
GLBA Compliance in Higher Education: 2023 Complete Guide

SaltyCloud Research Team

Published on March 10, 2023  •  Read Time 7 min


TL;DR:

The GLBA applies to higher education institutions, requiring them to follow its privacy and security rules when handling student financial records; institutions should review their compliance ahead of the amended Safeguards Rule, which takes effect in June 2023.

The Gramm-Leach-Bliley Act (GLBA) has been law since 1999, but it has only directly affected colleges and universities for the past several years, since federal compliance audits began covering it in 2018. Higher education institutions now need to review their GLBA programs against the amended Safeguards Rule, whose remaining provisions take effect in June 2023.

This article explores the importance of GLBA compliance for higher education institutions, compares its compliance requirements to other common standards, and explains the consequences of non-compliance. By understanding how GLBA compliance affects higher education institutions, your organization can better protect its students’ information, maintain regulatory compliance, and build consumer trust in a world where information security is critical for success.

What is the GLBA?

TL;DR:

The GLBA is a federal law governing how financial institutions handle customer information. Its Safeguards Rule was amended in 2021, with the last of the new requirements taking effect in 2023, so covered organizations need to prepare for the changes to avoid non-compliance.

The Gramm-Leach-Bliley Act is a federal law that governs how financial institutions collect, store, share, and protect customers’ nonpublic personal information (NPI), the financial-sector form of Personally Identifiable Information (PII). It has three principal parts: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions.

Does GLBA Compliance apply to higher education?

TL;DR:

Yes, GLBA compliance applies to higher education institutions, as they are considered financial institutions, and must adhere to Privacy and Safeguards Rules when handling student financial records containing PII.

The short answer is yes. GLBA has applied to financial institutions since its enactment in 1999, and higher education institutions have been audited for GLBA compliance since 2018.

The US Department of Education’s office of Federal Student Aid (FSA) treats Title IV institutions as “financial institutions” for GLBA purposes, making them subject to its requirements. The FSA has also confirmed that most data it provides to institutions, and information used to administer Title IV programs, is Controlled Unclassified Information (CUI).

In practice, GLBA in higher education governs how colleges and universities collect, store, and use student financial records containing PII, such as tuition payment and financial aid records. The Federal Trade Commission (FTC) issues and enforces both the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314).

The GLBA Privacy Rule

TL;DR:

The GLBA Privacy Rule regulates the collection and disclosure of private financial information.

The GLBA Financial Privacy Rule governs the collection and disclosure of private financial information. In general, colleges and universities comply with the Privacy Rule if they comply with the Family Educational Rights and Privacy Act (FERPA), which we explain in greater detail below.

The GLBA Safeguards Rule

TL;DR:

The GLBA Safeguards Rule requires financial institutions, including higher education institutions, to maintain an information security program. The amended rule, fully effective in June 2023, additionally requires them to designate a qualified individual, conduct written risk assessments, limit access, encrypt sensitive data, train personnel, maintain an incident response plan, oversee service providers, and use MFA.

Since 2003, the GLBA Safeguards Rule has mandated that higher education institutions establish an information security program to safeguard customer information.

Although GLBA compliance was initially self-policed, the Office of Management and Budget (OMB), working with the FSA, added GLBA to the federal Compliance Supplement in 2017, which brought it into schools’ annual federal compliance audits. The FSA began auditing colleges and universities for GLBA compliance in 2018.

During the initial evaluation process, auditors must verify that each institution has the following:

  • Designated a person to manage the information security program
  • Conducted a risk assessment that addressed employee training and management, information systems, and protocols for detecting, preventing, and responding to attacks
  • Documented safeguards for each of the above security risks

In December 2021, the Federal Trade Commission published its final rule amending the Safeguards Rule. The amendments expand the minimum information security requirements for covered institutions and their third-party service providers. Affected organizations need to take the following steps in response to the revised rule:

  • Designate a qualified individual to oversee their information security program.
  • Base the program on a written risk assessment.
  • Limit and monitor access to sensitive student information.
  • Encrypt sensitive information both in transit and at rest (or, where encryption is infeasible, use compensating controls approved by the qualified individual).
  • Provide security awareness training to all personnel and keep security staff’s knowledge current.
  • Maintain a written incident response plan.
  • Regularly evaluate the security practices of service providers.
  • Implement multi-factor authentication (MFA), or another access control the qualified individual has approved as at least equivalent, for anyone accessing student information.
  • Regularly test the safeguards, either through continuous monitoring or through annual penetration testing and vulnerability assessments at least every six months.

The remaining provisions of the amended Safeguards Rule take effect on June 9, 2023. To learn more about the Safeguards Rule, please refer to our Complete Guide.

GLBA vs. FERPA

TL;DR:

GLBA and FERPA are federal laws concerning privacy and confidentiality, with GLBA applying to financial institutions and FERPA specifically targeting educational institutions that receive federal funding.

The GLBA and the Family Educational Rights and Privacy Act (FERPA) are federal laws that relate to privacy and confidentiality, but they have different scopes.

