CLIENT ALERT: FTC’S UPDATED REQUIREMENTS TO GLBA “SAFEGUARD RULE” EFFECTIVE DECEMBER 9, 2022
By Linh Nguyen and Dan Lydon
Nearly one year ago, the Federal Trade Commission (“FTC”) issued a Final Rule on standards for safeguarding customer information (“Safeguard Rule”) pursuant to the Gramm Leach Bliley Act (“GLBA”). The GLBA is a data privacy law that requires “financial institutions” to implement policies and standards governing the collection, disclosure, and protection of customer nonpublic personal information. Higher education institutions must comply with the GLBA, as required by their Program Participation Agreement, in order to protect student financial aid information and records.
While much of the FTC’s Final Rule became effective on January 10, 2022, the FTC delayed the effective date of provisions related to the Information Security Program (“ISP”) until December 9, 2022. Previously, the FTC required financial institutions, including higher education institutions, to implement an ISP, but did not specify requirements for safeguarding information within those programs. The Final Rule altered the previous requirements and added specificity to the elements of an ISP. Notable requirements of the Final Rule include:
- The ISP must be written, and colleges and universities must make the ISP available in “one or more readily accessible parts.” The Final Rule does not provide examples of access that would meet this requirement.
- Colleges and universities must identify a qualified individual responsible for overseeing, implementing, and enforcing the ISP. This individual can be employed by the institution itself, can be an affiliate, or can be a third-party service provider. However, when designating an affiliate or third-party service provider, the institution must retain responsibility and must designate a senior member to oversee and direct their work. Additionally, the qualified individual will be responsible for submitting to the institution’s governing board an annual written report about the ISP. This annual report must meet certain requirements as specified in the Final Rule.
- Colleges and universities must conduct a written risk assessment on the security of the institution’s customer information. The risk assessment must speak to:
- The criteria used to evaluate and classify the relevant security risks that the institution has identified;
- The criteria used to assess the confidentiality, integrity, and availability of the institution’s information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats the institution faces; and
- The ways in which identified risks from the risk assessment will be mitigated or accepted and how the ISP will address the risks.
The risk assessment must also be periodically reexamined in light of reasonably foreseeable external and internal risks.
- Colleges and universities must design and implement safeguards based on the risks identified in their risk assessments. The safeguards must include:
- Technical and physical access controls on customer information to limit access to authorized users and limit those users’ access to the scope of their authorizations;
- Identification and management of “the data, personnel, devices, systems, and facilities” central to an institution’s operations in light of their “relative importance to business objectives and the institution’s risk strategy;”
- Encryption of all customer information “held or transmitted” by the institution when “in transit over external networks or at rest
- Secure development practices for any internally developed applications and security assessment procedures for any externally sourced applications that the institution uses to “transmit, access, or store customer information;”
- Implementation of multi-factor authentication for any individual accessing an information system, subject to exceptions determined in writing by the designated qualified individual overseeing the ISP;
- Procedures in the event of a change in management; as well as
- Measures to monitor and register the activity of authorized users and to detect when they have accessed, used, or tampered with customer information outside the scope of their authorization.
- Colleges and universities must test or monitor the effectiveness of the safeguards set forth in their ISP at least every six months, whenever the institution experiences significant operational changes, or an incident that may have a “material impact” on the ISP occurs.
- Colleges and universities must provide security awareness training for personnel consistent with the results of their risk assessment and such training must be sufficient to address security risks. Institutions should also verify that personnel take steps to stay current with changing security threats and countermeasures.
- Colleges and universities must establish a written incident response plan to promptly address a security event. The Final Rule lists requirements of the response plan, which requires at minimum the goal of the plan; the internal processes for responding to a security event; the definition of clear roles, responsibilities and levels of decision-making authority; external and internal communications and information sharing; remediation of identified weaknesses; documentation and reporting of security events; and evaluation and revision to the written incident response following a security event.
In advance of the December 9, 2022, deadline, colleges and universities should seek compliance with the FTC’s Safeguard Rule as amended by the Final Rule. We encourage institutions to contact HMBR’s Higher Education Group with any questions or concerns about the Final Rule and/or the GLBA.