9 steps for universities to comply with the FTC’s safeguards rule

Since June 2023, the Federal Trade Commission (FTC)’s updated Safeguards Rule (16 CFR § 314.4) has applied to higher education institutions’ student lending programs.

Originally aimed at banks, the Safeguards Rule requires covered organizations to develop an “information security program” to protect financial data. For universities and colleges, this means information relating to student loans.

The Safeguards Rule’s information security program might be challenging for some higher education institutions. However, working through the nine steps below will help reduce the risk of security breaches involving students’ financial data.

1. Designate a qualified individual

Under 16 CFR § 314.4 (a), a higher education institution must designate a “qualified individual” to oversee and implement its information security program.

Your qualified individual can be an internal or external appointment. If the qualified individual is an external appointment (through a service provider or one of your affiliates), you must:

• Designate a senior employee to oversee and direct the qualified individual.
• Require the qualified individual to maintain an information security program.

You are responsible for your compliance with the Safeguards Rule, regardless of whether your qualified individual is employed by you or a third party.

2. Conduct a risk assessment

16 CFR § 314.4 (b) requires the higher education institution to base its information security program on a risk assessment that identifies “reasonably foreseeable internal and external risks” to the security, confidentiality, and integrity of covered student information.

Your risk assessment must:

• Consider any risk that could lead to the “unauthorized disclosure, misuse, alteration, destruction, or other compromise” of covered student information, and
• Assess any safeguards in place to control these risks.

The risk assessment must be documented, and include:

• The criteria you’ll use to evaluate and categorize security risks.
• The criteria you’ll use to assess the confidentiality, integrity, and availability of your information systems and covered student information, including any existing controls.
• A description of how or whether you will mitigate and address the risks you identify.

The Safeguards Rule requires that you periodically perform “additional risk assessments” along the same lines as those described above.

3. Design and implement safeguards

Once you have identified risks via the risk assessment process above, 16 CFR § 314.4 (c) says that you must design and implement safeguards to control those risks.

The safeguards must include:

• Access controls
• Data and device management
• Encryption of all covered student information, where feasible, both in transit and at rest
• Secure software development practices
• Multi-factor authentication (MFA), or another equivalent or stronger access control if recommended by your qualified individual
• Data retention and deletion processes
• Change management procedures
• Activity logs

4. Test and review your safeguards

Once you’ve identified your risks and implemented your safeguards, 16 CFR § 314.4 (d) states that you must “regularly test or otherwise monitor the effectiveness” of the safeguards.

Your tests must detect “actual and attempted attacks on, or intrusions into, information systems” and include continuous monitoring or periodic penetration testing and vulnerability assessments.

If you do not implement “effective continuous monitoring”, you must conduct:

• Annual penetration testing, and
• Vulnerability assessments to detect publicly-known security vulnerabilities:
  • Every six months, and
  • Whenever there are material changes to your business arrangements or other circumstances that could impact your information security program.