The higher education association response to the Federal Trade Commission's proposed Safeguards Rule change centered around definitions, the expense and level of intrusion of the proposed information security requirements, cloud services, the length of the proposed grace period before the FTC begins enforcing its new requirements, and the exception from some requirements for small institutions.
On August 2, 2019, EDUCAUSE, the American Council on Education (ACE) and several other higher education presidential and professional associations submitted comments to the Federal Trade Commission (FTC) on its proposed changes to the Safeguards Rule. As previously discussed, EDUCAUSE members as well as Policy Team and Cybersecurity Program staff worked intensively to analyze the FTC proposals, identify where they posed problems for higher education institutions, and develop recommendations to resolve those concerns. The comments submitted to the FTC by ACE on behalf of the participating groups relied heavily on the efforts of the EDUCAUSE community, so I would again like to commend EDUCAUSE members and staff for their great (and hard) work throughout this process.
Since the final submission tracks closely with the draft EDUCAUSE analysis and recommendations I reviewed earlier this summer, I won't repeat that detailed discussion here. In essence, the higher education association response to the FTC's notice of proposed rulemaking (NPRM) centered on a handful of key points:
- Higher education institutions may fall under the legal definition of "financial institution" related to the Safeguards Rule, but the functions and activities relevant to that determination form only part of college and university IT environments.
- Since colleges and universities are fundamentally academic institutions, many of the proposed information security requirements would be far too intrusive and expensive unless the FTC revises them to clearly limit their scope to the personal financial information that is the basis for Safeguards Rule compliance.
- Likewise, several provisions are written in ways that fail to account for cloud services; institutions that rely on such services for financial aid and related business processes may have significant difficulty complying with the systems access control and audit trail requirements, for example, unless the FTC makes those provisions cloud-friendly.
- The proposed six-month grace period before the FTC begins enforcing its new requirements is simply inadequate given the depth and breadth of the likely changes. Colleges and universities should have two years to come into compliance, with a one-year deadline for developing a plan to do so.
- The exception from some requirements for small institutions does not reflect how institutional size is calculated in higher education. The FTC should adopt a "small institution" definition for colleges and universities based on the Carnegie Classification system to ensure that small higher education institutions receive the exception.
The overall expansion of Safeguards Rule requirements presented by the FTC would significantly increase the impact of the regulation on higher education information security, especially given the inclusion of a Safeguards Rule compliance provision in the Federal Student Aid Program Participation Agreement. EDUCAUSE will thus continue to work with its members and other higher education associations to track and respond to further Safeguards Rule developments, with the goal of encouraging the FTC to adopt a final regulation that advances information security while remaining workable in higher education.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2019 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.