What Higher Education Institutions Need to Know to Comply With the FTC’s Safeguards Rule
Institutes of higher education have large databases of personal information, and many have research facilities housing intellectual property that could have high street value. However, colleges and universities may not be aware of the specific requirements when it comes to protecting data, making them prime targets for cybercriminals. These hackers break into the school systems or an education technology company they work with, and it’s become even more common due to the increase in online learning and network usage.
One of the most important elements of many institutes of higher learning is the ability to always remain in compliance with federal and state regulations. However, that’s becoming a little more challenging with the introduction of the amendments the Federal Trade Commission (FTC) has made to their Safeguards Rule.
What is the FTC Safeguards Rule?
With the advent of the internet, Congress passed the Gramm-Leach-Bliley Act in 1999. The act requires companies that provide financial services to inform their customers about how their information is shared and allow customers to opt out of sharing their data.
In 2003, the FTC added the Standards for Safeguarding Customer Information – or the Safeguards Rule, for short – to ensure that all Title IV institutions of higher education (i.e., those that process U.S. federal student aid) comply with specific security guidelines. Now, due to recent high-profile data breaches – including nearly 70 ransomware attacks affecting more than 950 schools and colleges in 2021 alone – the FTC has made amendments to the Safeguards Rule to prioritize protecting consumer information.
FTC Safeguards Rule Requirements
Section 314.4 of the Safeguards Rule identifies nine elements that all Title IV institutions of higher education must include in their information security program. They are as follows:
- Designating someone to implement and supervise your information security program. This person can be an employee or can work for an affiliate or service provider.
- Conducting a risk assessment. The assessment must identify risks and threats that could compromise the security of students, staff, and others.
- Implementing safeguards to control risks. This includes:
-Understanding who has access to student and staff information and whether they need it.
-Keeping an inventory of all systems, devices, platforms, and personnel.
-Encrypting student and staff information or securing it through effective alternative controls.
-Assessing your apps, if applicable, and implementing procedures for their security.
-Implementing multi-factor authentication for anyone accessing student or staff information on your system.
-Disposing of student and staff information securely.
-Anticipating and evaluating changes to your information system or network as needed.
-Maintaining a log of authorized users’ activity and watching for unauthorized access.
- Monitoring and testing the effectiveness of your safeguards. Colleges and universities must regularly test procedures for detecting actual and attempted attacks.
- Training your staff. Employees must understand the importance of security and be trained to spot risks and threats.
- Monitoring your service providers. All service providers must have the skills and experience to maintain appropriate safeguards.
- Keeping your information security program current. Adjusting security protocols based on changes to operations or personnel, following risk assessments, or after identifying emerging threats.
- Creating a written incident response plan. Title IV institutes of higher learning are required to have a “what if” plan in place should it experience a security event. This includes the steps your operation will take in the event of an incident, the roles/responsibilities of personnel, processes to fix weaknesses, and more.
- Reporting to your board of directors. Your head of security must report in writing regularly to your Board of Directors or governing body regarding your information security program.
Recent FTC Safeguards Rule Amendments
The Safeguards Rule was amended in January 10, 2022 and become effective in December 2022, to ensure that financial institutions’ practices are taking into account modern technologies.
It added five modifications to make their protection of customer data more robust:
- Security programs must include authentication and data should be encrypted. The rule also requires the risk assessment be set forth in writing. As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.
- Financial institutions need to improve their accountability when preparing their annual reports. Periodic reporting to boards of directors or governing bodies is also required in order to ensure their awareness and make it more likely that institutions will receive the required resources and be able to protect consumer information.
- It exempts financial institutions that collect information from less than 5,000 consumers from some of the rule’s original nine requirements — specifically of having a written risk assessment, an incident response plan and preparing the annual report to the board of directors.
- It expands the definition of financial institutions to include entities that conduct activities that are incidental to financial services.
- It includes a glossary of terms related to technology, so that there is clarity regarding data security practices.
Exceptions to the Revised Rule
The final Rule contains exceptions for those organizations that maintain customer information on fewer than 5,000 consumers. The exceptions reduce some of the requirements, however, this should not prevent your dealership from implementing a robust cybersecurity program that not only protects your customers, but also your brand, reputation, and revenue.
How SCA Makes It Easier to Comply with the FTC’s Safeguards Rule
Implementing changes for compliance can be expensive. Since most colleges and universities are focused on controlling costs in order to keep tuition low and attract new students, complying with the new rules – including the upfront and annual recurring costs for hiring a Chief Information Security Officer (CISO) and implementing the required measures – can really break an educational institution’s budget.
At SCA, we know education is your focus, not cybersecurity. With our Centurion ESO Program, we become your CISO and report to your institution’s Board of Directors as required for less than half what it would cost to manage it on your own. We have more than 17 years of experience successfully implementing information security programs. We also specialize in the measures enumerated within the Safeguard Rule, including:
Cybersecurity Risk Assessments
This is the central element of the FTC’s Safeguards Rule. At SCA, we conduct thorough cybersecurity risk assessments — documenting strengths, weaknesses and corrective advice to elevate your cybersecurity program. The outcome prioritizes risks so that you can make risk based decisions about security efforts.
Penetration testing is a reliable way to test security protocols by simulating cyberattacks. This is done to identify exploitable vulnerabilities within your networks and/or applications. They are effective because they reflect the same methodologies cyber criminals use. This enables you to identify whether your current safeguards are working and how fast your response would be in the event of a security breach.
Our penetration testing services are also specifically designed to comply with regulatory and federal industry requirements.
Ensure Compliance With SCA Security
While everyone can install firewalls and conduct regular virus scans, federal compliance requires a more robust approach to cybersecurity. And not only do we have the extensive experience to ensure that you’re keeping track of all requirements, our teams have the specific expertise that’s necessary to comply with industry, state, and federal rules — including the FTC Safeguards Rule.
Contact us to ensure you’re working with someone who understands the ins and outs of these regulations. We’ll become an extension of your team, so that you can focus on educating students while we help you take care of protecting your data.