I read your previous piece on FTC data security regulations. Are U.S. institutions of higher education subject...
to FTC data security oversight? The Gramm-Leach-Bliley Act and the Red Flags Rule apply to universities and both of them are overseen by the FTC, so does that imply that higher education is subject to FTC oversight?
This is a very difficult question to answer because it is an unsettled question of law. You should consult with legal counsel if you believe you are engaging in activities that might be regulated by the FTC. I'm not an attorney, so I can't offer you legal advice.
Traditionally, the FTC has not had the authority to regulate nonprofit organizations. This is the reason, for example, that nonprofit organizations were ineligible for the European Union's Safe Harbor program while it existed. That said, there are some areas where FTC oversight has extended to nonprofits in the past. The Fair and Accurate Credit Transactions Act, which enabled the Red Flags Rule, and GLBA both contained language that allowed FTC regulation of nonprofits under specific circumstances.
My take on the recent court decision allowing the FTC data security regulations is that it likely will not provide the FTC with broad oversight over the cybersecurity practices of nonprofit organizations. The FTC may have authority in specific circumstances, as it does under the Red Flags Rule and GLBA, but most aspects of higher education will likely remain under the jurisdiction of other agencies, such as the Department of Education's authority under FERPA and the Department of Health and Human Services' authority under HIPAA. Stay tuned, however. We'll only know the real answer to this question when it is put to the test by the courts.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out how a recent FTC lawsuit affects enterprises that suffer data breaches
Learn more about why security experts are wary about Rule 41
Discover the compliance standards that regulate biometric security systems
Dig Deeper on Information security laws, investigations and ethics
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading