Nonprofit Resources

FTC Extends Compliance Deadline for Certain Provisions of the Safeguards Rule

On November 15, 2022, the Federal Trade Commission (FTC) announced that the deadline to comply with certain provisions of the updated Standards for Safeguarding Customer Information Rule (Rule) component of the Gramm-Leach-Bliley Act (GLBA) has been extended by six months from December 9, 2022, to June 9, 2023.

The Rule requires institutions to establish an information security program and supporting controls to protect customer information obtained in conjunction with providing financial services. For higher education institutions, this information is typically the personally identifiable information (PII) collected when providing financial aid.

While the updated Rule went into effect in January 2022, the FTC granted institutions more time to achieve full compliance with the clarified requirements. The six-month extension applies to the requirements to:

• Designate a single individual to oversee the institution’s information security program (as opposed to a committee)
• Enhance the written risk assessment to categorize risks and responses
• Limit and monitor access to sensitive customer information
• Implement multi-factor authentication (MFA) or a method with equivalent protection for any individual accessing customer information
• Encrypt all sensitive information
• Train security personnel
• Develop and document a formal incident response plan
• Create procedures to periodically assess the security practices of service providers
• Provide regular, written reports to the board

The FTC said it extended the compliance deadline after receiving reports “that there is a shortage of qualified personnel to implement information security programs and that supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems.”

For all specifics on the extension, please note that sections 314.4(a), 314.4(b)(1), 314.4(c)(1)–(8), 314.4(d)(2), 314.4(e), 314.4(f)(3), 314.4(h), and 314.4(i) have been extended to June 9, 2023.

Note, however, that the clarified requirements do not repeal the existing requirements agreed to by higher education institutions in their Program Participation Agreement (PPA). The PPA attests to compliance with GLBA, which means higher education institutions must:

• Develop, implement, and maintain a written information security program
• Designate employee(s) responsible for coordinating the information security program
• Identify and assess risks to customer information
• Design and implement safeguards
• Select appropriate service providers that are capable of maintaining appropriate safeguards
• Periodically evaluate and update their information security program

Auditors will continue to be required to audit compliance with GLBA as indicated in the Compliance Supplement, which is revised annually. The 2022 Compliance Supplement required auditing of the following components:

• Designate employee(s) responsible for coordinating the information security program
• Identify and assess risks to customer information
• Design and implement safeguards

It is important to ensure your institution achieves and maintains compliance with the updated requirements, which you can learn more about in our Revisiting GLBA: Important Updates article.

Please contact us with questions or to learn how we can assist you with GLBA compliance.

Sign up for e-news and alerts