January 1, 2021
Everything about the GLBA in Higher Education
Table of Contents
Are GLBA Audits being conducted?
Does my EDU have to comply with the GLBA?
What are the requirements of the GLBA?
Are there penalties for non-compliance with the GLBA?
What steps can I take to ace my GLBA audit?
What’s the history of the GLBA for EDUs?
I still have questions. Can SaltyCloud help?
Since 1999, the Gramm-Leach-Bliley Act (GLBA) has held financial institutions accountable for protecting customers’ Personally Identifiable Information (PII). In the past few years, the U.S. Department of Education (the Department) Federal Student Aid Office (FSA) has asserted that Title IV Institutions of Higher Education (EDUs) are considered “financial institutions” and are therefore subject to GLBA compliance. FSA has recently affirmed that most data sourced from the Department, and information used in the administration of Title IV programs, is considered Controlled Unclassified Information (CUI).
Are GLBA Audits being conducted?
Yes. As of FY19, the GLBA Safeguards Rule has been included in the Federal Single Audit, and internal and external Certified Public Accountants (CPAs) are required to audit against its requirements. Audit findings are being referred to the FSA Cybersecurity Team and the Federal Trade Commission (FTC) for “consideration of a fine or other appropriate administrative action.”
Does my EDU have to comply with the GLBA?
Most likely. The requirements apply to the more than 6,000 EDUs in the U.S. and abroad that administer FSA funds. The actual requirements only apply to the individual campus units that handle data related to the FSA programs (e.g., registrar’s office, student aid office, bookstore, etc.).
What are the requirements of the GLBA?
- Develop, implement, and maintain a comprehensive information security program which:
  - Ensures the security and confidentiality of customer information;
  - Protects against any anticipated threats or hazards to the security or integrity of such information; and
  - Protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
- In order to develop, implement, and maintain your information security program, you shall:
  - Designate an employee or employees to coordinate your information security program.
  - Conduct a risk assessment that covers:
    - Employee training and management;
    - Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
    - Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
  - Design and implement information safeguards to control the risks you identify through risk assessment.
  - Oversee service providers, by:
    - Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
    - Requiring your service providers by contract to implement and maintain such safeguards.
  - Evaluate and adjust your information security program in light of the results of the testing and monitoring.
Although neither the Department nor FSA has directly required any specific cybersecurity framework for GLBA compliance or otherwise, they have always “strongly encouraged” EDUs to adopt the National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171). However, on December 18, 2020, the Department and FSA gave notice to EDUs of their intent to begin conducting NIST 800-171 self-assessments as part of the multi-year phased rollout of their Campus Cybersecurity Program (CCP).
Does your EDU also conduct Department of Defense (DoD) sponsored research? The efforts to comply with NIST 800-171 and to begin preparing for the Cybersecurity Maturity Model Certification (CMMC) will also apply to your GLBA-covered units.
Are there penalties for non-compliance with the GLBA?
Yes, there can be both reputational and monetary ramifications for non-compliance with the GLBA. Those ramifications affect the EDU and the individuals (e.g., CISO, Security Analysts, Compliance Manager, etc.) in charge of safeguarding CUI and customer data from the Department and FSA. As affirmed in the February 28, 2020 electronic announcement from FSA, EDUs found to be non-compliant with the GLBA requirements will be referred to FSA’s Postsecondary Institution Cybersecurity Team, which “may temporarily or permanently disable the institution or servicer’s access to the Department’s information systems.” The Cybersecurity Team may also refer the EDU “to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department.” And if that wasn’t enough, FSA will also refer any audit findings to the FTC, which “will determine what action may be needed as a result of the GLBA audit finding.” None of this includes the internal disciplinary action that could take place within the EDU, which could result in job loss and a tarnished reputation as an information security or compliance professional.
