
Department of Education to Enforce Revised Cybersecurity Requirements

February 17, 2023


The Department of Education has issued an electronic notice relating to the updated cybersecurity regulations published by the Federal Trade Commission (FTC). On December 9, 2021, the FTC amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This comprehensive amendment updated data security requirements for financial institutions, which include all Title IV institutions of higher education and their servicers. Any finding of noncompliance with the updated rule will be resolved by the Department as part of its final determination of an institution’s administrative capability, and GLBA-related findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of noncompliance. Additionally, if the Federal Student Aid (FSA) cybersecurity team determines that an institution poses a substantial security threat, it may temporarily or permanently disable the institution’s access to FSA application systems.

Background

The new Safeguards Rule provides financial institutions with specific details on their obligations to protect consumer (student) financial information. The GLBA is a federal law enforced by the FTC that governs how financial institutions collect and use personally identifiable information of their customers; the cybersecurity requirements applicable to institutions of higher education and servicers are set forth in the Safeguards Rule. The U.S. Department of Education, via the program participation agreement, several “Dear Colleague” letters, the FSA Handbook and the audit guide, has made it clear that Title IV schools are considered financial institutions and are subject to the legal obligations to protect student information under the GLBA and the Safeguards Rule. As such, Title IV schools and servicers must now meet these strengthened security requirements.

What Has Changed?

Previously, the rule contained only general language requiring financial institutions (including schools) to develop, implement and maintain a comprehensive, written information security program containing administrative, technical and physical safeguards. The new Safeguards Rule sets forth specific criteria for what safeguards must, at a minimum, be included in an information security program. These new requirements include:

  • Designating a single “qualified individual” responsible for overseeing and implementing the information security program
  • A written risk assessment
  • A written incident response plan
  • Specific controls for the information security program, including encryption, multifactor authentication, data retention and disposal, access controls, asset inventories and change management procedures
  • Regular monitoring and testing of the safeguards
  • Security training and personnel qualification requirements
  • Oversight of service providers

While these requirements were initially set to be effective December 6, 2022, the FTC extended the date to June 6, 2023. You can find a detailed description of these new requirements in our previous Alert.

How Does the Department Plan to Enforce These New Requirements?

Noncompliance with the GLBA and the Safeguards Rule is typically identified either through the annual compliance audit or in connection with a data breach. Currently, the audit guide requires auditors to confirm compliance with the GLBA and that institutions and servicers have: (1) designated an individual to coordinate the information security program; (2) performed a risk assessment that addresses the three areas required by the Safeguards Rule (employee training and management; information systems, including network and software design and information processing, storage, transmission and disposal; and detecting, preventing and responding to attacks, intrusions or other systems failures); and (3) documented a safeguard for each identified risk. There is a good chance that the audit guide will be amended this year to reflect the additional security requirements of the updated Safeguards Rule. Any audit findings are reported to the FTC and to the FSA cybersecurity team for further review and potential investigation.

Any GLBA findings identified through a compliance audit or any other means after the effective date of the new Safeguards Rule will be resolved by the Department as part of its final determination of an institution’s administrative capability. GLBA-related findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of noncompliance.

In cases where no data breach has occurred and security systems have not been compromised, the Department will require the institution or servicer to develop and/or revise its information security program and to provide the Department with a corrective action plan setting time frames for coming into compliance with the Safeguards Rule. Repeated noncompliance may result in an administrative action by the Department, which could affect the institution’s or servicer’s participation in the Title IV programs.

Enforcement in cases where there has been a data breach and/or system compromise was not addressed in this notice. However, the Department has previously stated that the FSA cybersecurity team will investigate each breach. If the cybersecurity team determines that the institution poses a substantial security threat, it may temporarily or permanently disable the institution’s access to FSA application systems.

NIST SP 800-171 Standards

The Department reminds institutions once again that it will be issuing guidance on NIST SP 800-171 compliance in a future electronic alert. The Department has been advising institutions for several years that they should be working toward compliance with these more rigorous security standards, and in December 2021 it announced that it would soon be requiring and enforcing compliance as part of its new Campus Cybersecurity Program.

Next Steps for Title IV Schools and Servicers

If they have not already done so, institutions and servicers should work with their legal counsel and cybersecurity experts to ensure compliance with the Safeguards Rule before June 6, 2023, and should work diligently toward compliance with NIST SP 800-171 in preparation for the launch of those requirements.

For More Information

If you have any questions related to this Alert, please contact Michelle Hon Donovan, Jessica S. High, any of the attorneys in the Education Industry Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.