While GLBA applies to various financial institutions, FERPA applies specifically to educational institutions that receive federal funding.

FERPA protects the privacy of student and education records and gives students the right to inspect and review their education records, request that their records be amended if they are inaccurate or misleading, and control the disclosure of their education records to third parties.

GLBA vs. HEA

TL;DR:

GLBA and HEA are both federal laws: GLBA governs financial privacy and security, while the HEA governs federal higher education funding, policies, and programs, along with accreditation, student privacy and rights, and student loan repayment.

The GLBA and the Higher Education Act (HEA) are federal laws relating to different aspects of higher education and financial privacy.

The HEA governs the administration of federal higher education funding, policies, and programs, including financial aid programs such as Pell Grants, Stafford Loans, and work-study, as well as research and development grants and funding for Historically Black Colleges and Universities (HBCUs), minority-serving institutions, and tribal colleges and universities.

The HEA also includes provisions related to the accreditation of colleges and universities, student privacy and rights, student loan repayment options, and various other issues related to higher education in the US.

GLBA Compliance Requirements for higher education institutions

TL;DR:

GLBA compliance for higher education institutions requires a written information security program with designated personnel, a risk assessment, implemented safeguards, service provider oversight, and a process for ongoing adjustment. FTC guidance adds an emphasis on employee training and management, and the Department of Education strongly encourages adopting the NIST SP 800-171 framework.

The GLBA audit process described earlier offers a glimpse into what colleges and universities must do to comply with the GLBA. However, having a more comprehensive understanding of the requirements is critical.

First and foremost, institutions must create a written information security program that explains the safeguards they have in place to protect student information. Although these documents may differ from one school to the next, every institution’s information security program must include the following elements:

  • A designated qualified employee who coordinates the comprehensive information security program
  • A means of identifying and assessing risks to student information in each relevant area of operation, as well as a method for evaluating safeguards currently in place
  • An implemented safeguards program that’s regularly monitored and tested
  • Oversight of service providers: selecting providers capable of maintaining appropriate safeguards, requiring them by contract to do so, and periodically assessing how they handle sensitive information
  • A process for evaluating and adjusting the information security program to account for relevant changes

GLBA compliance requirements are intentionally adaptable to meet the varying needs of financial institutions. However, the FTC offers additional guidance on what an effective information security plan should contain. These recommendations concentrate heavily on employee training and management, with suggested practices that include:

  • Performing background checks on prospective employees
  • Restricting access to sensitive information to authorized personnel
  • Delivering security awareness training
  • Imposing disciplinary measures for violations of security policies

Although the Department of Education and FSA have not mandated a specific cybersecurity framework for GLBA compliance or any other purpose, they have consistently “strongly encouraged” higher education institutions to adopt NIST Special Publication 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST 800-171).

In 2020, the Department of Education and FSA announced that institutions would complete NIST 800-171 self-assessments as part of the multi-year phased rollout of the Campus Cybersecurity Program (CCP). The FSA has also consolidated its cybersecurity compliance guidance on the FSA Cybersecurity Compliance website.

Consequences for GLBA non-compliance

TL;DR:

Non-compliance with GLBA can result in loss of access to the Department of Education’s information systems, FTC enforcement action, criminal penalties for the statute’s pretexting offenses, a greater likelihood of a damaging security breach, and lasting harm to the institution’s reputation.

If a higher education institution is non-compliant, the FSA’s Postsecondary Institution Cybersecurity Team may disable the institution’s access to the Department of Education information systems.

Section 523 of the GLBA (15 U.S.C. § 6823) sets out the statute’s criminal penalties. They attach to the pretexting provisions, that is, obtaining customer information from a financial institution under false pretenses, rather than to Safeguards Rule deficiencies as such: violators face fines and up to five years of imprisonment, and up to ten years where the offense is part of a pattern of illegal activity involving more than $100,000 in a twelve-month period. Safeguards Rule shortcomings are enforced civilly by the FTC and, for Title IV institutions, through the Department of Education’s program participation oversight.

However, the most damaging consequence of GLBA non-compliance is usually the security breach that weak safeguards invite. In a successful cyberattack, the perpetrator may steal or leak student information, and institutions that failed to protect students’ financial data may end up paying significant ransoms in an attempt to recover it.

Even then, there is no guarantee that the attacker will return the information after receiving the money. Such non-compliance can also severely harm the university’s reputation. From a student’s perspective, why should they entrust such an institution with their personal information?

How Isora GRC from SaltyCloud can help

TL;DR:

Isora GRC from SaltyCloud is the powerfully simple GLBA Safeguards Rule solution, making regulatory compliance easier while helping higher education institutions improve their cyber resilience.

The quest for GLBA Safeguards Rule compliance across your covered campus units is complex as your organization strives to protect student data while navigating shifting threats and regulations.

Knowing where GLBA-covered data resides, if it’s protected, and whether it meets GLBA compliance standards requires an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace your GLBA compliance audit with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors, leadership and employees.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect GLBA-covered and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
  • Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline your GLBA Safeguards Rule compliance.
