Are nonprofit organizations subject to FTC data security oversight?

Are nonprofit organizations, like higher education institutions, subject to FTC data security regulations and oversight? Expert Mike Chapple explains.

I read your previous piece on FTC data security regulations. Are U.S. institutions of higher education subject to FTC data security oversight? The Gramm-Leach-Bliley Act and the Red Flags Rule apply to universities and both of them are overseen by the FTC, so does that imply that higher education is subject to FTC oversight?

This is a very difficult question to answer because it is an unsettled question of law. You should consult with legal counsel if you believe you are engaging in activities that might be regulated by the FTC. I'm not an attorney, so I can't offer you legal advice.

Traditionally, the FTC has not had the authority to regulate nonprofit organizations. This is the reason, for example, that nonprofit organizations were ineligible for the European Union's Safe Harbor program while it existed. That said, there are some areas where FTC oversight has extended to nonprofits in the past. The Fair and Accurate Credit Transactions Act, which enabled the Red Flags Rule, and GLBA both contained language that allowed FTC regulation of nonprofits under specific circumstances.

My take on the recent court decision allowing the FTC data security regulations is that it likely will not provide the FTC with broad oversight over the cybersecurity practices of nonprofit organizations. The FTC may have authority in specific circumstances, as it does under the Red Flags Rule and GLBA, but most aspects of higher education will likely remain under the jurisdiction of other agencies, such as the Department of Education's authority under FERPA and the Department of Health and Human Services' authority under HIPAA. Stay tuned, however. We'll only know the real answer to this question when it is put to the test by the courts.

This was last published in July 2016
