Higher Education Compliance with Updates to the GLBA Safeguards Rule

Higher education institutions participating in the US Department of Education’s federal student aid programs need to be aware of recent updates to requirements to the Safeguards Rule of the Graham-Leach-Bliley Act (GLBA), which will go into effect on June 9, 2023. Though this act typically ensures that financial institutions like banks maintain appropriate data privacy practices that protect individuals’ nonpublic personal information (NPI), on February 28, 2020, the Office of Federal Student Aid (FSA) of the US Department of Education (ED) announced that educational institutions participating in the Federal Student Aid program must comply with the GLBA and report this compliance in their annual audit. On February 9, 2023, the FSA announced updates to the GLBA cybersecurity requirements specific to higher education institutions. To see how the new requirements fit into an institution’s compliance with GLBA, see FPF’s new Postsecondary Institution Data Governance Considerations reference guide and Data Governance Checklist.

What does this mean for institutions in the FSA program? 

All educational institutions should continuously review their data privacy and security program. As the provisions of the GLBA focus on nationally accepted best practices, including NIST 800-171, all institutions are advised to model their data security program around the GLBA regulations. However, it is also important to be aware that those who participate in the FSA program must include the following safeguards as part of their audits as specified in the United States Department Of Education Office Of Inspector General’s letter to auditors CPA-19-01.

• Designate an individual responsible for the coordination of its information security program.
• Perform a risk assessment that addresses three required areas:
  • Employee training and management;
  • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
• Document safeguards for each risk identified in the risk assessment.

In addition to audit requirements, institutions must ensure compliance with the three sections of the GLBA: Privacy Rule, Safeguard Rule, and Pretexting Provision. It is important to note that two Safeguard requirements (direct report to the Board of Directors and Incident Response Plan) only apply to institutions that maintain information on 5,000 or more consumers.

How do Institutions ensure compliance?

Institutions should evaluate their alignment with all three sections of the GLBA: Privacy Rule, Safeguard Rule, and Pretexting Provision. 

The Privacy Rule

The GLBA Financial Privacy Rule, 16 CFR Part 313, regulates how institutions inform customers about how they use and share their NPI.  The FTC has ruled that compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirement of the GLBA. It is recommended that the institution review its policies, procedures, and practices around FERPA records, including financial aid information, to ensure compliance.

The following requirements of the Privacy Rule apply to higher education institutions:

• Establish a set of clear, concise privacy policies that include information about what data is collected, why it is collected, who the data will be shared with, and under what conditions.
  • This requirement may be satisfied with the institution’s FERPA annual notice. However, if the FERPA notice does not contain all required components, a data privacy policy/plan should detail this information.
• Before collecting personal information, ensure students have read the privacy notices and consented to any data sharing that requires consent.
• Ensure there is a process for notifying students when their personal data is shared with another financial institution or third party for the purpose of completing a transaction.
• Periodically review policies (at least annually) to ensure they are still relevant.

The Safeguards Rule

The objectives of the Safeguards Rule, 16 CFR Part 314, standards are to:

• Ensure the security and confidentiality of student information.
• Protect against any anticipated threats to the security or integrity of such records.
• Protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any student.

The Safeguard Rule requires institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards that protect customer information. The information security program must address the following nine (9) elements:

1. Designate a Qualified Individual to oversee the institution’s information security program.

1. For institutions maintaining information on over 5,000 students, the Qualified Individual must report to the Board of Directors or governing body in writing regularly, at least annually, and include an overall assessment of the institution’s compliance with its information security program.
2. Develop and conduct a written risk assessment.

1. Design and implement safeguards to control the risks identified through your risk assessment. 

1. Regularly monitor and test the effectiveness of your safeguards. 
2. Implement policies/procedures around the implementation of your information security program. These should include specialized training for employees, affiliates, or service providers who have responsibility for executing the information security program. 
3. Monitor service providers; contracts must specify security expectations and ensure that appropriate safeguards are maintained. 
4. Establish processes to keep your information security program current.
5. Design a written incident response plan for the response to and recovery from a security event (for institutions maintaining information on over 5,000 students). 

The Pretexting Provision

The Privacy Protection for Customer Information “Pretexting” Provision, 15 USC § 6821, was designed to counter identity theft. Pretexting is a social engineering technique where the attacker tries to trick unsuspecting staff (through some form of pretext) into handing over nonpublic personal information. To comply, the institution must adhere to the following:

• Have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect unauthorized disclosure or access.
• Periodic risk assessment of covered accounts, including (1) methods used to open accounts; (2) methods used to access accounts; and (3) previous experiences with identity theft.
• Establish a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft. The program must identify, detect, and respond to Red Flags as defined by the “Red Flags Rule.”
• Continued administration of identity theft prevention program that includes approval from and involvement of the board of directors (or appropriate committee), staff training, and oversight of service providers.
  • see Appendix A to Part 681 for additional guidance

For more information on the GLBA:

• https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
• https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
• https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2020-02-28/enforcement-cybersecurity-requirements-under-gramm-leach-bliley-act
• https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314 
• https://www.fdic.gov/news/financial-institution-letters/2001/fil0139a.html  

FPF Resources:

• GLBA Postsecondary Institution Data Governance Considerations
• GLBA Data Governance Compliance Checklist