Tuesday, November 29, 2022
Federal Trade Commission Extends Deadline for Compliance with Safeguards Rule
On November 15, 2022, the Federal Trade Commission (“FTC”) announced that it has extended the deadline to comply with various aspects of the updated “Safeguards Rule” described in 16 C.F.R. Part 314. The new deadline for compliance is June 9, 2023.
The Safeguards Rule addresses the safeguards and protections that financial institutions are required to have in place to protect their consumer financial data and other sensitive information. The FTC considers institutions of higher education that participate in the federal student aid programs or that issue private loans and engage in debt collection activities to be financial institutions covered by the Safeguards Rule under the Gramm-Leach-Bliley Act (“GLBA”).
As we discussed in our December 22, 2021, Client Alert, the FTC revised the Safeguards Rule in October 2021, with some aspects of the rule taking effect on January 10, 2022. The FTC, however, originally gave institutions until December 9, 2022, to comply with certain provisions of the revised Safeguards Rule, including the following critical elements:
- designation of a qualified employee to oversee the institution’s information security plan;
- development of a written risk assessment;
- design and implementation of controls to limit access to consumer and other information, including encryption of sensitive information and multi-factor authentication;
- training for security personnel and other employees on cybersecurity matters;
- development of an incident response plan; and
- periodic assessment of security practices of service providers.
The FTC has determined that some financial institutions, particularly smaller ones, might not be able to comply with the new requirements by the original deadline. Therefore, all institutions now have an additional six months to take the necessary actions to come into compliance.
The U.S. Department of Education (“Department”) has continued to focus on cybersecurity and has emphasized that compliance with GLBA and data protection and security requirements is a vital aspect of an institution’s administrative capability. The Department issued an Electronic Announcement on December 18, 2020, that provides additional detail regarding the Department’s expectations for the protection of student information.
All institutions are strongly advised to take these enhanced information security requirements seriously. A comprehensive gap analysis to assess deficiencies in the current cybersecurity function and the implementation of changes to address deficiencies identified by the analysis are important elements of any compliance plan. It is imperative that institutions have the necessary policies, procedures, and protocols in place as soon as possible, and in any case no later than June 9, 2023.
Maynard attorneys are deeply knowledgeable about all aspects of the Safeguards Rule and GLBA compliance. We are available to advise and assist institutions with the development of a cybersecurity plan that meets their individualized needs and that satisfies FTC and Department requirements. Please let us know if we can be of assistance.
Maynard is a full-service firm with attorneys experienced in all regulatory and operational aspects of higher education, including federal and state oversight, accreditation, employee and benefits issues, and real estate concerns.
Roger Swartzwelder advises regionally and nationally accredited institutions of higher education, investors, and accrediting agencies regarding legal, administrative, regulatory, accreditation, transaction, and operational matters.
Brandon Sherman advises postsecondary institutions, accrediting agencies, and education investors on matters pertaining to federal financial aid eligibility, accreditation, cybersecurity, and Title IX.