are in place in ways that are appropriate to the institution's size, complexity, and so forth.

• "Encryption"

  In commenting on the proposed Rule, EDUCAUSE and its partners suggested that the FTC add to the definition of "encryption" to link the potential new encryption requirement under the Rule to "industry standards," which would give institutions a frame of reference for complying with the requirement. Instead, the final version of the revised Rule includes a reference to "current cryptographic standards" as an appropriate measure to secure an associated encryption key.

  From a compliance standpoint, I think the end result is the same. In deciding what form of encryption to deploy to meet the Rule's requirement, institutions should document how the method(s)/tool(s) that are chosen reflect current encryption standards and approaches.

• "Information system"

  As previously mentioned, one of the key definitional changes from the proposed Rule to the Final Rule is the addition of references to "containing customer information or connected to a system containing customer information" in the definition of "information system." As a result, the definition now clearly links systems and related technology covered by the revised Rule's requirements to the customer information for which institutions are responsible under the Safeguards Rule. However, as also noted previously, the addition of "connected to a system containing customer information" likely pulls a much greater degree of an institution's IT environment into the scope of the Rule's requirements than a college or university would find helpful or, in many cases, justified.

  This definitional change may point the way, though, to how an institution can modify its IT environment to segregate its "customer information" (with student financial aid and account information likely drawing the lion's share of concern) to limit the extent of the environment that will fall under the Rule's new requirements, such as continuous monitoring or annual penetration testing or biannual vulnerability assessments. There is little doubt, however, that the FTC did not take into account our points about the extent to which student financial aid information might reasonably be distributed across institutional systems and, therefore, the difficulty that the scope of compliance in the revised Rule might pose for a college or university.

Section 314.4—Elements [of a Safeguards Rule-Compliant Information Security Program]

• "Qualified individual" to oversee/enforce the information security program [314.4(a)]

  The revised Rule follows the proposed Rule in moving from requiring that an employee or employees be designated to coordinate the institution's information security program to mandating that a single "qualified individual" be appointed to oversee, implement, and enforce the program. In our comments on the proposed Rule, we argued that the decision of whether to have individual or team leadership of an institution's information security program should remain a matter of institutional discretion given the great variety of institutional contexts. The FTC determined, however, that streamlining and ensuring accountability by having a single head of the information security program trumped other considerations.

  That said, we also noted in our comments on the proposed Rule that the FTC's repeated reference to a chief information security officer in this context, which the agency intended to be just an example, would likely be interpreted as a mandate that all institutions might not be able to address within the anticipated timeframe for achieving compliance. With our feedback and similar comments from other stakeholders in mind, the FTC adjusted its text in the final rule so that it only refers to the need for an institution to appoint a "qualified individual" to lead the information security program. What constitutes being "qualified" will remain subject to institutional discretion based on the institution's size and complexity, the nature and scope of its operations, and so forth.