Although several websites mention specific FTC fines for GLBA violations, we couldn’t verify them. Fines and penalties by the FTC can vary depending on a myriad of factors. Companies like Equifax and PayPal have violated the GLBA (among other regulations) and have been penalized differently. Although the FTC has yet to penalize an EDU for GLBA violations, one thing is for sure: it’s not a question of if they will penalize, but when.
What steps can I take to ace my GLBA audit?
First and foremost, you must understand the requirements of the GLBA and how they affect your EDU. Secondly, you should devise (if you haven’t already) a trustworthy process that enables you to measure GLBA compliance, conduct a risk assessment, and document safeguards across the distinct covered units on your campus. Your process might involve spreadsheets, or you can opt to use a GRC Assessment Platform to help you save time and resources. Ultimately, your goal should be to align the individual campus units with the requirements as closely as possible while maintaining documentation and evidence of your progress for auditors to review.
The GLBA may seem nebulous at first glance, so we did the research and wrote the Definitive Step-by-Step Guidebook to Ace your GLBA Audit to help you. It has helped dozens of CISOs, security analysts, and compliance managers in higher education since the GLBA became an audited requirement.
What’s the history of the GLBA for EDUs?
The GLBA has technically always included EDUs. However, beginning in 2015, FSA released several notices informing EDUs of the law, its requirements, and FSA’s intent to audit compliance.
In 2015 and 2016, FSA released two “Dear Colleague” letters (GEN-15-18 and GEN-16-12) reminding Title IV EDUs that the GLBA applies to them and stating FSA’s intention to enforce the GLBA Safeguards Rule through annual compliance audits. During this time, FSA also made compliance with the GLBA Safeguards Rule a component of the Student Aid Internet Gateway (SAIG) contract between the Department and EDUs.
On October 30, 2019, the Department’s Office of Inspector General issued a “Dear CPA” letter (CPA-19-01). The letter amended the “Guide for Audits of Proprietary Schools and for Compliance Attestation Engagements of Third-Party Services Administering Title IV Programs” and explained the process for auditors to determine whether Title IV EDUs are meeting the GLBA compliance requirements.
On February 28, 2020, FSA released an electronic announcement titled, “Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act,” explaining the procedures for enforcing the cybersecurity requirements under the GLBA, the referral of audit findings to the FTC, and the consequences for EDUs that fail to comply. Jarret Cummings, EDUCAUSE Senior Advisor for Policy and Government Relations, summarized the electronic announcement by saying, “If an institution gets an audit finding based on the Safeguards Rule federal single audit objective, the finding will be included in the audit report that FSA receives. In turn, FSA will share the finding with the FTC and its internal Cybersecurity Team. Suppose the Cybersecurity Team thinks the situation is particularly egregious. In that case, it may cut off access to FSA systems and refer the issue to FSA’s admin compliance unit for a fine or some other form of admin action.”
In response to COVID-19, the Office of Management and Budget (OMB) released several memos providing short-term relief. In the last memo (M-20-26), it extended the submission deadline of the Single Audit by up to six (6) months for audits with expected due dates from March 30, 2020, through June 30, 2020, and by up to three (3) months for audits with expected due dates from July 31, 2020, through September 30, 2020.
Most recently, on December 18, 2020, FSA released an announcement titled “Protecting Student Information – Compliance with CUI and GLBA,” presenting its planned multi-year rollout of the Campus Cybersecurity Program (CCP). Although the CCP is a beast in itself, the letter mentioned FSA’s intent to begin conducting NIST 800-171 self-assessments as early as 2021. FSA also affirmed that, as part of the Student Aid Internet Gateway (SAIG) Enrollment Agreement entered into by Title IV EDUs, “most data sourced from the Department and information used in the administration of Title IV programs are considered CUI.”
I still have questions. Can SaltyCloud help?
We sure can. We work with dozens of EDUs to help them avoid audit findings and ace their GLBA audit, all while saving them valuable time and resources. Learn more about how our GRC Assessment Platform, Isora GRC, helps with GLBA compliance, and reach out to us via email at firstname.lastname@example.org.