FTC July Workshop on Safeguards Rule Changes

The Federal Trade Commission (FTC) held a workshop on July 13, 2020, to get expert feedback on proposed Safeguards Rule changes. The FTC will take written input as well through August 12. EDUCAUSE members should consider providing examples of problems that the proposed changes might cause for their institutions.

In March 2019, I reviewed the extensive array of changes that the Federal Trade Commission (FTC) has proposed to make to its Safeguards Rule, a regulation that derives from the Gramm-Leach-Bliley Act (GLBA).[1] EDUCAUSE joined with several higher education associations to submit comments to the FTC about its proposals, highlighting the numerous ways in which the potential new requirements needed further refinement to avoid creating substantial problems for colleges and universities.[2]

After reflecting on the stakeholder feedback about the proposed changes to the Safeguards Rule, the FTC decided to host a public workshop to gather more information about the potential impacts of its proposals on covered organizations. The event page for the workshop highlights some of the key discussion points, such as the general costs and benefits of the new security requirements and the particular financial and operational challenges that organizations might face if the FTC's mandates on continuous network monitoring, penetration testing/vulnerability assessments, data encryption (in transit and at rest), and multifactor authentication were imposed.

The EDUCAUSE community was well-represented at the workshop, with a member CISO or CIO serving on all but one panel (which focused on small businesses). As the archived videos of the panels demonstrate, EDUCAUSE members did a great job reflecting on the topics from the unique perspective of the higher education community. The first video sets the context for the event and includes recorded panel discussions on general costs and benefits and small business issues. The second video showcases the panels on continuous monitoring and penetration testing/vulnerability assessments, proposals for institutional governance in relation to information security, and possible challenges with encryption and multifactor authentication.

The FTC will accept written comments via the Regulations.gov website through August 12. Comments are supposed to relate to the workshop topics, but the original issues that were slated for discussion at the event address a more comprehensive, but still related, array of topics. Consider those issues to be "on the table" when commenting about the challenges that the FTC's Safeguards Rule proposals may present for your institution. You should also feel free to expand into other areas of the Safeguards Rule that have been identified for possible revision, since all of those areas ultimately impact the cost/benefit analysis of the dramatic expansion in requirements that the FTC has put on the table. (For more information, see the references linked in the endnotes.)

At this point, examples and stories about the negative effects that the proposed changes to the Safeguards Rule will have on individual institutions will likely have the greatest impact on the FTC's thinking. With that in mind, EDUCAUSE urges members to submit concerns directly to the FTC on or before August 12. In particular, if you think that your institution will have significant difficulty with funding and/or implementing continuous monitoring, penetration testing/vulnerability assessments, encryption of relevant data in transit and at rest, or multifactor authentication for relevant systems, don't hesitate to highlight those problems for the FTC. Likewise, if you find the FTC's proposals for institutional governance and human resources requirements to be too intrusive or unworkable for your institution, now is the time to indicate why and what more reasonable alternatives might be. In the meantime, EDUCAUSE will continue to work with its higher education partners to stress to the FTC the importance of maximizing institutional flexibility and discretion in relation to Safeguards Rule compliance.

For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy web page.

Notes

  1. Jarret Cummings, "FTC Announces Proposed Changes to the Safeguards Rule," Policy Spotlight (blog), EDUCAUSE Review, March 29, 2019.
  2. Jarret Cummings, "Higher Ed Community Responds to Proposed Safeguards Rule Change," Policy Spotlight (blog), EDUCAUSE Review, August 14, 2019. For additional details about how EDUCAUSE contributed to the higher education community's response, see Jarret Cummings, "Safeguards Rule Comments Deadline Extended to August 2," Policy Spotlight (blog), EDUCAUSE Review, June 7, 2019.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2020 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.