• Risk assessment [314.4(b)]
  • Under the revised Safeguards Rule, institutions will now have to develop a written risk assessment regarding the security of their customer information. The written assessment will have to cover the following elements:
    • The criteria used to evaluate and classify the relevant security risks that the institution has identified
    • The criteria used to assess "the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face"
    • The ways in which "identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks"
  • The expanded risk assessment requirement in the revised Rule also mandates that institutions periodically update their risk assessments, with when and how to do so left to institutional discretion based on institutional size, complexity, nature, scope, etc.
• Safeguards [314.4(c)]
  • The revised Rule goes into much greater detail about the types of security measures that institutions will need to implement to address the risks they identify in their risk assessments. In fact, one could interpret the specific requirements introduced as the FTC setting minimum baselines under the assumption that any valid risk assessment would identify the risks requiring the measures that the FTC is now imposing by regulation.
  • Under the revised Rule, institutions must take the following actions:
    • Implement and maintain technical and physical access controls on customer information to limit access to authorized users and limit those users' access to the scope of their authorizations.
    • Inventory and manage "the data, personnel, devices, systems, and facilities" central to their operations in light of their priority and the institution's "risk strategy."
    • Encrypt all customer information "held or transmitted" by the institution when "in transit over external networks or at rest."
      • The FTC had previously raised the possibility of requiring encryption of customer information while in transit over internal networks as well, so this encryption provision could have been even more cumbersome to manage.
      • The provision also allows for institutions to use "effective alternative compensating controls" when necessary if approved by their "qualified individual."
    • Adopt secure development practices for any internally developed applications and security assessment procedures for any externally sourced applications that the institution uses to "transmit, access, or store customer information."
    • "Implement multi-factor authentication for any individual accessing any information system [emphasis added], unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls."
    • Establish policies and procedures for the secure disposal of customer information "no later than two years after the last date" on which the information was used to serve the customer in question unless it is needed for business operations or "for other legitimate business purposes."
      • The institution may also maintain the data if required by law or regulation, or if it is held in a fashion that makes "targeted disposal . . . not reasonably feasible."
      • In responding to the proposed Rule, EDUCAUSE and its partners argued that "business purposes" might not be understood as the FTC intended in institutions focused on academic purposes, and thus it should use the phrase "legitimate purposes."
      • Since the FTC did not take our suggestion, institutions will have to rely on their discretion based on their size, complexity, nature, scope, etc., to determine what constitutes a "legitimate business purpose" given their operations.
      • Also, this provision assumes that secure disposal of customer information as required will be based on a periodically reviewed and updated institutional data retention policy designed "to minimize the unnecessary retention of data."
    • Adopt change management procedures (presumably for systems, policies, processes, etc., that connect in some meaningful way with customer information).
    • Implement measures to "monitor and log the activity of authorized users" and to detect when they have accessed, used, or tampered with customer information outside the scope of their authorization.
      • The logging aspect of this provision replaces a separate provision in the proposed Rule that would have required the creation of "audit trails . . . to detect and respond to security events."
      • EDUCAUSE member feedback indicated that simply focusing on user logs would be a more accurate and useful way to address the FTC's concern, and it seems that our comment about the issue in relation to the proposed Rule led to an appropriate change.
• Monitoring and testing safeguards [314.4(d)(1) and (2)]
  • Part 1 of this provision requires institutions to test regularly or otherwise monitor the effectiveness of the safeguards established under their information security program "including those to detect actual and attempted attacks on, or intrusions into, information systems" as defined by the Rule.
  • Part 2, however, specifically mandates either continuous monitoring of information systems (again, as defined by the Rule) or annual penetration testing with vulnerability assessments at least every six months and whenever the institution experiences significant operational changes or an incident that "may have a material impact on [the institution's] information security program."
  • In commenting on the proposed Rule, EDUCAUSE and its partners argued that if, when, where, and how these measures might be deployed should be a matter of institutional discretion based on the findings of the institution's risk assessment in light of its size, complexity, nature, scope, etc., especially given the diversity of institutional types and contexts across higher education.
  • In light of how the Rule defines "information system," limiting the reach of this provision across the institutional IT environment will require careful consideration of where and how customer information is stored and used, as well as which systems and data stores have to be connected to systems and databases containing customer information.
• Human resources policies and procedures related to information security [314.4(e)]
  • This aspect of the revised Rule requires institutions to provide security awareness training for their personnel consistent with the results of their risk assessments.
  • Institutions must also do the following:
    • Use qualified information security personnel to manage security risks and "perform or oversee" their information security program, whether such personnel are institutional employees or are supplied by a service provider.
    • Ensure their information security personnel have access to security updates and training that will allow them to address security risks at their institution.
    • Verify that "key information security personnel" are maintaining their professional knowledge of the field (i.e., of "changing information security threats and countermeasures").
• Service provider oversight [314.4(f)]

  The revised Rule adds a requirement that institutions periodically review the information security risks that their relevant service providers pose, including the adequacy of those providers' safeguards.

• Evaluation and revision of the information security program [314.4(g)]

  The FTC changed this section from the proposed rule to the final rule to cross-reference the requirement about reviewing and revising the institutional information security program with the sections on modifying relevant safeguards based on the results of the institution's written risk assessment [314.4(b)(2)] and its continuous monitoring/annual penetration testing (with at least biannual vulnerability assessments) of relevant information systems [314.4(d)].

