Federal Trade Commission

With the focus rightly on the challenges presented by COVID-19, it is also important to keep an eye on what is happening in the world of data privacy and security regulation. One such development involves a little-known application of a financial services privacy law to the world of higher education.

On Feb. 28, 2020, the Federal Student Aid office (“FSA”) of the Department of Education (the “DoE”) posted an Electronic Announcement, advising all entities with an active Program Participation Agreement with the DoE (“Institutions”) that the DoE will begin strictly enforcing the requirement that each Institution must comply with the data privacy and cybersecurity requirements set forth in 16 C.F.R. Part 314 and administered by the Federal Trade Commission (“FTC”).

Although all Institutions have been subject to these compliance requirements for some time (technical application dates back to 2003, and auditing requirements date back to 2016), enforcement actions by the DoE and FTC in the wake of non-compliant audits have been lacking. No longer. According to FSA, that’s about to change.


Continue Reading Higher Education Institutions Must Be Prepared: “Enhanced” Cybersecurity Audits are Coming

With this year’s high-profile breach at a large consumer reporting agency and credit cards ringing up balances during this holiday season, I have been fielding numerous calls from people in both a professional and personal capacity on what they should be doing to “truly” protect their identity and their credit accounts. I often find myself reiterating some of the basics of the laws in place to protect you and to empower you to safeguard your credit information. So, I thought a quick post sharing that information might be timely, helpful and possibly buy you some peace of mind.

  1. No one will care more about your privacy and security than you. Let me begin by reiterating a common mantra of mine: No one will care more about your privacy and security than you. While the law can provide a remedy and some protections, it will never move faster than you, nor will it know as much about your individual situation as you do. In truth, the law is your last remedy when dealing with information security-related issues. That said, there are protections and tools available to you at the federal and state level of which you might be able to avail yourself.
  2. Federal and state law. At the federal level, the privacy and security of your information stored by consumer reporting agencies (“CRAs”) is regulated under the Fair Credit Reporting Act (“FCRA”). The FCRA regulates the use of consumer report information, or any information that might be used to determine your eligibility for something, such as a loan, apartment rental, job, license, etc. As this information includes sensitive details such as your social security number, date of birth, as well as details of your financial and professional history, the FCRA assigns many duties and obligations to CRAs and users of consumer reports. On top of that, many states have their own version of a fair credit reporting act that mirrors the federal law. In some cases, the state act provides more restrictions and protection on the use of personal information than the federal version.


Continue Reading Just Chill: Why the Credit Security Freeze May be Your Best Defense in the Data Breach Era