With the focus rightly on the challenges presented by COVID-19, it is also important to keep an eye on what is happening in the world of data privacy and security regulation. One such development involves a little-known application of a financial services privacy law to the world of higher education.
On Feb. 28, 2020, the Federal Student Aid office (“FSA”) of the Department of Education (the “DoE”) posted an Electronic Announcement, advising all entities with an active Program Participation Agreement with the DoE (“Institutions”) that the DoE will begin strictly enforcing the requirement that each Institution must comply with the data privacy and cybersecurity requirements set forth in 16 C.F.R. Part 314 and administered by the Federal Trade Commission (“FTC”).
Although all Institutions have been subject to these compliance requirements for some time (technical application dates back to 2003, and auditing requirements date back to 2016), enforcement actions by the DoE and FTC in the wake of non-compliant audits have been lacking. No longer. According to FSA, that’s about to change.
Background
The Gramm-Leach-Bliley Act (“GLBA”) requires domestic financial institutions to “protect the security and confidentiality of [their] customers’ non-public personal information.”
Under the GLBA, the FTC was granted rulemaking and enforcement authority to establish technical requirements in furtherance of the same. Accordingly, on May 23, 2002, the FTC published its final Privacy Rule (16 C.F.R. Part 313) and Safeguard Rule (16 C.F.R. Part 314).
Whether GLBA applied to higher-education institutions was immediately called into question, and lobbyists sought to exempt colleges and universities from the GLBA outright.
In January 2003, the FTC confirmed that higher-education institutions engaged in processing student financial aid through FSA do constitute “financial institutions” under the GLBA and, therefore, are subject to both the GLBA’s Privacy Rule and Safeguard Rule with respect to managing their customers’ (i.e., students’) non-public personal information. Fortunately, the Privacy Rule expressly provides that higher education institutions that comply with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations are deemed to be in compliance with the GLBA’s Privacy Rule. See 16 C.F.R. § 313.1. However, no such cross-regulatory relief is provided from the requirements of the Safeguard Rule.
“Enhanced” Audit Requirements
Beginning in September 2016, the FSA and DoE incorporated GLBA compliance checks into their Annual Audit Guide, including general compliance with the GLBA Safeguard Rule. These compliance checks, however, were limited in scope to general acknowledgements of satisfactory conduct, not particularized compliance review. Accordingly, Institutions had little incentive to change their behavior if they had failed to comply with the specific requirements of the GLBA Safeguard Rule.
But a September 2019 letter from the DoE’s Office of Inspector General now makes clear that specific compliance with elements of the GLBA Safeguard Rule will be expected from Institutions, and audits in 2020 and beyond will focus on such compliance.
Under these “enhanced” requirements, an audit of an Institution will specifically review for the following elements:
- The Institution must designate an individual to coordinate its information security program.
- The Institution must perform a risk assessment that addresses the following three required areas, as described in 16 C.F.R. 314.4(b):
  - Employee training and management;
  - Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
  - Detecting, preventing and responding to attacks, intrusions, or other systems failures.
- The Institution must document a safeguard for each risk identified in Step 2 above.
Best Practices Going Forward
The operative question that an Institution must ask itself is “can my Institution identify how I’m achieving each of the three requirements above?” If the answer is “no,” your next annual compliance audit could present more challenges than normal.
While reviewing your compliance with the GLBA Safeguard Rule requirements, please be aware that the FTC is currently reviewing public comments on proposed revisions to the GLBA Safeguard Rule. To stay ahead of the curve, we recommend that Institutions direct a keen eye to their cybersecurity program’s compliance with the current GLBA Safeguard Rule as well as the proposed revisions to the same.
Taft manages a host of risk assessment tools and stands ready to help your Institution review its current compliance performance. If you have questions or concerns related to meeting the requirements above, or any other issues impacting your Institution’s data privacy or security, please contact a member of Taft’s Privacy & Data Security Practice Group or our Higher Education industry group.