My NacuboWhy Join: Benefits of Membership

E-mail:   Password:   

 Remember Me? | Forgot password? | Need an online account?

Business and Policy Areas
Business and Policy Areas

NACUBO and EDUCAUSE Comment on Proposed Changes to FTC Safeguards Rule

November 9, 2016

In early September the Federal Trade Commission (FTC) solicited comments on changes it proposed to the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA), revisiting privacy protections for consumers. The GLBA take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. While the GLBA focuses primarily on the banking and financial services industry, the role that colleges and universities play as loan intermediaries in the financial aid process brings them under the scope of the Safeguards Rule. 

While EDUCAUSE and NACUBO were generally unopposed to many of the proposed updates to the rule, the associations submitted a comment letter to discuss a few potential changes that aroused concern. Specifically, the FTC proposed incorporating a specific governing information security standard such as the National Institute of Standards and Technology's Cybersecurity Framework. The commission also proposed adding specific and prescriptive requirements for information security plans that would include set standards for a response plan in the event of a security breach. 

In response to these proposals, EDUCAUSE and NACUBO urged the FTC to keep in mind that in a sector with actors as diverse as those in higher education, context- and standards-based approaches to information security programs are critical to ensure that each institution is able to develop a plan that best meets its individual needs. The flexibility of the current Safeguards Rule allows it to effectively regulate institutions of all sizes and missions that have information security needs of varying degrees of complexity and scope. EDUCAUSE and NACUBO expressed concerns that a shift to a "one-size-fits-all" regulatory approach would require institutions to abandon plans that work well for their needs in favor of plans that comply with regulations but are not individually tailored to their campuses.

Additionally, the organizations stated that the proposed changes may cause the rule to overlap and potentially conflict with existing state and federal information security regulations.


Megan Schneider
Assistant Director, Federal Affairs