• Written incident response plan [314.4(h)]
  • The FTC revised this provision slightly in the revised Rule from how it was presented in the proposed Rule.
    • Rather than saying that covered entities have to develop written incident response plans to cover customer information in their "possession," the text now reads that they must have incident response plans for such information under their "control."
    • This edit responds to our comment on the proposed Rule regarding the need to revise this provision to reflect institutional use of cloud services, where the relevant information may actually be possessed by a cloud services provider and not by the institution directly.
    • Whether "control" works better than "possession" in this context remains debatable. We suggested that the text tie the incident response plan to the customer information for which the institution is "responsible," since there is little doubt that the covered entity remains responsible for the security of its data no matter where it is housed, especially in light of the Rule's service provider oversight provision.
    • To that end, regardless of how the text reads, the FTC's intent is clear: The institution's incident response plan regarding covered customer information must account for relevant service providers as well.
    • The provision identifies several specific items that a compliant incident response plan must include, all of which are consistent with standard incident response principles and practices.
    • Institutions with incident response plans that cover customer information should review the list to establish a crosswalk between their plans and the required elements. Those needing to develop such plans should review the list to ensure that their plans cover all the bases.
• Board reporting [314.4(i)]
  • The revised Rule incorporates the proposed Rule requirement that the head of the institution's information security program submit a written report about the program to the institution's governing board at least once a year.
  • The modest edits to the provision in the revised Rule identify the head of the information security program as its "qualified individual" and specify that written reports should be provided to the board "regularly and at least annually."
  • A Rule-compliant board report must include the following elements:
    • A review of the program's overall status and compliance with the Rule
    • "Material matters" about the program, such as:
      • risk assessment and risk management/control decisions;
      • service provider arrangements;
      • results of testing and security events or violations, and management's responses to them; and
      • recommendations for program changes.

Section 314.6—Exceptions

• Institutions that maintain customer information on fewer than 5,000 consumers (note the difference between "consumer" and "customer" in the definitions) are exempt from having to:
  • develop a written risk assessment [314.4(b)(1)];
  • implement continuous monitoring or penetration testing/vulnerability assessments of their information systems [314.4(d)(2)];
  • develop a written incident response plan [314.4(h)]; or
  • submit a report about their information security program to their governing board or senior executive [314.4(i)].
• In commenting on the proposed Rule, EDUCAUSE and its partners argued that the threshold for exceptions to the requirements of the Rule for higher education institutions should be set by Carnegie classification, not the number of consumer records managed, as Carnegie classification would provide a more appropriate indicator of institutional size (and therefore institutional capacity to manage the requirements in question). With the FTC declining to accept that recommendation, even the smallest accredited colleges and universities are unlikely to qualify for the exceptions to certain Rule requirements given the length of time for which financial aid and student account information is generally maintained.

Notes

1. Federal Trade Commission, "Standards for Safeguarding Customer Information (Notice of Proposed Rulemaking; Request for Public Comment)," Federal Register, Vol. 84, No. 65, April 4, 2019, pp. 13158-13177; Jarret Cummings, "Higher Ed Community Responds to Proposed Safeguards Rule Change," EDUCAUSE Review, August 14, 2019. Jump back to footnote 1 in the text.↩
2. Please see Jarret Cummings, "Safeguards Rule Comments Deadline Extended to August 2," EDUCAUSE Review, June 7, 2019, for more details. Jump back to footnote 2 in the text.↩
3. Federal Trade Commission, "FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches," October 27, 2021. Jump back to footnote 3 in the text.↩
4. For details, see Jarret Cummings, "Safeguards Rule Comments Deadline Extended to August 2," EDUCAUSE Review, June 7, 2019, and Jarret Cummings, "Higher Ed Community Responds to Proposed Safeguards Rule Change," EDUCAUSE Review, August 14, 2019. Jump back to footnote 4 in the text.↩
5. Federal Trade Commission, "16 CFR Part 314: Standards for Safeguarding Customer Information (Final Rule)," pre-publication copy, (December 8, 2021): 5. Jump back to footnote 5 in the text.↩
6. American Council on Education et al., letter to the Federal Trade Commission, "Request for Public Comment on Notice of Proposed Rule-Making, 'Standards for Safeguarding Customer Information' (Safeguards Rule, 16 CFR 314, Project No. P145407)," August 2, 2019, 3. Jump back to footnote 6 in the text.↩
7. FTC, "16 CFR Part 314: Standards for Safeguarding Customer Information (Final Rule)," 5. Jump back to footnote 7 in the text.↩
8. American Council on Education et al., letter to the FTC, "Request for Public Comment on Notice of Proposed Rule-Making, 3. Jump back to footnote 8 in the text.↩
9. "Record Keeping, Privacy, and Electronic Processes," in 2021-2022 Federal Student Aid Handbook in PDF Format, (Washington DC: Office of Federal Student Aid, US Department of Education, 2021), 2-218, 2-220. Jump back to footnote 9 in the text.↩
10. Jarret Cummings, "The Safeguards Rule Audit Objective Is Here!" EDUCAUSE Review, July 11, 2019. Jump back to footnote 10 in the text.↩
11. Federal Trade Commission, "16 CFR Part 314: Standards for Safeguarding Customer Information (Supplemental Notice of Proposed Rulemaking)," pre-publication copy, (December 8, 2021). Jump back to footnote 11 in the text.↩

---

Jarret Cummings is Senior Policy Advisor at EDUCAUSE.