FTC Strengthens Data Security Requirements Applicable to Institutions of Higher Education

Duane Morris 

January 6, 2022
The Federal Trade Commission (FTC) recently amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education.
The GLBA is a federal law enforced by the FTC that governs how financial institutions use and collect Personally Identifiable Information of their customers. The specific cybersecurity requirements of the GLBA are set forth in the Safeguards Rule. The U.S. Department of Education, via the Program Participation Agreement, several “Dear Colleague” letters, the FSA Handbook and the audit guide, has made it clear that Title IV schools are considered financial institutions and subject to the legal obligations to protect student information required under the GLBA. As such, Title IV schools must now meet these strengthened security requirements.
This is the first amendment to the Safeguards Rule. Previously, the rule contained general language requiring financial institutions (including schools) to develop, implement and maintain a comprehensive, written information security program containing administrative, technical and physical safeguards. The new Safeguards Rule sets forth specific criteria for what safeguards must be included in an information security program, i.e., security controls such as encryption (while in use and at rest) and multifactor authentication. The new Safeguards Rule provides schools with specific details on their obligations to protect consumer (student) financial information.