EDUCAUSE Comments: FTC Safeguards Rule Proposed Reporting Requirement

Abstract

EDUCAUSE joined the American Council on Education (ACE) and eleven other higher education associations in submitting comments to the Federal Trade Commission (FTC) regarding its proposal to add a reporting requirement to the FTC Safeguards Rule. The FTC’s proposed regulation would require covered entities, including colleges and universities, to report security events to the FTC when an entity has determined that the misuse of customer information (e.g., student financial aid information) has occurred or is reasonably likely to do so and the data of at least 1,000 consumers is involved.

The higher education groups stated that the proposed regulation strikes an appropriate balance between institutions’ compliance responsibilities and the burden that would be involved in meeting the reporting requirement. They encouraged the FTC, however, not to adopt a broader reporting threshold, but to allow for a delay in reporting at the request of law enforcement and to explicitly exclude from reporting events involving encrypted data where no reasonable basis exists to think that the encryption has been compromised.