Oct 17 2019

EDUCAUSE 2019: Higher Ed Organizations Advocate for Clarity and Context in Data Security Regulations

Policy advisers outline EDUCAUSE’s positions on Safeguards Rule revisions.

Public policy experts Jarret Cummings and Katie Branson presented “Higher Education and IT Policy, 2019: Developments and Directions” on Wednesday at the annual EDUCAUSE Conference in Chicago, updating attendees about pending developments in information security and accessibility.

Cummings is the EDUCAUSE senior adviser for policy and government relations, and Branson is a senior associate at EDUCAUSE consultants Ulman Public Policy.

One pending piece of legislation, the “long overdue” reauthorization of the Higher Education Act, Branson said, likely will not occur until after the 2020 presidential election.

“Even before recent events, it was highly unlikely the White House and Congress were going to pass any major legislation before the 2020 elections,” she said. “Now, with impeachment formally in the air, nothing is likely to pass that doesn’t have to.” 

Higher Ed Allies Propose Revisions to Safeguards Rule Updates

Another issue of interest to the EDUCAUSE community, Cummings said, is proposed changes to the Federal Trade Commission’s Safeguards Rule, which requires financial institutions to put safeguards in place to protect consumer information. It applies to colleges because of their role in handling student loans and financial aid.

While the rule already requires a comprehensive, risk-based information security program, the FTC earlier this year called for a series of revisions that EDUCAUSE believes would “dramatically impact the degree of discretion and flexibility colleges have under the rule,” said Cummings.

Among other proposals, he said, colleges would have to appoint someone to the role of CISO (regardless of actual title); encrypt data related to customer information, in transit and at rest; and for any applications handling data, perform continuous security monitoring or annual penetration testing accompanied by a biannual vulnerability assessment. 

Of particular concern, said Cummings, is the six-month compliance deadline.

He also pointed to the FTC’s definition of “small institutions,” which, as defined in the proposed changes, doesn’t translate well in a higher education context and thus could have a negative impact on potential exemptions. 

“We would be concerned that small colleges and universities that should be entitled to those exemptions would not have access to them,” he said.

In addition, Cummings said, the FTC was not specific enough about the information to which the requirements would apply, leaving open the possibility of “scope creep,” and many of the provisions fail to account for cloud services — now ubiquitous in higher education — which could create barriers to compliance. 

Accordingly, said Cummings, EDUCAUSE has joined with the American Council on Education and other allies to file a response to the proposal. They have asked for a two-year compliance deadline, with a one-year deadline to create a compliance plan, and for “small institutions” to be defined in a way that would more effectively protect their exemption status.

Finally, they have asked for revisions that better define the scope of the rule and account for the limited control and access to information that may apply to cloud services.

EDUCAUSE is also paying attention to an ongoing information security compliance issue involving the Department of Education’s Federal Student Aid Program, Branson said, and has formed a member working group to develop recommendations.

This matter, which also involves the FTC Safeguards Rule, relates to steps institutions must take in regard to data breaches or suspected breaches. EDUCAUSE has requested more clarity on these requirements and is interested in working more closely with FSA to develop them.

“Both sides have recognized that it makes sense for us to talk about and share our views and perspectives concerning what guidelines and information would be helpful to institutions,” Cummings said.

The FSA plans to discuss that collaborative model at its December meeting, said Branson.

Proposed Aim High Act Again Seeks Support in Congress

Finally, EDUCAUSE continues to work to advance federal legislation on voluntary guidelines for accessibility materials and technologies, Branson said. 

As part of that work, the organization and partners developed the Aim High Act. It was introduced in the House and Senate in the last Congress, and EDUCAUSE’s policy team is working to get it reintroduced in this Congress.

One change in the legislation, she said, is the addition of provisions that would address voluntary guidelines for pilot testing and provide more effective incentives for institutions to comply with the accessibility guidelines.
