By: Jon Schultz, CPA, and Kimberly Haynes, CPA
Final regulations for the Federal Trade Commission’s amended Standards for Safeguarding Customer Information, C.F.R. Part 314 became effective June 9, 2023. The Safeguards Rule, as it is commonly known, establishes rigorous data security requirements for colleges and universities that handle student financial information.
What is the Safeguards Rule?
The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act) intended to strengthen consumer data protection practices by financial institutions.
Institutions of higher education (IHEs) that administer federal student financial aid fall into this category as well since they collect and store sensitive financial data from students and parents. The obligation to comply with C.F.R. Part 314 is included in the U.S. Department of Education (ED)’s Program Participation Agreement (PPA) that IHEs sign.
Security program elements
Meeting the updated standards demands a multi-faceted approach to securing information throughout the data lifecycle. The FTC specifies nine elements that must be included in a program for securing student financial data under the Safeguards Rule, which are:
- Designating an individual responsible for oversight, implementation and enforcement of the security program;
- Periodically conducting and documenting formal risk assessments;
- Designing and implementing safeguards based on identified risks ;
- Continual monitoring and regular testing of the effectiveness of controls, including penetration testing and vulnerability assessment;
- Implementing effective staff training to execute the program;
- Providing adequate oversight of security program service providers ;
- Evaluating and adjusting the security program based on the results of risk assessment and testing (elements numbers two and four);
- Establishing a written incident response plan; and
- Providing annual written reports to the board of directors, senior officers or governing body detailing overall compliance and activities related to each element
Smaller IHEs may not have to include all nine elements; there is a limited exception for IHEs that maintain information for fewer than 5,000 individuals (students, parents or others considered consumers under GLBA). IHEs that meet this size limitation may omit elements numbers eight and nine in their information security program and still be deemed fully compliant.
Mandatory safeguards
The safeguards referenced in element number three of the security program requirements are quite broad. Your program will reflect the individual characteristics and risks of your IHEs to some degree, but it must include certain safeguards to adequately secure consumers’ sensitive financial information.
In a 2022 publication entitled FTC Safeguards Rule: What Your Business Needs to Know, the FTC spells out eight required safeguards. (Note that the requirements are relayed verbatim here but the publication itself includes more detailed guidance to help IHEs understand them.)
- Implement and periodically review access controls.
- Know what you have and where you have it.
- Encrypt customer information on your system and when it’s in transit.
- Assess your apps.
- Implement multi-factor authentication for anyone accessing customer information on your system.
- Dispose of customer information securely.
- Anticipate and evaluate changes to your information system or network.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
Making sense of the new standards
Meeting the Safeguards Rule can be not only challenging but also confusing as IHEs work to incorporate the new standards into their processes. Unlike banks and other traditional financial institutions, financial data comprises only a small portion of the information IHEs manage. That leaves leaders wondering how to distinguish which data is subject to the rule.
Does financial data have to be encrypted at all times or only as it moves from one system to another? Do IHEs have to track and log all system users’ activities at all times? These and similar questions demand further guidance, and the answers significantly impact the level of difficulty that compliance poses.
Confusing or not, PPA signatories must comply with the Safeguards Rule and demonstrate their efforts during annual student aid compliance audits. ED understands that C.F.R. Part 314 is a high hurdle, but it wants to see a good-faith effort to immediately design and implement an effective program that fulfills all the requirements of the Safeguards Rule. Noncompliance is a violation of Title IV program requirements and could lead to loss of eligibility.
It’s important to seek assistance from a qualified information security advisor who understands the unique challenges that IHEs face today. The data security experts at Mauldin & Jenkins can help ensure your security program meets the Safeguards Rule with minimum cost and disruption to your IHE.
