EASFAA Annual Conference Portland, ME May 6, 2019

Presentation transcript:

Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) – 15 years+ of Compliance EASFAA Annual Conference Portland, ME May 6, 2019 Copyright © Cooley LLP, 3175 Hanover Street, Palo Alto, CA 94304. The content of this packet is an introduction to Cooley LLP’s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.

What We’ll Cover Today History of Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule Application of GLBA to Institutions of Higher Education (“IHL”) Impact of GLBA Compliance on Institutions of Higher Education operations Recent Legislative Activity Cybersecurity Audit Plan Impact of Changes on Institutions of Higher Education (“IHL”)

Overview of GLBA

Gramm-Leach-Bliley Act (Public Law 106-102) Financial Services Modernization Act of 1999. Original purpose of the law: Allow different types of financial institutions to merge. Resulting financial institutions have access to large amounts of consumer information. The Act includes rules on how financial institutions are required to protect consumer financial information.

Gramm-Leach-Bliley Act - Financial Institution “Financial Institution” Defined GLBA states that entities are considered “financial institutions” if they are engaged in “activities [that are] financial in nature” under Section 4(k) of the Bank Holding Company Act and regulations established by the Federal Reserve Board. GLBA applies to higher education institutions because colleges and universities participate in certain types of financial activities that are defined in banking law. Financial Activities: Administering federal student loans, servicing private education loans, debt collection and the general financial relationship with students, donors and others.

Gramm-Leach-Bliley Act (Public Law 106-102) Three Sections of Gramm-Leach-Bliley Financial Privacy Rule: Regulates the collection and disclosure of private financial information. Safeguards Rule: Stipulates that financial institutions must implement security programs to protect personal nonpublic information in their custody or control. Pretexting provisions: Prohibit the practice of pretexting (accessing private information using false pretenses).

GLBA – Financial Privacy Rule Oversight of GLBA is shared by many agencies (SEC, CFPB, FDIC, NAIC). The Federal Trade Commission (“FTC”) oversees compliance with the Privacy Rule and Safeguards Rule for non-banking and non-Securities and Exchange Commission regulated entities. Through regulation, in the implementation of the Privacy Rule, the FTC states that colleges and universities are deemed to be in compliance with the rule if they are in compliance with the Family Educational Rights and Privacy Act (“FERPA”). “Any institution of higher education that complies with the Federal Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.”

GLBA – Safeguards Rule (May 2002) The FTC issued the Safeguards Rule in May 2002. Financial institutions were required to implement the Safeguards Rule by May 23, 2003. All financial institutions MUST have GLBA safeguards in place that: (1) Ensure the security and confidentiality of customer records and other information. (2) Protect against any anticipated threats or hazards to the security or integrity of customer data. (3) Protect against unauthorized access to or use of customer data, which could result in substantial harm or inconvenience to customers.

GLBA – Safeguards Rule (May 2002) Data Security Obligations Information security program: Financial institution must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the [institution's] size and complexity, the nature and scope of [institutional] activities, and the sensitivity of any customer information at issue (See 16 C.F.R. Part 314)

Required Elements of Information Security Program Designate an employee or employees to coordinate the institution's information security program. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of customer information. Must conduct a thorough risk analysis that identifies technical, physical, and administrative risks and vulnerabilities. The risk assessment should include consideration of risks in each relevant area of the institution's operations.

Required Elements of Information Security Program Relevant area of the institution's operations for risk assessment: (1) Employee training and management; (2) Information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) Detection and prevention of and response to attacks, intrusions, or other systems failures.

Required Elements of Information Security Program Based on this risk assessment, the institution should design and implement a comprehensive data security plan that reasonably addresses the identified technical, physical, and administrative risks and vulnerabilities. The institution should review existing third-party agreements for vendors that have access to sensitive data (including, but not limited to, student data) to ensure that the contractual obligations provide reasonable data security protections. Such obligations should also be included in all future vendor agreements/contracts. The information security program should include procedures for communication and training for impacted employees detailing relevant obligations and duties.

Required Elements of Information Security Program Develop a process for routinely monitoring, evaluating, and revising the plan (and communicating updates to impacted employees). This process should take into account the changing nature of likely threats and available protective technologies. Develop, implement, and test a response plan for unauthorized disclosure of sensitive data (i.e. data breaches).

Recent Activity

U. S. Department of Education Guidance 2015: The US Department of Education (ED) incorporated GLBA Safeguards Rule compliance into its Title IV Program Participation Agreement (PPA). Provisions Terms and Conditions item 3(f): “The Standards for Safeguarding Customer Information, 16 CFR Part 314, issued by the Federal Trade Commission (FTC), as required by the Gramm-Leach-Bliley (GLB) Act, P.L. 106-102. These Standards are intended to ensure the security and confidentiality of customer records and information. The Secretary considers any breach to the security of student records and information as a demonstration of a potential lack of administrative capability as stated in 34 CFR 668.16(c). Institutions are strongly encouraged to inform its students and the Department of any such breaches.”

U. S. Department of Education Guidance July 29, 2015 Dear Colleague Letter – GEN-15-18: Protecting Student Information ED stated that its “expectation is that all [Title IV institutions] will quickly assess and implement strong security policies and controls and undertake ongoing monitoring and management for the systems, databases, and processes that support all aspects of the administration of the [Title IV programs]”. Reminds institutions of their FERPA and GLBA obligations. References the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must “ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.”

U. S. Department of Education Guidance July 29, 2015 Dear Colleague Letter – GEN-15-18: Protecting Student Information SAIG Enrollment Agreement – Primary Destination Point Administrator (Primary DPA) “Must ensure that all users are aware of and comply with all of the requirements to protect and secure data from Departmental sources using SAIG.” SAIG Attachment B: Federal Student Aid User of Electronic Services Statement “The user understands that the information provided by the U.S. Department of Education is protected by the Privacy Act of 1974, as amended. Protecting this information, once it is entrusted to the user, becomes his or her responsibility. Therefore, the user agrees to protect the privacy of all information provided to him or her by the U.S. Department of Education.”

U. S. Department of Education Guidance July 29, 2016 Dear Colleague Letter – GEN-16-18: Protecting Student Information (cont’d) Reminder to institutions of their obligations to protect student information: SAIG Agreement requirements. Program Participation Agreement (“PPA”) that each institution signs in order to participate in the Title IV Programs. GLBA Requirements. Highlights that “important information related to cybersecurity protection is included in the National Institute of Standards and Technology (NIST) Special Publication 800-171”.

U. S. Department of Education Guidance July 29, 2016 Dear Colleague Letter – GEN-16-18: Protecting Student Information (cont’d) GLBA security controls will be incorporated in the 2018 Single Audit Compliance Supplement and Audit Guide. Beginning in 2019*, GLBA security safeguards will be audited to assess institutional compliance and administrative capability. The Department will require the examination of evidence of GLBA compliance as part of an institution’s annual student financial aid audit.

U. S. Department of Education Guidance Draft Audit Language Audit Objectives: Determine whether the IHE designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) and documented safeguards for identified risks. Suggested Audit Procedures: Verify that the IHE has designated an individual to coordinate the information security program. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4 (b). Obtain the documentation created by the IHE that aligns each safeguard with each risk identified from step b above, verifying that the IHE has identified a safeguard for each risk.

U. S. Department of Education Guidance At the Nov-Dec 2017 Department of Education FSA Training and Conference, ED announced that it would be requiring institutions of higher education to report any security breach of personally identifiable information. The Department is taking this position under its authority per the institution’s Title IV Program Participation Agreements (which include Gramm-Leach-Bliley Act commitments) and Student Aid Internet Gateway agreements.

U. S. Department of Education Guidance The Student Aid Internet Gateway (SAIG) Agreement requires that, as a condition of continued participation in the federal student aid programs, IHLs report actual data breaches as well as suspected data breaches. IHLs must report on the day that a data breach is detected or even suspected. The U.S. Department of Education (the Department) has the authority to fine institutions (up to $54,789 per violation per 34 C.F.R. § 36.2) that do not comply with the requirement to self-report data breaches.

Federal Activity

Federal Trade Commission August 29, 2016: the FTC sought public comment on the Safeguards Rule (“the Rule”) during its periodic review of regulations and guidelines. Issues included: - Economic impact and benefits of the Rule. - Conflicts between the Rule and state, local or other federal laws or regulations. - Effect on the Rule of any technological, economic or other industry changes. - Addition of more specific requirements for information security programs to the Rule. - Whether the Rule should require the inclusion of an incident response plan.

Federal Trade Commission August 29, 2016: the FTC public comment issues, continued: - Whether the Rule should reference or incorporate any other information security standards or framework, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standard; - Whether the Rule should contain its own definition of “financial institution” rather than cross-reference the definition set forth in the Privacy Rule; - Whether the definition of “financial institution” should be expanded.

Federal Trade Commission April 4, 2019: the FTC published a Notice of Proposed Rulemaking (NPRM) on possible changes to the Safeguards Rule. Deadline for public comment: June 3, 2019. The proposed rules significantly expand the information security requirements that organizations covered by the Safeguards Rule must meet. Covered organizations would have to comply with the numerous additional provisions within six months of the FTC finalizing them. The proposed changes eliminate flexibility and seek to impose specific requirements that the information security program must meet.

FTC Proposed Changes Requires each covered entity to: Have "a qualified individual responsible for overseeing and implementing the information security program and enforcing the information security program". The proposed regulations identify this position as the chief information security officer, “CISO”, but covered entities would not have to designate their lead information security administrators as CISOs. Base its security program on a risk assessment that specifically delineates the criteria for categorizing risks and assessing the capability of institutional systems to address them, as well as how identified risks will be mitigated, accepted, or otherwise managed. Institutions would also have to conduct additional risk assessments periodically. Specific elements must be incorporated in the safeguards of the information security program

FTC Proposed Changes – Required Elements Information system controls that allow only authorized individuals to access customer information; Controls on access to physical locations that contain customer information to limit access to authorized individuals; Identification and management of relevant "data, personnel, devices, systems, and facilities" based on their relative importance and risk to business operations; Encryption of all customer information held or transmitted by the institution, both "at rest" and "in transit over external networks" (unless the CISO approves alternative controls based on the infeasibility of encryption); Use of secure development practices for any internally developed apps, and security testing procedures for any externally developed apps utilized to "transmit, access, or store customer information"; Multifactor authentication for any individual accessing customer information (unless the CISO approves in writing "the use of reasonably equivalent or more secure access controls");

FTC Proposed Changes – Required Elements "Audit trails within the information security program designed to detect and respond to security events"; Procedures for the secure disposal of customer information "in any format" once it is no longer needed for any legitimate business purpose (unless retention is required by law or "targeted disposal" is infeasible); Change management procedures; and Monitoring of authorized users on relevant systems to detect unauthorized access and/or tampering with customer information.
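Of the required elements listed above, the audit trail and the monitoring of authorized users are the ones that translate most directly into code. As an added illustration (not from the slides, the FTC rule, or Cooley LLP), the Python below keeps an HMAC-chained audit trail of customer-record accesses, so that an edited, removed or re-keyed entry is detected by the verifier, and runs a small monitor over that trail that flags accesses by users outside the authorized set, bulk record access above a threshold, and after-hours activity by authorized users. The key, the user names, the thresholds and the access events are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed key for the example only. In a real deployment the log server holds the
# key (e.g. in a secrets manager); users whose actions are recorded must not be able to
# read it, or they could re-MAC the chain after editing it.
DEMO_LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # stands in for the "previous MAC" of the very first entry

# Constructed set of staff authorised to access customer (student) records.
AUTHORIZED_USERS = {"fa_clerk1", "fa_clerk2", "fa_clerk3"}


def _bulk_reads(user, first_id, count, ts):
    """Constructed helper: one user reading `count` consecutive student records."""
    return [{"ts": ts, "user": user, "action": "read", "record": f"student-{first_id + i}"}
            for i in range(count)]


# Constructed access events (ISO-8601 timestamps, local campus time).
SAMPLE_EVENTS = [
    {"ts": "2019-05-06T09:01:00", "user": "fa_clerk1", "action": "read", "record": "student-1001"},
    {"ts": "2019-05-06T09:02:00", "user": "fa_clerk1", "action": "read", "record": "student-1002"},
    {"ts": "2019-05-06T09:03:00", "user": "fa_clerk2", "action": "update", "record": "student-1003"},
    {"ts": "2019-05-06T11:00:00", "user": "contractor9", "action": "read", "record": "student-1200"},
    {"ts": "2019-05-06T23:15:00", "user": "fa_clerk2", "action": "read", "record": "student-1004"},
] + _bulk_reads("fa_clerk3", 1005, 60, "2019-05-06T10:30:00")


def _canon(obj):
    """Canonical JSON so that the same entry always produces the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, seq, prev, event):
    """HMAC-SHA256 over the sequence number, the previous MAC and the event itself."""
    return hmac.new(key, _canon({"seq": seq, "prev": prev, "event": event}), hashlib.sha256).hexdigest()


def append_event(trail, key, event):
    """Append one event; its MAC covers the previous MAC, which chains the entries."""
    prev = trail[-1]["mac"] if trail else GENESIS
    seq = len(trail)
    entry = {"seq": seq, "prev": prev, "event": event, "mac": _mac(key, seq, prev, event)}
    trail.append(entry)
    return entry


def build_trail(events, key):
    trail = []
    for event in events:
        append_event(trail, key, event)
    return trail


def verify_trail(trail, key):
    """Return -1 if the chain is intact, else the index of the first bad entry.

    An edited event changes its MAC; a deleted entry breaks the seq/prev links of the
    entry that follows; a wrong key fails on the first entry.
    """
    prev = GENESIS
    for i, entry in enumerate(trail):
        expected = _mac(key, entry["seq"], entry["prev"], entry["event"])
        if entry["seq"] != i or entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def find_anomalies(trail, authorized_users, max_records_per_user=50, business_hours=(8, 18)):
    """Monitor the trail: unauthorized users, after-hours access, and bulk record access."""
    unauthorized, after_hours = [], []
    records_seen = defaultdict(set)  # user -> distinct records touched
    for entry in trail:
        ev = entry["event"]
        if ev["user"] not in authorized_users:
            if ev["user"] not in unauthorized:
                unauthorized.append(ev["user"])
            continue
        hour = int(ev["ts"][11:13])
        if not business_hours[0] <= hour < business_hours[1]:
            after_hours.append((ev["user"], ev["ts"]))
        records_seen[ev["user"]].add(ev["record"])
    bulk = {user: len(recs) for user, recs in records_seen.items() if len(recs) > max_records_per_user}
    return {"unauthorized": unauthorized, "after_hours": after_hours, "bulk": bulk}


if __name__ == "__main__":
    trail = build_trail(SAMPLE_EVENTS, DEMO_LOG_KEY)
    print("chain intact:", verify_trail(trail, DEMO_LOG_KEY) == -1)
    print(find_anomalies(trail, AUTHORIZED_USERS))
```

The chain only proves integrity to someone who holds the key; to make the trail verifiable by an auditor who should not be able to forge entries, the same chaining can be done with a digital signature per entry, or the periodic chain head can be published to a write-once store.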

FTC Proposed Changes Implement either continuous monitoring of relevant information systems for attacks or intrusions, or annual penetration testing with biannual vulnerability assessments, again using their risk assessments as a guide. Mandates specific personnel policies, including: a) Security awareness training based on the institutional risk assessment; b) Use of "qualified information security personnel" to execute the information security program; c) Security updates and training for the institution's information security personnel; and d) Verification that information security personnel are maintaining "current knowledge of changing information security threats and countermeasures."

FTC Proposed Changes Develop a written plan for security incident response that specifically identifies: The plan's goals; a) The institution's internal response processes, with clear definitions of roles, responsibilities, and decision-making authority; b) Provisions for internal and external communications/information sharing; c) Requirements for remediation of any identified vulnerabilities in systems/controls; d) Requirements for documenting and reporting on incidents and response activities; and e) Procedures for post-incident review and revision of the response plan

FTC Proposed Changes CISO to report annually to the institution's governing board about its information security program; that report must specifically address: 1) The status of the program and the institution's compliance with the rule; and 2) "Material matters" such as risk assessment/management/control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for program changes.

FTC Proposed Changes - Exemptions Covered entities that maintain customer information for fewer than five thousand consumers, exempt from: 1) Written risk assessment, 2) Continuous monitoring or penetration testing/vulnerability assessment, 3) The written incident response plan, and 4) Annual governing board reporting.

Institutional Readiness Evaluate and document current campus compliance with the Safeguards Rule. Designate an employee or employees to coordinate the information security program. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

Institutional Readiness Risk assessment should include consideration of risks in each of the following operational areas: 1) Employee training and management, 2) Information systems, including network and software design as well as information processing, 3) Storage, transmission, and disposal, and 4) Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Institutional Readiness Design and implement information safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures. Oversee service providers by taking steps to select and retain providers that are capable of maintaining appropriate safeguards for customer information. Contractually require service providers to implement and maintain such safeguards.

Institutional Readiness Periodically evaluate and adjust the information security program, based on the results of the testing and monitoring mentioned above, any material changes to operations, or any other circumstances that are known to have or that may have a material impact on the information security program.

Resources Federal Register Federal Trade Commission Proposed Safeguards Rules https://www.federalregister.gov/documents/2019/04/04/2019-04981/standards-for-safeguarding-customer-information FERPA FAQ: http://www2.ed.gov/policy/gen/guid/fpco/faq.html Regulations: FERPA - http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=11975031b82001bed902b3e73f33e604&rgn=div5&view=text&node=34:1.1.1.1.33&idno=34 Distance Learning - http://www.ecfr.gov/cgi-bin/text-idx?SID=d47a835cb32d5c5042ac596901473db3&node=se34.3.602_117&rgn=div8

Resources IFAP – Cybersecurity Compliance Information Page https://ifap.ed.gov/eannouncements/Cyber.html The page includes links to: GLBA, FTC Red Flags, FERPA, State Privacy Laws and International regulations for data security and privacy mandatory requirements; Tools to assist in cybersecurity compliance (NIST 800-171, IHE Compliance Framework, Cybersecurity Self-Assessment Tool, etc.); Report a Breach; ED-SOC Contact Information, Information Alerts, Training and Conference presentations, ED references and guidance for cybersecurity.

Resources Privacy Technical Assistance (PTAC) https://nces.ed.gov/programs/ptac/ The Privacy TA Center is a “one-stop” resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems. Protecting Student Privacy https://studentprivacy.ed.gov/ A service of the Privacy TA Center and the Family Policy Compliance Office.

Resources HIPAA HHS HIPAA page: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html State data breach laws http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx Governance NIST Cybersecurity Framework http://www.nist.gov/cyberframework/

Questions? Marjorie Arrington marrington@cooley.com 202-776-2062