2023 Fiscal Audits Will Include More Detailed Data Security Compliance Requirements

If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit.

The Federal Trade Commission’s (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June 9, 2023. The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. The U.S. Department of Education has increased enforcement authority by requiring auditors to verify an institution’s compliance with components of the Safeguards Rule.

In March, the U.S. Department of Education updated the Guide for Financial Statement Audits of Proprietary Schools and For Compliance Attestation Examination Engagements of Proprietary Schools and Third-Party Servicers Administering Title IV Programs (“Audit Guide”). The Audit Guide is effective for fiscal years beginning on or after January 1, 2023, and will be in place for all audits conducted in 2024 and beyond.

The Audit Guide reinforces that Title IV institutions must adhere to the strict cybersecurity requirements set forth in the Safeguards Rule including a requirement to “develop, implement, and maintain a written, comprehensive information security program.” The objective is to “Determine whether the school designated an individual to oversee, implement, and enforce the school’s information security program and whether the school’s written information security program addresses six additional required elements.”

In addition to verifying that the institution has designated a qualified individual, the auditor must also verify:

1. The information security program is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks;

2. Design and implementation of eight safeguards set forth in the regulation to control the risks the school or servicer identifies through its risk assessment;

3. Regular testing or otherwise monitoring the effectiveness of the safeguards implemented;

4. Implementation of policies and procedures to ensure that personnel are able to enact the information security program;

5. How the school or servicer will oversee its information system service providers; and

6. The evaluation and adjustment of an institution’s information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program.

An institution’s failure to implement an information security program with the required elements by June 9, 2023 (the effective date of the Safeguards Rule) may result in an audit finding. If an institution has not implemented an information security program with the required elements by December 31, 2023, the institution will receive an audit finding and must submit a Corrective Action Plan (“CAP”). Moreover, FSA’s Cybersecurity Team and the Federal Trade Commission (FTC) will be informed of the audit findings regarding the Safeguards Rule and may request additional information to assess the level of risk to student data.

In an Electronic Announcement issued in February 2023 regarding cybersecurity compliance, the Department stated that a finding of non-compliance will be resolved as part of the Department’s determination of an institution’s administrative capability. Additionally, repeated non-compliance may result in administrative action impacting Title IV participation.

EdUp Legal Podcast: The Latest on DOE Regulations

Tony Guida, Duane Morris partner and Team Lead of the Education Industry Group, is featured in the EdUp Legal podcast.

In the episode, Tony discussed the Department of Education’s most recent suite of regulations impacting institutions’ participation in the Title IV program, specifically with respect to certification, financial responsibility and administrative capability.

Listen to the EdUp Legal podcast, hosted by Deborah Solmor.

White House’s Executive Order on Artificial Intelligence Identifies Education as a Critical Field for AI Use and Oversight

The White House’s October 30, 2023, Executive Order on Safe, Secure and Trustworthy Artificial Intelligence provides insight into the future of regulating the development and use of artificial intelligence models in the United States.

The executive order identifies education as a critical field where the federal government will take advantage of advances in AI technologies, but also needs to protect consumers and the public from adverse impacts. Job training and education will provide access to students to learn about AI. Resources will be made available to those who experience displacement in the workforce due to AI. The order makes clear that the federal government will continue to enforce existing consumer protections as AI evolves. These include those safeguarding consumers from “fraud, unintended bias, discrimination, infringements on privacy, and other harms from AI.”

The executive order also directs the Secretary of Education to develop policies concerning the use and impact of AI in education in consultation with stakeholders. This will include the creation of an “AI toolkit” for institutions to use in implementing the department’s recommendations concerning appropriate use of AI, including human review of AI decisions, the design of AI to enhance trust and safety, and alignment of AI systems with U.S. privacy laws and regulations, among other things.

Read our full cross-practice alert about the Executive Order here

Department of Education’s Final Rule on Financial Value Transparency and Gainful Employment Published

On October 10, 2023, the U.S. Department of Education published the final rule on financial value transparency and gainful employment (88 Fed. Reg. 70004). The regulation restores and expands an accountability framework for career-specific training programs. At the same time, the regulation creates, for the first time, a new disclosure framework applicable to educational programs offered by all institutions participating in the Title IV, Higher Education Act (HEA) federal student aid funding programs.

This summary provides an overview of important facts and key elements of the final rule.

Read the full Alert on the Duane Morris LLP website.

Webinar: Understanding Borrower Defense to Repayment Claims

Duane Morris is hosting the webinar Understanding Borrower Defense to Repayment Claims on Thursday, October 5, 2023, from 2:00 p.m. to 3:00 p.m. Eastern.

About the Program

Institutions of higher education – public, nonprofit and proprietary – have reached out to Duane Morris’ Education Group with questions and concerns regarding Borrower Defense to Repayment claims. Join us for recommendations on how to handle these inquiries, insights on best practices and what to expect in terms of next steps.

Student Arbitration Agreements

By Edward Cramp and Jessica S. High

July 1 is quickly approaching for institutions that require students to sign pre-dispute arbitration agreements.  The new Borrower Defense to Repayment (BDR) regulation goes into effect on July 1. Among other things, it prohibits Title IV institutions from requiring students to sign mandatory pre-dispute arbitration agreements covering BDR claims.

