EDUCAUSE Comments: Proposed FTC Safeguards Rule Changes

Abstract

On August 2, 2019, EDUCAUSE joined the American Council on Education (ACE) and several other higher education presidential and professional associations in submitting comments on changes proposed by the Federal Trade Commission (FTC) to its Safeguards Rule. The Safeguards Rule, established by the FTC in 2003 under the Gramm-Leach-Bliley Act (GLBA), mandates that organizations legally defined as “financial institutions” take certain steps to ensure the security and integrity of “customer information.” Higher education institutions fall under that definition because of their role in facilitating student access to federal financial aid.

In Spring 2019, the FTC presented proposed changes to the Safeguards Rule that would dramatically expand the nature and scope of its requirements. The EDUCAUSE Policy Team worked with Higher Education Information Security Council (HEISC), EDUCAUSE Policy Advisory Committee (EPAC), and other EDUCAUSE members on a range of responses that would ultimately form the basis of the associations’ comments. Key points included:

  • The FTC’s proposed six-month grace period before the new requirements would take effect would not allow enough time for institutions to comply; it should instead allow institutions two years to achieve compliance with a one-year deadline for developing a plan to do so.
  • The exception from certain requirements for “small institutions” should include a definition of “small institution” for colleges and universities based on Carnegie Classification to ensure that the exception is appropriately applied in the higher education context.
  • Many provisions of the FTC proposal should be revised to account for institutional adoption of cloud services, which affects when, where, and how affected institutions would be able to establish compliance with the new requirements.
  • The FTC should revise many other provisions to ensure their scope is limited to systems and data covered by the Safeguards Rule; this would allow the FTC to avoid asserting authority over institutional information security in general, which at higher education institutions extends well beyond the “customer information” under the FTC’s purview.