This post begins my series unpacking the FTC Safeguards Rule based on what I’ve read and learned these past nine months. Because there are so many changes, this will be a long series of posts. I plan to intersperse posts on other topics, since a long run of FTC posts will get pretty dry.
Definitions
One of the foundational changes to the rule is a set of additional, more specific definitions. With all things regulatory, the definitions set the foundation or framework that greatly influences how you interpret the regulation. And because this rule was written with financial institutions such as lenders in mind, it can be challenging to adapt these definitions to higher education. I’ll share how I’ve come to interpret them and what I’m hearing from other schools.
Consumers, Customers, Authorized Users
Many of the definitions relate to each other or stack, which I find fun, as this becomes a sort of logic puzzle. You begin with a consumer, which “means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” This could initially be interpreted as a student, since they are borrowing for their education. However, parents often co-sign, so now we should consider parents consumers too. Next up is the customer, which “means a consumer who has a customer relationship with you.” And now we’re into the chain of definitions. A customer relationship “means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.” That chains to the definition of continuing relationship, which has 12 examples along with 5 examples of what is not a continuing relationship. So you see how this is not simple.
Many schools I’ve talked to are considering all of their people as customers: students, parents, alumni, and employees. This expands the scope of which information systems (more on that soon) fall under the rule, but it also simplifies the scoping work, as our information systems often hold records on some or all of those people. So it’s simpler to say that if a system has people records, it’s in scope. Note that this is a deliberately broad interpretation; a school that wants a narrower scope will need to document why a given population does not meet the customer definition above.
Lastly, the definition of authorized user is important, as the rule defines additional security controls for “any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.” In particular, multi-factor authentication (MFA) is required, and hopefully we’ve already made progress on that for cyber insurance. The rule does allow your Qualified Individual to approve, in writing, reasonably equivalent or more secure access controls in place of MFA, so any exception needs to be documented rather than assumed. Note that customer appears in the authorized user definition. This opens up questions about what security you need on student access to systems as well as their parents (often parents can be granted access to limited pieces of the student’s educational record by the student). I suspect vendors who provide the systems that students and parents access will be adding MFA features.
Information Systems
As noted above, the rule defines an information system, and one phrase in that definition deserves particular attention: “…containing customer information or connected to a system containing customer information….” The “connected to” piece expands the scope across our integrated cloud systems, since a system with no customer records of its own is still in scope if it integrates with one that has them. Network segmentation and trimming unneeded integrations are the practical ways to keep that boundary manageable. Again, each school may interpret this as they see fit (or as their legal department sees fit).
That’s enough on definitions for now. I do recommend reading through the definitions section of the rule, as you’ll return to it repeatedly while unpacking the requirements.