Institutions can continue to use arbitration agreements for non-BDR claims. Institutions should review current arbitration agreements to ensure they comply with the new regulation.  Additionally, institutions must provide notice (with prescribed language) to students who previously signed a pre-dispute arbitration agreement that does not comply with the new regulations. The notice must be provided no later than exit counseling or the date on which the school files its initial response to a demand for arbitration or service of a complaint, whichever is earlier.

Compliant arbitration agreements and notices must be implemented by July 1. Some arbitration administrators, such as the American Arbitration Association, require consumer arbitration agreements to be registered with the agency. Such administrators may decline to administer an arbitration if the college or business does not comply with the registration requirement. Institutions should review their arbitration administrator’s rules to see if this is required.

Finally, litigation is pending in the case of CCST v. Cardoza, which may impact whether the new BDR regulation goes into effect as scheduled.  Institutions should be on the watch for updates in the event that the court issues a ruling that impacts the implementation of the new rule.

If you have any questions about this blog post, please contact Edward Cramp, Jessica High, any of the attorneys in our Higher Education Group or the attorney in the firm with whom you are regularly in contact.

U.S. Department of Education Updates Third Party Servicer Guidance

On May 16, 2023, the United States Department of Education (the “Department”) updated its Third Party Servicer Guidance issued in GEN-23-03.  The new Dear Colleague Letter (“DCL”) officially delays indefinitely the previously issued guidance.  It also removes the prohibition on contracts between institutions of higher education and foreign owned or operated third party servicers.

This DCL replaces the prior update posted in a blog by Undersecretary Kvaal, in which he commented that the department was effectively delaying the prior DCL.  This formalizes that announcement.

The DCL indicates that institutions will be provided with at least six (6) months advance notice before the effective date of any future formal guidance.  The deadlines for audit and contractual requirements in any new guidance will be delayed until the institution’s first fiscal year beginning after the effective date for the reporting requirements.  We read this to mean that institutions and Third Party Servicers will not be required to retroactively implement the new guidance.

Finally, the Department also clarified that institutions may contract with foreign owned Third Party Servicers.  It rescinded earlier guidance on this issue.  The Department did note, however, that this issue may be subject to rulemaking in the future.

Institutions and potential Third Party Servicers should continue to evaluate how they may be impacted by new regulation or guidance in this area.  It is clear that the Department is intent on increasing its oversight of Third Party Servicers by expanding the scope of services that fall into the Third Party Servicer bucket in the Higher Education Act.  In addition, the Department has identified Third-Party Servicers and Related Issues for rulemaking in the fall of 2023. Concerned parties should continue to monitor developments from the Department as they arise over the next several months.

U.S. Department of Education Releases Draft New Gainful Employment, Financial Responsibility, Administrative Capability, and Ability to Benefit Proposed Rules – 30 Day Public Comment Period

On May 17, 2023, the U.S. Department of Education (Department) released to the public the text of proposed regulations to establish a new iteration of a Gainful Employment (GE) rule, which would terminate access to Federal financial aid for career training programs that leave graduates with unaffordable debt burdens or with earnings that are no higher than workers without any education beyond high school.

The proposed regulations will be published in the Federal Register on May 19, 2023. The public may submit comments on the proposed rule through the Regulations.gov website for 30 days. The Department expects to finalize the rules later this year. Under the master calendar requirements of the Higher Education Act, rules finalized by November 1, 2023, will go into effect on July 1, 2024.

The proposed GE rule applies to all Title IV eligible programs offered by proprietary (for-profit) institutions of higher education and less than 2 year (certificate) programs offered by public and private non-profit institutions. Institutions offering such programs should closely analyze the proposed rule and submit public comments within the 30 day open comment period. We will be publishing a more detailed analysis of key components of the rule in the near future.

The Department also included proposed changes to three other regulatory areas:

  • Financial Responsibility, which includes proposals to make it easier for the Department to secure upfront financial protection when colleges start to exhibit signs of financial struggle, such as when an institution incurs significant debts or liabilities from a lawsuit or is at risk of losing access to Federal financial aid programs.
  • Administrative Capability, which includes proposals to increase requirements for colleges to provide adequate career services and clearer financial aid information, and to limit the employment of individuals with a past history of risky behavior or misconduct related to the Federal financial aid programs.
  • Certification Procedures, which includes proposals to make it easier for the Department to incorporate stronger safeguards into its written agreements with institutions for participating in Federal financial aid programs. These proposals also protect students by allowing the Department to require teach-out plans or agreements when a college is at risk of closure.

Finally, the regulations contain consensus language agreed to during negotiated rulemaking in Spring 2022 that will revise Ability to Benefit rules. These are provisions related to how students without a high school diploma may access Federal aid. In particular, the regulations would provide a more streamlined process for States to approve postsecondary opportunities for these students.

View an unofficial copy of proposed regulations here. A fact sheet on the GE and transparency parts of the rules can be found here and a fact sheet on the other provisions in the regulatory package is here. The Department is also releasing a version of the data that was used to model the effects of the proposed gainful employment and financial transparency rules in the Regulatory Impact Analysis, which can be found on this page.

Department of Education Releases Proposed Rules on Accountability for Certificate and For-Profit Programs and Transparency into Unaffordable Student Debt | U.S. Department of Education

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
