Safeguards Rule Comments Deadline Extended to August 2

In late March, EDUCAUSE provided an extensive review of the Federal Trade Commission's (FTC's) proposed changes to its primary information security regulation, the Safeguards Rule. The FTC officially published the notice of proposed rulemaking (NPRM) for the process a few days later, setting a June 3 deadline for the submission of public comments. The EDUCAUSE Policy Team promptly filed a request asking the FTC to extend the deadline for sixty days so that we could more effectively engage with EDUCAUSE members and other higher education stakeholders in developing a response. The FTC recently announced that the deadline to submit public comments had been extended to August 2.¹

EDUCAUSE appreciates the extension of the comment period and plans to make good use of the additional time. However, because the FTC's announcement came only days before the original deadline, the Policy Team had already done extensive work developing an NPRM response. Thanks to the time and effort of individual members, the Policy Advisory Committee, the Higher Education Information Security Council (HEISC) Advisory Committee, and colleagues from NACUBO, ACE, and elsewhere, we have already outlined many key elements of our likely comments. Those include the following:

• The role of higher education institutions in facilitating student financial aid and the way in which relevant laws are written has led the FTC to classify colleges and universities as "financial institutions," which are the entities that must comply with the rule. However, higher education institutions are not financial institutions in a practical sense, and the FTC's proposed additions and revisions to the rule do not effectively account for this reality.
• The significant expansion of Safeguards Rule definitions and requirements will greatly complicate, if not inhibit, the ability of colleges and universities to comply with the rule unless the FTC explicitly and consistently reaffirms throughout the regulation the flexibility and discretion that institutions have in managing the new and revised provisions.
• Many of the proposed changes to the rule appear to assume direct operational control of systems and data at a time when colleges and universities are increasingly moving relevant functions to the cloud. The EDUCAUSE response will highlight several requirements that the FTC should edit to ensure a revised rule does not inhibit the use of cloud services.
• The FTC proposes to require that most institutions comply with the numerous, significant changes listed in the NPRM within six months of the revised rule's official release.
  • EDUCAUSE plans to argue strenuously that the FTC's compliance deadline does not provide adequate time for most colleges and universities to meet the proposed requirements.
  • As an alternative, we will likely recommend that the FTC establish a compliance window of two years, with a deadline of one year for institutions to develop plans to achieve compliance within the two-year time frame.
• The draft text of the revised rule incorporates an exemption for small financial institutions, defined as covered organizations holding customer information on fewer than 5,000 consumers, from several of the new requirements.
  • Given other legal, regulatory, and institutional recordkeeping requirements, colleges and universities that the higher education community would recognize as "small" in traditional terms might easily surpass the FTC's proposed ceiling of 5,000 accounts.
  • EDUCAUSE plans to ask the FTC to define "small" colleges and universities in keeping with the Carnegie Classification system, which would better align the threshold for claiming the proposed exemptions with institutional capacity, or the lack thereof.
• As currently written, the revised rule would introduce an overly broad definition of "information system," which appears to pull into the rule's scope the security of the overall institutional IT environment, not just the systems and data related to the "customer information" that the rule and the law from which it derives, the Gramm-Leach-Bliley Act (GLBA), are intended to address.
  • When combined with a number of proposed requirements, such as data encryption, authorized user monitoring, and continuous network and systems monitoring or annual penetration testing with biannual vulnerability assessments, the definition could add new and significant institution-wide security mandates. The FTC would impose these new mandates without regard for whether they are appropriate to the size and complexity of the institution or the nature and scope of its activities, which the Safeguards Rule would still call for even under the proposed revision.
  • EDUCAUSE will recommend that the FTC revise the definition and the safeguards requirements related to it to clearly limit their scope to systems and data related to "customer information," which for colleges and universities would largely entail student financial aid information.
• EDUCAUSE also finds the FTC's proposed definition of "security event," which mainly informs its new, specific requirement for incident response planning, to be problematic.
  • The definition does not appropriately distinguish between routine security incidents an institution would handle in the normal course of operations and true "security events," such as a major data breach, that may require a full institutional response.
  • As a result, the definition does not exempt encrypted data for which the encryption key has not been compromised from incidents that rise to "security event" status. Information security legislation and requirements, including the law from which the FTC derived its definition, generally provide such an exemption.
  • In addition, the definition does not account for whether an incident "could result in substantive harm or inconvenience to any customer"—a standard inherent in the rule—as an appropriate criterion for determining whether the incident can truly be identified as a "security event" worth the additional focus that the revised rule envisions.
  • Our comments will recommend that the FTC revisit its "security event" definition and the incident response planning requirement related to it with the following factors in mind:
    • Make the "substantial harm or inconvenience" standard a core element of the definition to give it appropriate scope.
    • Explicitly exempt encrypted data for which the encryption key has not been compromised from the definition's scope.
    • Clearly delineate the distinction between routine, low-level incidents and true "security events" in the rule's incident response planning requirement.

The NPRM goes into many other areas of information security planning and response, as do the EDUCAUSE comments currently under development. The points discussed, however, provide a sense for how broad and impactful the FTC's Safeguards Rule changes may ultimately be. With this in mind, the Policy Team will continue to work with EDUCAUSE members and colleagues at other higher education associations to strengthen our planned submission and build support for it across the higher education community. We hope that this will allow EDUCAUSE and higher education in general to inform the FTC's thinking on how to advance the protection of "customer information" by "financial institutions" without triggering the law of unintended consequences and negatively impacting colleges and universities in the process.

Note

1. Standards for Safeguarding Customer Information. 84 Fed. Reg. 101 (May 24, 2019). Federal Register: The Daily Journal of the United States. ↩

---

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.