U.S. Department of Education Announces Updated Data Security Expectation for Postsecondary Institutions

On February 9, 2023, the U.S. Department of Education (Department) published Electronic Announcement General-23-09 (EA) summarizing updated requirements of the “Safeguards Rule” as adopted by the Federal Trade Commission (FTC) pursuant to the Gramm-Leach-Bliley Act (GLBA) and applicable to postsecondary institutions that participate in the Title IV federal student aid programs. As noted in an earlier alert on GLBA applicability to higher education, all such institutions, whether public, private nonprofit or for-profit, agree as part of their Title IV Program Participation Agreement (PPA) to comply with the GLBA as enforced by both the Department and the FTC. This alert summarizes the Department’s updated GLBA guidance and compliance requirements, which take effect for Title IV-participating postsecondary institutions and third-party servicers (as such latter term is defined by the Department) on June 9, 2023.

Students as Customers

Because the regulations implementing GLBA focus on “customer information” and the safeguarding of “customer” data, postsecondary institutions may not immediately associate such terminology with their educational mission and operations. However, the Department has long stated, and the EA emphasizes, that any information which is “obtained as a result of providing a financial service” — including the administration of Title IV federal student aid to students, the making of institutional loans, participating in income-sharing agreements, or the certification or servicing of private education loans for students — constitutes customer information for GLBA purposes. As a result, the personal and financial information of current and former students — when held, obtained, managed or transmitted by the institution — is subject to the protections of the Safeguards Rule.

Required Elements of a Written Information Security (IS) Program

The EA reminds institutions and third-party servicers that the Safeguards Rule requires a written information security program which reflects the following seven characteristics:

1. It designates a “qualified individual” to oversee and enforce the information security program at the institution or servicer;
2. It is based on a risk assessment that accounts for both internal and external risks, and which evaluates the adequacy of existing safeguards in light of these risks;
3. It provides for the implementation of the risks identified in the risk assessment described above, and must at least provide for the following eight “minimum safeguards”:
   • Review of physical or other access to information, including review of authorized users;
   • Evaluation of the data, personnel, devices, and systems on which the institution conducts its business,
   • and their necessity in light of the information security risk they may present;
   • Encryption of all customer information, whether static or in transit;
   • Development of secure in-house applications to reduce risk to consumer information;
   • Implementation of two-factor authentication;
   • Development of secure data disposal procedures;
   • Adoption of change management policies; and
   • Implementation of procedures and controls to monitor and log authorized user activity.
4. It requires regular testing or monitoring of the effectiveness of its safeguards;
5. It establishes policies to educate and train personnel who can enact and maintain the information security program;
6. It describes effective oversight of IS service providers; and
7. It accounts for the need to re-evaluate, adjust, and otherwise modify the written information security program in light of testing, monitoring, training, risk assessment, changes in business practices or operations, or other circumstances that may materially impact the information security program.

In addition, institutions that maintain 5,000 or more student records must establish an Incident Response Plan for the prospective occurrence of a data breach and must mandate a report by the “qualified individual” to the institution’s information security leadership on at least an annual basis.

The EA also notes that institutions may benefit from encrypting information that travels into or out of its information systems, or while stored on such systems, and also notes that multi-factor identification can reduce instances of unauthorized access to student/customer information. The EA also invites institutions to review the FTC’s May 2022 “compliance guide” on the Safeguards Rule, which is available here.

Compliance Guidance and Enforcement Processes

The EA further notes that information security, and compliance with the Safeguards Rule specifically, are requirements for an institution to be deemed administratively capable to administer Title IV programs under 34 CFR § 668.16. The EA states that the Department “intends to work with all institutions to improve their information security posture,” but also notes that these changes to the Safeguards Rule merely expand on information security requirements that “should already be in place” at Title IV-participating postsecondary institutions and their third-party servicers.

After the updated requirements take effect on June 9, 2023, the Department will address any GLBA findings (whether identified through a compliance audit or other means) as part of the Department’s “final determination of an institution’s administrative capability.” The EA notes that any such findings will have “the same effect” on an institution’s Title IV participation as “any other determination of noncompliance.”

In addition, if the Department finds that an institution or third-party servicer has not complied with the Safeguards Rule, but no data breach has occurred — that is, the failure of safeguarding is purely internal — the EA states that the Department will require a Corrective Action Plan for remediation, along with deadlines for compliance. Repeated instances of noncompliance could result in “administrative action” by the Department, potentially including impacts to the Title IV participation of the institution or servicer.

Additional Data Security Controls Under NIST 800-171

To protect “controlled unclassified information” in non-federal information systems, and in connection with the Federal Information Security Management Act of 2002 (FISMA), the National Institute of Standards and Technology has promulgated the NIST 800-171 information security protocols. In the EA, the Department states that it “will issue guidance” on NIST 800-171 compliance in a future EA and encourages institutions to incorporate NIST 800-171 controls into their written IS program requirements. However, the Department also notes that these protocols are not synonymous with, and are no substitution for, GLBA compliance and the Safeguards Rule.

This summary should not be construed to constitute legal advice. For many higher education institutions, implementation of the updated Safeguards Rule will require coordination and alignment with other applicable privacy and data security requirements. Please do not hesitate to contact the authors if you have any questions regarding these or other education regulatory matters.