Department of Education to Enforce Revised Cybersecurity Requirements

Duane Morris

February 17, 2023
The Department of Education has issued an electronic notice relating to the updated cybersecurity regulations published by the Federal Trade Commission (FTC). On December 9, 2021, the FTC amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education and servicers. Any finding of noncompliance with the updated rules will be resolved by the Department as part of its final determination of an institution’s administrative capability. GLBA-related findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of noncompliance. Additionally, if the office of Federal Student Aid (FSA) cybersecurity team determines the institution poses a substantial security threat, it may temporarily or permanently disable the institution’s access to FSA application systems.
Background
The new Safeguards Rule provides financial institutions with specific details on their obligations to protect consumer (student) financial information. The GLBA is a federal law enforced by the FTC that governs how financial institutions use and collect personally identifiable information of their customers. The cybersecurity requirements of the GLBA applicable to institutions of higher education and servicers are set forth in the Safeguards Rule. The U.S. Department of Education, via the program participation agreement, several “Dear Colleague” letters, the FSA Handbook and the audit guide, has made it clear that Title IV schools are considered financial institutions and subject to the legal obligations to protect student information required under the GLBA and Safeguards Rule. As such, Title IV schools and servicers must now meet these strengthened security requirements.
