The Federal Trade Commission (FTC) has proposed adding a reporting requirement to its Safeguards Rule. EDUCAUSE and its partners recommend that the FTC adopt a few revisions (e.g., delaying the public release of any Safeguards Rule security event report for one year from the submission date).
The Federal Trade Commission (FTC) published its long-awaited revisions to the Safeguards Rule in early December 2021 while giving covered entities, such as colleges and universities, until December 2022 to achieve compliance with the many new provisions of the Rule.Footnote1 At the same time, the FTC also proposed a new Safeguards Rule reporting requirement. Comments on the proposal were due by February 7.Footnote2
EDUCAUSE worked with member representatives to analyze the FTC's proposed provision. Our findings formed the basis of public comments jointly submitted to the FTC by the American Council on Education (ACE), EDUCAUSE, and several other groups.Footnote3 We determined that, in general, the proposal from the FTC strikes a reasonable balance between meeting its needs as a regulator and minimizing the reporting burden on institutions. A covered entity would only be required to report security events for which it has determined a misuse of customer information (primarily student financial aid information in the case of higher education) involving one thousand or more consumers has occurred or is reasonably likely to occur. Also, the entity would only have to report a few general elements:
- The name of and contact information for the organization
- A description of the types of information involved
- The date or date range of the event (if identified)
- A general description of the event itself
While the proposed reporting standard and structure would be workable overall, the FTC raised several questions indicating that it could conceivably take the final version of the regulation in some problematic directions from the higher education perspective. With that in mind, EDUCAUSE and its partner associations provided a few specific points for the FTC to consider, with the goal of keeping the final provision largely within the initial parameters identified in its rulemaking notice.
The FTC clearly indicates in its rulemaking proposal that it wants to make the reports it would receive as a result of the new reporting provision publicly available, and it specifically asks if it should do so. The response from higher education associations argues that the information submitted under the proposed requirement would suit the needs of the FTC as a regulator that is trying to identify where it may need to work with a covered entity on possible compliance issues. It would be too high level, though, to provide meaningful information to students, parents, and other stakeholders and could conceivably raise anxiety among individual members of the campus community about whether their personal information might be involved. Given the likelihood that the public availability of the reports could generate undue concern among institutional stakeholders, EDUCAUSE and its partners suggested that posting all submitted reports to a national, publicly available web page might be counterproductive. If the FTC decides to proceed with such a plan, however, we asked it to consider delaying the public release of any Safeguards Rule security event report for one year from the date of submission. This would ensure that institutions have time to remediate the underlying event fully and communicate with all affected stakeholders before the general public release of the report in question.
The FTC also asked if the proposed requirement should explicitly exclude events involving encrypted information from reporting, which would be consistent with the New York state regulations from which the overall revisions to the Safeguards Rule were drawn. The higher education groups noted that the reporting standard for the new requirement would generally lead to that result regardless, given that institutions would not consider encrypted data subject to misuse or likely misuse in the absence of some reasonable indication of the encryption having been compromised. Thus, we recommended that the FTC clearly state in the final regulation that entities are not required to report events involving encrypted information so long as no reasonable basis exists for thinking that the encryption involved is or is likely to be compromised.
Another key point that we raised concerns whether a covered entity should be allowed to delay reporting to the FTC if a law enforcement agency requests that it not share information about an event unless or until law enforcement gives its approval to do so. EDUCAUSE and its partner associations argued that if enacted, a Safeguards Rule reporting requirement should allow a covered entity to respect the wishes of law enforcement agencies and delay reporting at their request, given the general importance to cybersecurity of identifying and prosecuting bad actors to the extent possible. We noted, however, that the FTC could provide a way via its reporting process for a covered entity to inform the FTC that the entity is subject to such a request and provide contact information for the law enforcement agency or agencies in question. This would allow the FTC to negotiate with law enforcement as necessary about the conditions under which an entity could fulfill its normal reporting responsibilities sooner rather than later if the FTC thought a particular case warranted it.
Given the track record of the FTC concerning its rulemaking leading to the recently revised Safeguards Rule, EDUCAUSE members should assume that the FTC will adopt a Safeguards Rule reporting requirement that is similar to its proposed regulation. It is also highly likely that reports submitted under the new provision will become publicly available, although EDUCAUSE and its partners remain hopeful that the FTC will adopt a delay in providing public access to security event reports as we requested. The proposed Rule indicates that the FTC's final regulation will likely defer compliance for six months from the date of its official publication. With the early December compliance deadline for the new requirements, the FTC could issue the final version of its reporting provision in time for it to take effect at roughly the same time as the overall set of new Safeguards Rule mandates. Whether the FTC can achieve such a goal remains to be seen, but EDUCAUSE will continue to update members on any new developments with the proposed Safeguards Rule reporting requirement as they become available.
Notes
- Jarret Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule," EDUCAUSE Review, December 2, 2021. Jump back to footnote 1 in the text.
- Jarret Cummings, "Cyber Incident Reporting Under the Safeguards Rule?" EDUCAUSE Review, December 8, 2021. Jump back to footnote 2 in the text.
- American Council on Education, et al., letter to the Federal Trade Commission, "Request for Public Comment on Supplemental Notice of Proposed Rulemaking, 'Standards for Safeguarding Customer Information' (Safeguards Rule, 16 CFR 314, Project No. P145407), December 9, 2021—Proposed Security Event Reporting Requirement," February 7, 2021. Jump back to footnote 3 in the text.
Jarret Cummings is Senior Policy Advisor at EDUCAUSE.
© 2022 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.