Dive Brief:
- A proposal to tighten data security rules — out for comment through August 2 — could make compliance more restrictive for colleges.
- The Federal Trade Commission (FTC) is proposing expansive changes to the Safeguards Rule, which is part of its duties under the Gramm-Leach-Bliley Act (GLBA) and requires funds-disbursing institutions to secure financial information such as names and Social Security numbers.
- The GLBA already requires colleges to protect this data, but the regulations could compel them to take specific, codified steps to do so.
Dive Insight:
Since 2016, when the FTC first brought up changes to the Safeguards Rule, higher ed stakeholders have urged the commission to ensure the flexibility and autonomy colleges currently enjoy under the rule aren't replaced with an all-encompassing IT diktat. Those stakeholders include the National Association of College and University Business Officers (NACUBO), the American Council on Education and Educause, a higher ed information technology association.
Under the proposed changes, colleges would have six months to meet requirements such as expanding data encryption and access control and implementing multifactor authentication to access student data.
Higher ed stakeholders say a problem with the proposal is that it treats colleges as financial institutions. That's because, under the GLBA, colleges getting Title IV funds disburse loans and grants like financial institutions do. But Educause and NACUBO say colleges are such institutions only in a narrow and technical sense — and unlike financial institutions, each one of them is different.
"If you know one college or university you know (just) one college or university," Megan Schneider, senior director of government affairs at NACUBO, told Education Dive.
Additionally, the six months allotted for compliance is not sufficient, said Jarret Cummings, senior policy advisor at Educause, in an interview with Education Dive.
"Colleges' networks and systems environments are fairly diverse, unlike that of a traditional funds-dispensing institution," he said. Although the systems conduct administrative and operations functions, they do so as part of "a much more diverse IT environment" that includes academics, research, teaching and learning, he added.
Educause also has an issue with what it says is an overly broad definition of where within an institution the rule changes would apply. For instance, it argues, measures like data encryption and continuous monitoring of authorized users can't be applied across the board to every system on campus.
"Given the goal of academic freedom, sweeping changes like this have to be approached very carefully so the institution's main mission, academics, isn't affected," Cummings said.
Any cybersecurity changes should be clearly defined as pertaining to customer information, he added. In this case, a student is a customer of the institution, akin to an account holder at a financial institution.
A requirement for a single person to monitor cybersecurity at the institution is also problematic, critics say. Because a college isn't a financial institution, according to Educause, requiring it to have one individual to monitor all cybersecurity is impractical. The shortage of cybersecurity professionals, particularly in rural areas, will also prove challenging.
"A team-based approach is more appropriate, and the institution must be able to leverage multiple cybersecurity leaders within itself," Cummings said.
Some observers say the FTC's changes are valid, citing the need for data security as records are increasingly digital.
"The (chief financial officer) and business office direct the electronic transfer of funds. Admissions and financial aid staff collect data. Registrars maintain data. Faculty and staff submit and have access to data. Parents and students submit data," wrote law firm CapinCrouse in a note on its website last year pertaining to the rule change. "Everyone should be concerned with data security."
NACUBO's Schneider argues that colleges are already protecting sensitive data in a way that's tailored to their needs. "If anyone is aware of the need for protecting data it is colleges and universities, they are very aware," she said.