Webinar: The Regulatory Landscape ‒ A Dynamic and Disruptive 12 Month

Duane Morris will present Boot Camp for Education Legal Leadership, Session 1: The Regulatory Landscape ‒ A Dynamic and Disruptive 12 Months, on Wednesday, January 24, 2024, at 2:00 p.m. Eastern time/11:00 a.m. Pacific time.

The past 12 months have been one of the most active in recent memory for the U.S. Department of Education in publishing new regulations and issuing new policy guidance in the area of Title IV, Higher Education Act compliance. Join the Education Industry Group at Duane Morris for review and analysis of these developments and how they impact your institution, both now and in the near future.

REGISTER

Continue reading “Webinar: The Regulatory Landscape ‒ A Dynamic and Disruptive 12 Month”

2023 Fiscal Audits Will Include More Detailed Data Security Compliance Requirements

If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit.

The Federal Trade Commission’s (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June 9, 2023. The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. The U.S. Department of Education has increased enforcement authority by requiring auditors to verify an institution’s compliance with components of the Safeguard Rule.

In March, the U.S. Department updated the Guide for Financial Statement Audits of Propriety Schools and For Compliance Attestation Examination Engagements of Proprietary Schools and Third-Party Servicers Administering Title IV Programs (“Audit Guide”). The Audit Guide is effective for fiscal years beginning on or after January 1, 2023, and will be in place for all audits conducted in 2024 and beyond.

The Audit Guide reinforces that Title IV institutions must adhere to the strict cybersecurity requirements set forth in the Safeguards Rule including a requirement to “develop, implement, and maintain a written, comprehensive information security program.” The objective is to “Determine whether the school designated an individual to oversee, implement, and enforce the school’s information security program and whether the school’s written information security program addresses six additional required elements.”

In addition to verifying that the institution has designated a qualified individual, the auditor must also verify:

1.     The information security program is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks;

2.     Design and implementation of eight safeguards set forth in the regulation to control the risks the school or servicer identifies through its risk assessment;

3.     Regular testing or otherwise monitoring the effectiveness of the safeguards implemented;

4.     Implementation of policies and procedures to ensure that personnel are able to enact the information security program;

5.     How the school or servicer will oversee its information system service providers; and

6.     The evaluation and adjustment of an institution’s information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program.

An institution’s failure to implement an information security program with the required elements by June 9, 2023 (the effective date of the Safeguards Rule) may result in an audit finding. If an institution has not implemented an information security program with the required elements by December 31, 2023, the institution will receive an audit finding and must submit a Corrective Action Plan (“CAP”). Moreover, FSA’s Cybersecurity Team and the Federal Trade Commission (FTC) will be informed of the audit findings regarding the Safeguards Rule and may request additional information to assess the level of risk to student data.

In an Electronic Announcement issued in February 2023 regarding cybersecurity compliance, the Department stated that a finding of non-compliance will be resolved as part of the Department’s determination of an institution’s administrative capability. Additionally, repeated non-compliance may result in administrative action impacting Title IV participation.

EdUp Legal Podcast: The Latest on DOE Regulations

Tony Guida, Duane Morris partner and Team Lead of the Education Industry Group, is featured in the EdUp Legal podcast.

In the episode,  Tony discussed the Department of Education’s most recent suite of regulations impacting institutions’ participation in the Title IV program, specifically with respect to certification, financial responsibility and administrative capability.

Listen to the EdUp Legal podcast, hosted by Deborah Solmor.

White House’s Executive Order on Artificial Intelligence Identifies Education as a Critical Field for AI Use and Oversight

The White House’s October 30, 2023, Executive Order on Safe, Secure and Trustworthy Artificial Intelligence provides insight into the future of regulating the development and use of artificial intelligence models in the United States.

The executive order identifies education as a critical field where the federal government will take advantage of advances in AI technologies, but also needs to protect consumers and the public from adverse impacts. Job training and education will provide access to students to learn about AI. Resources will be made available to those who experience displacement in the workforce due to AI. The order makes clear that the federal government will continue to enforce existing consumer protections as AI evolves. These include those safeguarding consumers from “fraud, unintended bias, discrimination, infringements on privacy, and other harms from AI.”

The executive order also directs the Secretary of Education to develop policies concerning the use and impact of AI in education in consultation with stakeholders. This will include the creation of an “AI toolkit” for institutions to use in implementing the department’s recommendations concerning appropriate use of AI, including human review of AI decisions, the design of AI to enhance trust and safety, and alignment of AI systems with U.S. privacy laws and regulations, among other things.

