With the focus rightly on the challenges presented by COVID-19, it is also important to keep an eye on what is happening in the world of data privacy and security regulation. One such development involves a little known application of a financial services privacy law to the world of higher education.

On Feb. 28, 2020, the Federal Student Aid office (“FSA”) of the Department of Education (the “DoE”) posted an Electronic Announcement, advising all entities with an active Program Participation Agreement with the DoE (“Institutions”) that the DoE will begin strictly enforcing the requirement that each Institution must comply with the data privacy and cybersecurity requirements set forth in 16 C.F.R. Part 314 and administered by the Federal Trade Commission (“FTC”).

Although all Institutions have been subject to these compliance requirements for some time (technical application dates back to 2003, and auditing requirements date back to 2016), enforcement actions by the DoE and FTC in the wake of non-compliant audits have been lacking. No longer. According to FSA, that’s about the change.


Continue Reading Higher Education Institutions Must Be Prepared: “Enhanced” Cybersecurity Audits are Coming

Last summer, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act’s data breach notification requirements are already effective and the law’s data security requirements go into effect on March 21. Any company that does business in New York or has customers in New York needs to understand what the law requires.

New York, like many other states, has a data breach notification law that requires businesses to notify consumers when a breach occurs. The SHIELD Act goes further than New York’s previous law, both in its definition of what type of information is covered and in reaching companies that may not have any connection to New York except for having information about New York residents in their database. The SHIELD Act:


Continue Reading The SHIELD Act: What You Need to Know About New York’s New Data Breach Notification Law