The Safeguards Rule and Its Possible Changes

The EDUCAUSE Policy Team has produced a pair of brief videos with companion slide decks to help members understand the basics of the Safeguards Rule and the implications of the changes that have been proposed by the Federal Trade Commission.

Colleges and universities have had to comply with the Safeguards Rule, administered by the Federal Trade Commission (FTC), since the early 2000s. Established as a result of the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule sets basic information security requirements for financial institutions under FTC jurisdiction.1 Those requirements are focused on protecting the privacy of the "customer information" that the financial institutions hold. Higher education institutions aren't considered financial institutions in the traditional sense, but they fall under the legal definition of "financial institution" as set by GLBA, primarily as a result of their student financial aid activities.

Up to this point, colleges and universities generally have not had major concerns about following the Safeguards Rule. The current requirements are fairly broad, but there are relatively few of them, and they leave significant room for institutional discretion in determining how best to comply. Last year, however, the FTC proposed to change all of that by putting forward a plan to dramatically expand the requirements of the Safeguards Rule, both in number and reach.2

EDUCAUSE joined with several other leading higher education associations to submit a formal response to the FTC regarding the proposed changes, and we remain hopeful that those comments will lead to substantial revisions in the final FTC regulations.3 While the higher education community as a whole waits to see what the new version of the Safeguards Rule will look like, the EDUCAUSE Policy Team has produced a pair of brief videos, accompanied by short PowerPoint slide decks, to help EDUCAUSE members understand the Safeguards Rule and how it might change, as well as what those changes would likely mean for colleges and universities. Members may also find the videos and slides useful in their efforts to explain the pending changes and their potential impacts to campus colleagues.

In "Safeguards Rule, Part 1: Changes," Katie Branson, senior associate at Ulman Public Policy, and I discuss what the Safeguards Rule is and how the FTC may dramatically expand the compliance requirements that institutions will have to meet. In "Safeguards Rule, Part 2: Concerns," Branson and I review the problems that the higher education association community sees in the proposed changes from the FTC and the recommendations from the community to the FTC on how to appropriately resolve those issues.

These knowledge resources represent the Policy Team's first foray into producing videos, so we welcome member feedback on both content and format. If you have thoughts or suggestions, please share them with me at [email protected].

For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy page.

Notes

  1. U.S. Federal Trade Commission, "Safeguards Rule," 16 C.F.R. Part 314 (2002).
  2. Jarret Cummings, "FTC Announces Proposed Changes to the Safeguards Rule," Policy Spotlight (blog), EDUCAUSE Review, March 29, 2019.
  3. Jarret Cummings, "Higher Ed Community Responds to Proposed Safeguards Rule Change," Policy Spotlight (blog), EDUCAUSE Review, August 14, 2019.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2020 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.