How FTC Updates To “Safeguards Rule” Impact Higher Education Institutions

On December 9, 2021, the Federal Trade Commission (FTC) published a final rule amending the requirements for safeguarding customer information under the Gramm-Leach-Bliley Act (GLBA) (the Safeguards Rule). The Safeguards Rule has long specified cybersecurity standards under which financial institutions must maintain customer information, including higher education institutions (thanks to their participation in the federal student financial aid program). This is a significant development for our Higher Ed customers because it effectively mandates any Title IV participating institution to follow the updated guidelines.

Obligatory disclaimer: This article isn’t legal advice. Instead, it is a high-level look at new security regulations that affect our higher education customers. Therefore, we recommend that you seek guidance from your legal department and other relevant experts.

Key Security Elements Of The Updated Safeguards Rule

While the amendments still allow some flexibility, they now include detailed criteria that higher education institutions must implement. This includes more detailed requirements for developing and establishing an information security program. Here’s a brief look at some of the security elements from the updated Safeguards Rule that higher education institutions should be aware of:

• 314.4(c) Implement and maintain technical and physical access controls on customer information to limit access to authorized users and limit those users’ access to the scope of their authorizations.
• 314.4(c) Implement measures to “monitor and log the activity of authorized users” and to detect when they have accessed, used, or tampered with customer information outside the scope of their authorization.
• 314.4(c) “Implement multi-factor authentication for any individual accessing any information system.”
• 314.4(d)(2)—Implement continuous monitoring of “information systems” (as defined in 314.2) or annual penetration testing with vulnerability assessments at least every six months.
• 314.4(f)(3)—Periodically assess the information security risks that your institution’s service providers present and the adequacy of the safeguards they deploy to ensure that they are following the provisions of the Rule.
• 314.4(f)(3)—Periodically assess the information security risks that your institution’s service providers present and the adequacy of the safeguards they deploy to ensure that they are following the provisions of the Rule.

Pathlock can help organizations with these requirements. Here’s how:

• Implementing fine-grained, dynamic (ABAC) controls while continuing to leverage the role-based controls that are already defined and in-use across the organization.
• Implementing dynamic MFA, not just at the perimeter but also at the application, transaction, and data level (inline.)
• Granular Activity Logging to provide visibility into data access and usage trends
• Real-time user activity monitoring to ensure that security controls are properly enforced
• Audit trail to aid investigation and remediation efforts

What Else Is Included In The Updated Safeguards Rule

In addition to specific security controls, the amendments also include new requirements for risk assessments and new accountability and reporting requirements to boards of directors. We encourage you to review the revised regulations because some parts of the amendments may be more relevant to your institution’s needs than others. (pages 109–128 of this PDF document specifically cover the new rule)

Effective Date Of The Updated Safeguards Rule

Due to the time required to implement many of the described provisions, the effective date of most above-described elements is December 9, 2022.

Next Steps

You don’t want to wait until the last minute to implement any of these security mandates. Contact us today to learn how we can help ensure that your information security program meets these new federal requirements.

Sources, References, And Further Reading:

• “Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule,” by Jarrett Cummings, EDUCAUSE
• “FTC Updates to “Safeguards Rule” Has Impacts for Higher Education Institutions,” by Sarah Pheasant & Jonathan Tarnow Faegre, Drinker Biddle & Reath LLP
• Standards for Safeguarding Customer Information (PDF) by The Federal Trade Commission