Everything about the GLBA in Higher Education

Since 1999, the Gramm-Leach-Bliley Act (GLBA) has been holding financial institutions accountable for the protection of customers’ Personally Identifiable Information (PII). In the past few years, higher education institutions (EDUs) were reminded that the GLBA applies to them in their management of Title IV Student Financial Aid (FSA) funds.

Is the Department of Education conducting GLBA audits?

Yes. As of FY19, the Department of Education (ED) has been auditing EDUs on their GLBA compliance and referring any outstanding findings to the Federal Trade Commission (FTC) for enforcement.

Does my EDU have to comply with the GLBA?

Most likely. The requirements apply to any unit at your organization that participates in the Title IV Federal Student Financial Aid (FSA) Programs (e.g., registrar’s office, student aid office, bookstore, etc.). They also apply to institutions outside the US that administer FSA funds.

What are the requirements of the GLBA?

As originally stated in the 2016 “Dear Colleague” letter (GEN-16-12), the FTC’s Standards for Safeguarding Customer Information (16 CFR Part 314) requires EDUs to, among other things:

  • Develop, implement, and maintain a comprehensive information security program which:
    • Ensures the security and confidentiality of customer information;
    • Protects against any anticipated threats or hazards to the security or integrity of such information; and
    • Protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
  • In order to develop, implement, and maintain your information security program, you shall:
    • Designate an employee or employees to coordinate your information security program.
    • Conduct a risk assessment that covers:
      • Employee training and management;
      • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
      • Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
    • Design and implement information safeguards to control the risks you identify through risk assessment.
    • Oversee service providers, by:
      • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
      • Requiring your service providers by contract to implement and maintain such safeguards.
    • Evaluate and adjust your information security program in light of the results of the testing and monitoring.

Although not explicitly required at this time, ED references the more detailed control requirements outlined in NIST 800-171. Specifically, ED “strongly encourages those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model.” In an effort to guide EDUs, EDUCAUSE created “An Introduction to NIST Special Publication 800-171 for Higher Education Institutions,” which includes an overview of all 14 families of controls as well as other NIST 800-171 resources.

Are there penalties for non-compliance with the GLBA?

Yes. Failing to comply with the GLBA can carry both reputational and monetary ramifications, not only for the EDU but also for the individuals in charge of safeguarding customer information. As mentioned in the February 2020 ED electronic announcement, EDUs found to be non-compliant with the GLBA requirements will be referred to the FSA’s Postsecondary Institution Cybersecurity Team (Cybersecurity Team), which “may temporarily or permanently disable the institution or servicer’s access to the [ED’s] information systems.” The Cybersecurity Team may also refer the EDU “to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department.” Finally, ED will also refer any audit findings to the FTC, which “will determine what action may be needed as a result of the GLBA audit finding.” And this doesn’t include the internal disciplinary action that could take place, which could result in job loss and a tarnished reputation as an information security leader.

Although several websites on the internet mention specific FTC fines for GLBA violations, we couldn’t verify them. In fact, fines and penalties by the FTC can vary depending on a myriad of factors. Companies like Equifax and PayPal have both violated the GLBA (among other regulations) and have been penalized differently. And although the FTC has yet to penalize an EDU for GLBA violations, it doesn’t mean they can’t and won’t.

What steps can I take to ace my GLBA audit?

First and foremost, you must have an understanding of how the law applies to your institution. Secondly, you should have a process to measure GLBA compliance, conduct a risk assessment, and document safeguards. You can leverage an automated solution such as Isora GRC to help you. Ultimately, your goal should be to align your institution with the requirements and maintain documentation of your progress for auditors to review.

If you’d like to dive deeper into building a compliance process, you can grab a free copy of our Definitive Step-by-Step Guidebook to Ace your GLBA Audit.

What’s the history of the GLBA in higher education?

The GLBA has technically always included EDUs. However, starting in 2015, several notices from ED were released informing EDUs of the law, its requirements, and their intent to perform an audit.

In 2015 and 2016, ED released two “Dear Colleague” letters (GEN-15-18 and GEN-16-12) where they reminded IHEs of their GLBA requirements and their intention to enforce them through annual compliance audits. During this time, ED also included compliance with the GLBA Safeguards Rule as a component of the SAIG contract between ED and EDUs.

ED initially proposed a GLBA audit for FY17. However, it was pushed back to FY18, then pushed back again to FY19.

Then in October 2019, the ED Office of Inspector General issued a “Dear CPA” letter (CPA-19-01). The letter amended the “Guide for Audits of Proprietary Schools and for Compliance Attestation Engagements of Third-Party Services Administering Title IV Programs” and explained the process for auditors to determine whether IHEs are meeting the GLBA compliance requirements.

Finally, in February 2020, ED released an electronic announcement explaining the procedures for enforcing the cybersecurity requirements under the GLBA, the referral of the audit to the FTC, and the consequences for EDUs that fail to comply. Jarret Cummings, EDUCAUSE Senior Advisor for Policy and Government Relations, summarized the electronic announcement by saying, “If an institution gets an audit finding based on the Safeguards Rule federal single audit objective, the finding will be included in the audit report that FSA receives. FSA, in turn, will share the finding with the FTC as well as its internal Cybersecurity Team. If the Cybersecurity Team thinks the situation is particularly egregious, it may cut off access to FSA systems and refer the issue to FSA’s admin compliance unit for a fine or some other form of admin action.”

In response to COVID-19, the Office of Management and Budget (OMB) released several memos providing short-term relief. The last memo (M-20-26) extended the submission of the Single Audit by up to six (6) months for audits with normal due dates from March 30, 2020, through June 30, 2020, and by up to three (3) months for audits with normal due dates from July 31, 2020, through September 30, 2020.

I still have questions. Can SaltyCloud help?

We sure can. We work with dozens of top universities in the United States to help them ace their compliance audits and safeguard their organization. Learn more about our surveying platform, Isora GRC, or email us at info@saltycloud.com.