The Federal Trade Commission is proposing to significantly expand the information security requirements that organizations covered by its Safeguards Rule, including colleges and universities, must meet. It is also proposing that all covered entities would have to comply with the numerous additional provisions within six months of the FTC finalizing them. EDUCAUSE will work with members to identify the community's concerns and respond to the FTC accordingly.
Earlier this month, the Federal Trade Commission (FTC) announced the pending release of a notice of proposed rulemaking (NPRM) on possible changes to the Safeguards Rule. Adopted by the FTC in 2003 to fulfill its responsibilities under the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule mandates that covered "financial institutions," which include colleges and universities due to their student financial aid activities, secure "customer information" through implementing information security programs according to specific requirements:
- Designating an individual or individuals to coordinate the institution's security program;
- Conducting a risk assessment to "identify reasonably foreseeable internal and external risks" to the security of customer information, which at a minimum should cover:
  - Employee training and management;
  - Information systems (including the network);
  - "Detecting, preventing, and responding to attacks, intrusions, or other systems failures"; and
- Implementing safeguards to address the identified risks and regularly testing/monitoring those safeguards for effectiveness;
- Vetting third-party service providers to the institution as "capable of maintaining appropriate safeguards" and requiring them to do so by contract; and
- Evaluating and adjusting the security program based on the results of the required testing and monitoring, changes in the institution's operations, or anything else that might substantively impact the program.
Historically, the Safeguards Rule has been known for the flexibility it affords covered entities as to how they meet these few, but comprehensive, requirements. It specifically states that the safeguards an institution implements should be "appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." The Safeguards Rule NPRM now set for publication, however, departs from that flexibility by substantially increasing the requirements that a covered entity's information security program will have to meet. For example:
- Rather than having an individual or team that coordinates the security program, the revised rule would require each covered entity to have "a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program" [italics added]. The proposed regulations identify this position as the chief information security officer or CISO, but covered entities would not have to designate their lead information security administrators as CISOs.
- The institution would also be required to base its security program on a risk assessment that specifically delineates the criteria for categorizing risks and assessing the capability of institutional systems to address them, as well as how identified risks will be mitigated, accepted, or otherwise managed. Institutions would also have to conduct additional risk assessments periodically.
- The safeguards that a covered entity incorporates into its information security program would have to include the following specific elements:
  - Information system controls that allow only authorized individuals to access customer information;
  - Controls on access to physical locations that contain customer information to limit access to authorized individuals;
  - Identification and management of relevant "data, personnel, devices, systems, and facilities" based on their relative importance and risk to business operations;
  - Encryption of all customer information held or transmitted by the institution, both "at rest" and "in transit over external networks" (unless the CISO approves alternative controls based on the infeasibility of encryption);
  - Use of secure development practices for any internally developed apps, and security testing procedures for any externally developed apps utilized to "transmit, access, or store customer information";
  - Multifactor authentication for any individual accessing customer information (unless the CISO approves in writing "the use of reasonably equivalent or more secure access controls");
  - "Audit trails within the information security program designed to detect and respond to security events";
  - Procedures for the secure disposal of customer information "in any format" once it is no longer needed for any legitimate business purpose (unless retention is required by law or "targeted disposal" is infeasible);
  - Change management procedures; and
  - Monitoring of authorized users on relevant systems to detect unauthorized access and/or tampering with customer information.
- Institutions would be required to implement either continuous monitoring of relevant information systems for attacks or intrusions, or annual penetration testing with biannual vulnerability assessments, again using their risk assessments as a guide.
- The proposed rule mandates specific personnel policies, including:
  - Security awareness training based on the institutional risk assessment;
  - Use of "qualified information security personnel" to execute the information security program;
  - Security updates and training for the institution's information security personnel; and
  - Verification that information security personnel are maintaining "current knowledge of changing information security threats and countermeasures."
- Covered entities would also be required to develop a written plan for security incident response that specifically identifies:
  - The plan's goals;
  - The institution's internal response processes, with clear definitions of roles, responsibilities, and decision-making authority;
  - Provisions for internal and external communications/information sharing;
  - Requirements for remediation of any identified vulnerabilities in systems/controls;
  - Requirements for documenting and reporting on incidents and response activities; and
  - Procedures for post-incident review and revision of the response plan.
- The final new provision the FTC proposes to add to the Safeguards Rule is a requirement for the CISO to report annually to the institution's governing board about its information security program; that report must specifically address:
  - The status of the program and the institution's compliance with the rule; and
  - "Material matters" such as risk assessment/management/control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for program changes.
Many of the FTC's proposed additions to the Safeguards Rule might seem like generally good ideas consistent with effective information security practices. However, institutions that haven't already implemented many or most of these measures, or that aren't at least well down the path to doing so, might face significant compliance challenges given that the FTC currently intends for many of the new provisions to take effect six months from the new rule's effective date. Covered entities "that maintain customer information concerning fewer than five thousand consumers" would be exempt from a few major requirements—the written risk assessment, continuous monitoring or penetration testing/vulnerability assessment, the written incident response plan, and annual governing board reporting. Even small colleges and universities may fall on the wrong side of that limit, though, depending on the number of years for which they maintain student financial aid records.
With these concerns in mind, EDUCAUSE is actively preparing to submit comments highlighting the need for the FTC to more effectively account for the higher education context in its proposed Safeguards Rule changes. When the rule was first established sixteen years ago and for most of the time since then, higher education institutions only had to answer to the FTC regarding compliance. For the past few years, however, colleges and universities have increasingly had to concern themselves with Safeguards Rule compliance in relation to their eligibility to participate in Federal Student Aid (FSA) programs, per the Program Participation Agreements that FSA requires them to sign. The rapid, broad increase in compliance requirements that the FTC proposes therefore has major implications for higher education institutions that might lack the resources to implement them in such a limited time frame.
Additionally, it may be fair to ask whether the extent of the proposed changes effectively stymies the ability of institutions to meet the rule's requirements in ways that are "appropriate to [their] size and complexity, the nature and scope of [their] activities, and the sensitivity of any customer information at issue." Two of the five FTC commissioners cited this question as a significant reason for their dissent from the commission's ruling on the pending NPRM text. EDUCAUSE will reflect further on this issue as it engages members and higher education stakeholders in other areas to inform its comments, which likely won't be due to the FTC until late spring.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2019 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.