On February 9, 2023, the Department of Education Office of Federal Student Aid (“FSA”) issued an electronic notice regarding the Federal Trade Commission’s Final Rule amending the Standards for Safeguarding Customer Information (“Safeguards Rule”) under the Gramm-Leach-Bliley Act (“GLBA”). The amendments to the Safeguards Rule, which go into effect on June 9, 2023, include updated data security requirements for financial institutions, including all Title IV institutions of higher education and servicers.
As set forth in the FSA’s electronic notice, the Department of Education (“Department”) will be responsible for enforcing the amendments to the Safeguards Rule for postsecondary institutions that participate in federal student aid programs. Any finding of noncompliance will be resolved by the FSA as part of its final determination of an institution’s administrative capability. A finding of noncompliance with the GLBA will have the same effect on participation in Title IV programs as would any other determination of noncompliance. Additionally, if the FSA’s cybersecurity team determines the institution poses a substantial security threat, it may temporarily or permanently disable the institution’s access to FSA application systems.
Below we address the background, requirements, and enforcement of the new Safeguards Rule, as well as some steps Title IV institutions can take to ensure they comply with the new regulations.
The new Safeguards Rule provides financial institutions with specific details on their obligations to protect consumer (i.e., student) financial information. As described in the Program Participation Agreements of postsecondary institutions participating in the Title IV financial aid programs, several “Dear Colleague” letters, and the FSA Handbook, Title IV schools are considered “financial institutions” subject to the legal obligations to protect student information set forth in the GLBA and Safeguards Rule. Therefore, when the new Safeguards Rule goes into effect in June 2023, it will vest the Department with the authority to oversee and enforce stringent privacy, security, and reporting requirements for Title IV schools. Critically, the FSA has indicated that GLBA compliance will also be a part of its annual audit program.
NEW CYBERSECURITY OBLIGATIONS FOR TITLE IV SCHOOLS
Whereas the previous iteration of the Safeguards Rule generally required financial institutions—including Title IV schools—to develop, implement, and maintain a comprehensive, written information security program containing administrative, technical, and physical safeguards, the new rule sets forth nine specific elements that must be included within every Title IV school’s information security program. Among these new requirements are:
- Conducting a risk assessment. This assessment should be written and should identify reasonably foreseeable risks to the security, confidentiality, and integrity of information obtained as a result of providing a financial service to a past or present student, and assess whether the safeguards that the school has in place are sufficient.
- Designing, implementing, and testing safeguards. Using information from the risk assessment, Title IV schools must design and implement safeguards to protect against the risks identified. Schools must regularly test these safeguards to confirm they function as intended.
- Preparing a written information security program (“WISP”). Schools must have a WISP that documents and assesses the safeguards protecting against the reasonably foreseeable risks to the security, confidentiality, and integrity of information obtained as a result of providing financial services to a past or present student.
- Designating a Qualified Individual for oversight. The new Safeguards Rule mandates that schools designate a Qualified Individual who will be responsible for developing, implementing, maintaining, and enforcing the safeguards and information security program.
Title IV schools with student information for more than 5,000 individuals have additional requirements—such as developing and maintaining an incident response plan and having the Qualified Individual regularly report on their information security programs.
ENFORCEMENT OF THE NEW SAFEGUARDS RULE
Any GLBA findings identified through a compliance audit or any other means after the effective date of the new Safeguards Rule will be resolved by the Department as part of its final determination of an institution’s administrative capability. GLBA-related findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of noncompliance.
If the Department determines that a Title IV school is not in compliance with the new Safeguards Rule, it will require the institution to develop or revise its information security program and provide the Department with a corrective action plan specifying its Safeguards Rule compliance timeline, even if no data breaches have occurred and no security systems have been compromised. Repeated noncompliance may result in an administrative action by the Department, which could impact the institution’s participation in Title IV programs.
The Department’s recent notice does not address enforcement in cases where there has been a data breach or system compromise. However, the FSA cybersecurity team typically conducts thorough investigations of cyber incidents that occur at Title IV schools and servicers.
NEXT STEPS FOR TITLE IV SCHOOLS
Current guidance from the Department indicates that NIST 800-171 provides the framework for the measures that are expected under GLBA. If they have not already done so, Title IV schools and servicers should work with legal counsel and cybersecurity experts to ensure compliance with NIST 800-171 in preparation for the new Safeguards Rule taking effect on June 9, 2023.
The new Safeguards Rule will add another layer of complexity to the byzantine legal requirements for postsecondary institutions, but compliance can be achieved through careful planning and the appropriate guidance. Although postsecondary institutions share some common challenges, each faces unique risks. Safeguards should be tailored appropriately to ensure the measures implemented fit the institution’s needs. By working closely with experienced privacy counsel to conduct risk assessments and develop the corresponding safeguards, engaging in useful practical testing, and refining safeguards, postsecondary institutions can help ensure their programs fit their needs and comply with the requirements of the Safeguards Rule.