Read our full cross-practice alert about the Executive Order here

Department of Education’s Final Rule on Financial Value Transparency and Gainful Employment Published

On October 10, 2023, the U.S. Department of Education published the final rule on financial value transparency and gainful employment (88 Fed. Reg. 70004). The regulation restores and expands an accountability framework for career-specific training programs. At the same time, the regulation creates, for the first time, a new disclosure framework applicable to educational programs offered by all institutions participating in the Title IV, Higher Education Act (HEA) federal student aid funding programs.

This summary provides an overview of important facts and key elements of the final rule.

Read the full Alert on the Duane Morris LLP website.

Webinar: Understanding Borrower Defense to Repayment Claims

Duane Morris is hosting the webinar Understanding Borrower Defense to Repayment Claims on Thursday, October 5, 2023, from 2:00 pm to 3:00 p.m. Eastern.

REGISTER 

About the Program

Institutions of higher education – public, nonprofit and proprietary – have reached out to Duane Morris’ Education Group with questions and concerns regarding Borrower Defense to Repayment claims. Join us for recommendations on how to handle these inquiries, insights on best practices and what to expect in terms of next steps.

Continue reading “Webinar: Understanding Borrower Defense to Repayment Claims”

Student Arbitration Agreements

By Edward Cramp and Jessica S. High

July 1 is quickly approaching for institutions that require students to sign pre-dispute arbitration agreements.  The new Borrower Defense to Repayment (BDR) regulation goes into effect on July 1. Among other things, it prohibits Title IV institutions from requiring students to sign mandatory pre-dispute arbitration agreements covering BDR claims.

Institutions can continue to use arbitration agreements for non-BDR claims. Institutions should review current arbitration agreements to ensure they comply with the new regulation.  Additionally, institutions must provide notice (with prescribed language) to students who previously signed a pre-dispute arbitration agreement that does not comply with the new regulations. The notice must be provided no later than exit counseling or the date on which the school files its initial response to a demand for arbitration or service of a complaint, whichever is earlier.

Compliant arbitration agreements and notices must be implemented by July 1. Some arbitration administrators, such as the American Arbitration Association, required consumer arbitration agreements to be registered with the agency.  Such administrators may decline to administer an arbitration if the college or business does not comply with the registration requirement. Institutions should review their arbitration administrator’s rules to see if this is required.

Finally, litigation is pending in the case of CCST v. Cardoza, which may impact whether the new BDR regulation goes into effect as scheduled.  Institutions should be on the watch for updates in the event that the court issues a ruling that impacts the implementation of the new rule.

If you have any questions about this blog post, please contact Edward Cramp, Jessica High, any of the attorneys in our Higher Education Group or the attorney in the firm with whom you are regularly in contact.

U.S. Department of Education Updates Third Party Servicer Guidance

On May 16, 2023, the United States Department of Education (the “Department”) updated its Third Party Servicer Guidance issued in GEN-23-03.  The new Dear Colleague Letter (“DCL”) officially delays indefinitely the previously issued guidance.  It also removes the prohibition on contracts between institutions of higher education and foreign owned or operated third party servicers.

This DCL replaces the prior update posted in a blog by Undersecretary Kvaal, in which he commented that the department was effectively delaying the prior DCL.  This formalizes that announcement.

The DCL indicates that institutions will be provided with at least six (6) months advance notice before the effective date of any future formal guidance.  The deadlines for audit and contractual requirements in any new guidance will be delayed until the institution’s first fiscal year beginning after the effective date for the reporting requirements.  We read this to mean that institutions and Third Party Servicers will not be required to retroactively implement the new guidance.

Finally, the Department also clarified that institutions may contract with foreign owned Third Party Servicers.  It rescinded earlier guidance on this issue.  The Department did note, however, that this issue may be subject to rulemaking in the future.

Institutions and potential Third Party Servicers should continue to evaluate how they may be impacted by new regulation or guidance in this area.  It is clear that the Department is intent on increasing its oversight of Third Party Servicers by expanding the scope of services that fall into the Third Party Servicer bucket in the Higher Education Act.  In addition, the Department has identified Third-Party Servicers and Related Issues for rulemaking in the fall of 2023. Concerned parties should continue to monitor developments from the Department as they arise over the next several months.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress