Federal regulators have enhanced their requirements that colleges and universities have a comprehensive cybersecurity program in place. If they don’t, they may be unable to participate in Title IV programs and award federal financial aid. That is the result of the June 9 effective date for the Federal Trade Commission’s (FTC) updated rule on safeguarding consumer information, a component of the Gramm-Leach-Bliley Act (GLBA).
The U.S. Department of Education has made clear that the Safeguards Rule, as it’s commonly called, applies to all postsecondary institutions that participate in financial aid programs under Title IV of the Higher Education Act.
“Institutions and servicers are required to develop, implement, and maintain a written, comprehensive information security program,” according to an Office of Federal Student Aid (FSA) announcement. “The FTC’s regulations require that the information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.”
Those requirements are the latest—but by no means the only—example of how cybersecurity and data privacy have become mission-critical for college and university leaders.
Take the case of a college we represented last year after a cybersecurity breach. The college initially handled the breach through its insurance broker and thought it was resolved. Months later, the college received notice that the U.S. Department of Education was putting it through a program review for Title IV compliance. The department’s reason for the program review: concerns with how the college prepared for and responded to the data breach. In other words, what started with a breach turned into an audit of its entire financial aid program.
The result of a Title IV compliance review could include fines, submitting technically perfect requests to the department for reimbursement and even losing eligibility for financial aid. Fortunately, the college successfully made it through the review, but it required significant time and resources from its leaders, staff and counsel.
That review also took place before the additional compliance burden of the updated Safeguards Rule. The FSA has translated that rule into nine elements that colleges and universities must include in their information security program, among them:
- Designate one person responsible for overseeing and implementing the security program. For institutions maintaining information on 5,000 or more students, that person is required to report on the security program “regularly and at least annually to those with control over the institution.”
- Base the program on a risk assessment that identifies “reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.”
- Test or otherwise monitor the effectiveness of the safeguards implemented “regularly.” From there, institutions must evaluate and adjust their programs in light of the results, changes to their operations or vendor arrangements, and “any other circumstances that it knows or has reason to know may have a material impact on the information security program.”
- Establish an incident response plan for cybersecurity breaches if the institution maintains information on 5,000 or more students.
As part of its Safeguards Rule announcement, the FSA also encouraged institutions to “begin incorporating” controls published by the National Institute of Standards and Technology: NIST 800-171. Those controls include technical components in areas such as access permissions, network integrity, encryption and vulnerability scanning.
Colleges in some states will already be familiar with NIST. North Carolina’s community college system, for example, requires its institutions to adhere to standards based on the NIST framework. Given that various American industries have adopted that framework and that the Department of Education has said it will issue guidance on NIST compliance, it is a wise investment for colleges and universities to begin budgeting and planning for NIST controls.
In navigating all of the above, college and university leaders may find it especially valuable to partner with experienced lawyers at the intersection of cybersecurity and higher education. There are nuances that insurance counsel, for example, may not be able to provide guidance on. All institutions would benefit from proactive planning on how federal and state requirements are evolving, as well as what to do the minute a breach occurs.