2023 Fiscal Audits Will Include More Detailed Data Security Compliance Requirements

If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit.

The Federal Trade Commission’s (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June 9, 2023. The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. The U.S. Department of Education has increased its enforcement authority by requiring auditors to verify an institution’s compliance with components of the Safeguards Rule.

In March, the U.S. Department of Education updated the Guide for Financial Statement Audits of Proprietary Schools and For Compliance Attestation Examination Engagements of Proprietary Schools and Third-Party Servicers Administering Title IV Programs (“Audit Guide”). The Audit Guide is effective for fiscal years beginning on or after January 1, 2023, and will be in place for all audits conducted in 2024 and beyond.

The Audit Guide reinforces that Title IV institutions must adhere to the strict cybersecurity requirements set forth in the Safeguards Rule, including a requirement to “develop, implement, and maintain a written, comprehensive information security program.” The stated audit objective is to “Determine whether the school designated an individual to oversee, implement, and enforce the school’s information security program and whether the school’s written information security program addresses six additional required elements.”

In addition to verifying that the institution has designated a qualified individual, the auditor must also verify:

1. The information security program is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks;

2. Design and implementation of the eight safeguards set forth in the regulation to control the risks the school or servicer identifies through its risk assessment;

3. Regular testing or otherwise monitoring the effectiveness of the safeguards implemented;

4. Implementation of policies and procedures to ensure that personnel are able to enact the information security program;

5. How the school or servicer will oversee its information system service providers; and

6. The evaluation and adjustment of an institution’s information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program.

An institution’s failure to implement an information security program with the required elements by June 9, 2023 (the effective date of the Safeguards Rule) may result in an audit finding. If an institution has not implemented an information security program with the required elements by December 31, 2023, the institution will receive an audit finding and must submit a Corrective Action Plan (“CAP”). Moreover, FSA’s Cybersecurity Team and the Federal Trade Commission (FTC) will be informed of the audit findings regarding the Safeguards Rule and may request additional information to assess the level of risk to student data.

In an Electronic Announcement issued in February 2023 regarding cybersecurity compliance, the Department stated that a finding of non-compliance will be resolved as part of the Department’s determination of an institution’s administrative capability. Additionally, repeated non-compliance may result in administrative action impacting Title IV participation.

White House’s Executive Order on Artificial Intelligence Identifies Education as a Critical Field for AI Use and Oversight

The White House’s October 30, 2023, Executive Order on Safe, Secure and Trustworthy Artificial Intelligence provides insight into the future of regulating the development and use of artificial intelligence models in the United States.

The executive order identifies education as a critical field where the federal government will take advantage of advances in AI technologies, but also one where it needs to protect consumers and the public from adverse impacts. Job training and education programs will give students access to learning about AI, and resources will be made available to those displaced in the workforce by AI. The order makes clear that the federal government will continue to enforce existing consumer protections as AI evolves, including those safeguarding consumers from “fraud, unintended bias, discrimination, infringements on privacy, and other harms from AI.”

The executive order also directs the Secretary of Education to develop policies concerning the use and impact of AI in education in consultation with stakeholders. This will include the creation of an “AI toolkit” for institutions to use in implementing the department’s recommendations concerning appropriate use of AI, including human review of AI decisions, the design of AI to enhance trust and safety, and alignment of AI systems with U.S. privacy laws and regulations, among other things.


© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
