Are nonprofit organizations subject to FTC data security oversight?

Are nonprofit organizations, like higher education institutions, subject to FTC data security regulations and oversight? Expert Mike Chapple explains.

I read your previous piece on FTC data security regulations. Are U.S. institutions of higher education subject to FTC data security oversight? The Gramm-Leach-Bliley Act and the Red Flags Rule apply to universities and both of them are overseen by the FTC, so does that imply that higher education is subject to FTC oversight?

This is a very difficult question to answer because it is an unsettled question of law. You should consult with legal counsel if you believe you are engaging in activities that might be regulated by the FTC. I'm not an attorney, so I can't offer you legal advice.

Traditionally, the FTC has not had the authority to regulate nonprofit organizations. This is the reason, for example, that nonprofit organizations were ineligible for the European Union's Safe Harbor program while it existed. That said, there are some areas where FTC oversight has extended to nonprofits in the past. The Fair and Accurate Credit Transactions Act, which enabled the Red Flags Rule, and GLBA both contained language that allowed FTC regulation of nonprofits under specific circumstances.

My take on the recent court decision allowing the FTC data security regulations is that it likely will not provide the FTC with broad oversight over the cybersecurity practices of nonprofit organizations. The FTC may have authority in specific circumstances, as it does under the Red Flags Rule and GLBA, but most aspects of higher education will likely remain under the jurisdiction of other agencies, such as the Department of Education's authority under FERPA and the Department of Health and Human Services' authority under HIPAA. Stay tuned, however. We'll only know the real answer to this question when it is put to the test by the courts.

This was last published in July 2016
