U.S. Department of Education Issues a Summary of Cybersecurity Updates Required by the GLBA Safeguards Rule
The U.S. Department of Education (“Department”) last week issued an Electronic Announcement summarizing the updates that institutions must make to their cybersecurity and data protection policies and procedures in order to comply with the “Safeguards Rule” as amended by the Federal Trade Commission (“FTC”) in late 2021. The Safeguards Rule is a critical element of the consumer data protection requirements addressed in the Gramm-Leach-Bliley Act (“GLBA”), compliance with which is mandated in each institution’s Program Participation Agreement. Our November 29, 2022, Client Alert reported that the FTC extended the deadline for compliance with the revised Safeguards Rule to June 9, 2023, and the Department confirms that it will begin to enforce the new Safeguards Rule as of that date.
The Electronic Announcement includes numerous links to FTC and Department documents and guidance regarding the Safeguards Rule in particular and data protection in general. We also provided useful information in our December 22, 2021, Client Alert and our November 29, 2022, Client Alert.
The Department also noted that it plans to issue a future Electronic Announcement providing guidance regarding eventual compliance with the NIST SP 800-171 data security requirements. In the meantime, the Department again encouraged institutions to review these requirements and begin preparing for compliance.
As we noted in our earlier Client Alerts, all institutions and third-party servicers are strongly advised to take these enhanced information security requirements seriously. A comprehensive gap analysis to assess deficiencies in the current cybersecurity function and the implementation of changes to address deficiencies identified by the analysis are important elements of any compliance plan.
It is imperative that institutions and servicers have the necessary policies, procedures, and protocols in place as soon as possible, and in any case no later than June 9, 2023. A finding of noncompliance with any element of the Safeguards Rule in a compliance audit or by any other means will cause the Department to question an institution’s administrative capability and potentially to impose restrictions on continued participation in the Title IV programs or take other administrative actions.
Maynard Cooper lawyers are deeply knowledgeable about all aspects of the Safeguards Rule, GLBA compliance, and NIST SP 800-171 requirements. We are available to advise and assist institutions with the development of a cybersecurity plan that meets their individualized needs and that satisfies FTC and Department requirements. Please let us know if we can be of assistance.
# # #
Maynard is a full-service firm with attorneys experienced in all regulatory and operational aspects of higher education, including federal and state oversight, accreditation, cybersecurity, employee and benefits issues, and real estate concerns.
Roger Swartzwelder advises regionally and nationally accredited institutions of higher education, investors, and accrediting agencies regarding legal, administrative, regulatory, accreditation, transaction and operational matters.
Brandon Sherman advises postsecondary institutions, accrediting agencies, and education investors on matters pertaining to federal financial aid eligibility, accreditation, cybersecurity, and Title IX.