GLBA Compliance in Higher Education

Introduction

The Gramm-Leach-Bliley Act (GLBA) has existed for years, but it has directly affected colleges and universities in the past four years. Higher education organizations will need to review their GLBA compliance to ensure compliance with the upcoming Safeguards Rule changes scheduled to take effect in June 2023.

What is the GLBA?

The Gramm-Leach-Bliley Act is a federal regulation that regulates the collection, storage, and transmission of Personally Identifiable Information (PII) by financial institutions. It consists of three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions.

Does GLBA Compliance Apply to Higher Education?

The short answer is yes. GLBA compliance has affected various institutions since 1999, and higher education institutions have been subject to compliance audits since 2018.

The US Department of Education Federal Student Financial Aid Office (FSA) designated Title IV institutions as “financial institutions,” making them subject to GLBA compliance. The FSA also confirmed that most data sourced from the Department of Education and information used in administering Title IV programs classifies as Controlled Unclassified Information (CUI).

Currently, GLBA in higher education applies to how colleges and universities collect, store, and utilize student financial records containing PII, such as tuition payments and financial aid records. The Federal Trade Commission (FTC) enforces both the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314).

The GLBA Privacy Rule

The GLBA Financial Privacy Rule governs the collection and disclosure of private financial information. In general, colleges and universities comply with the Privacy Rule if they comply with the Family Educational Rights and Privacy Act (FERPA), which we explain in greater detail below.

FTC Safeguards Rule Requirements

Section 314.4 of the Safeguards Rule identifies nine elements that all Title IV institutions of higher education must include in their information security program. They are as follows:

1. Designating someone to implement and supervise your information security program. This person can be an employee or can work for an affiliate or service provider.
2. Conducting a risk assessment. The assessment must identify risks and threats that could compromise the security of students, staff, and others.
3. Implementing safeguards to control risks. This includes:
   -Understanding who has access to student and staff information and whether they need it.
   -Keeping an inventory of all systems, devices, platforms, and personnel.
   -Encrypting student and staff information or securing it through effective alternative controls.
   -Assessing your apps, if applicable, and implementing procedures for their security.
   -Implementing multi-factor authentication for anyone accessing student or staff information on your system.
   -Disposing of student and staff information securely.
   -Anticipating and evaluating changes to your information system or network as needed.
   -Maintaining a log of authorized users’ activity and watching for unauthorized access. 
4. Monitoring and testing the effectiveness of your safeguards. Colleges and universities must regularly test procedures for detecting actual and attempted attacks.
5. Training your staff. Employees must understand the importance of security and be trained to spot risks and threats.
6. Monitoring your service providers. All service providers must have the skills and experience to maintain appropriate safeguards.
7. Keeping your information security program current. Adjusting security protocols based on changes to operations or personnel, following risk assessments, or after identifying emerging threats.
8. Creating a written incident response plan. Title IV institutes of higher learning are required to have a “what if” plan in place should it experience a security event. This includes the steps your operation will take in the event of an incident, the roles/responsibilities of personnel, processes to fix weaknesses, and more.
9. Reporting to your board of directors. Your head of security must report in writing regularly to your Board of Directors or governing body regarding your information security program.

Recent FTC Safeguards Rule Amendments 

The Safeguards Rule was amended on January 10, 2022 and become effective June 9, 2023, to ensure that financial institutions’ practices are taking into account modern technologies.

It added five modifications to make their protection of customer data more robust: 

1. Security programs must include authentication and data should be encrypted. The rule also requires the risk assessment be set forth in writing. As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. 
2. Financial institutions need to improve their accountability when preparing their annual reports. Periodic reporting to boards of directors or governing bodies is also required in order to ensure their awareness and make it more likely that institutions will receive the required resources and be able to protect consumer information.
3. It exempts financial institutions that collect information from less than 5,000 consumers from some of the rule’s original nine requirements — specifically of having a written risk assessment, an incident response plan and preparing the annual report to the board of directors.
4. It expands the definition of financial institutions to include entities that conduct incidental activities to financial services. 
5. It includes a glossary of terms related to technology so that there is clarity regarding data security practices.

How Goliath Cyber Makes It Easier to Comply with the FTC’s Safeguards Rule

Implementing changes for compliance can be expensive. Since most colleges and universities are focused on controlling costs to keep tuition low and attract new students, complying with the new rules – including the upfront and annual recurring costs for hiring a Chief Information Security Officer (CISO) and implementing the required measures – can really break an educational institution’s budget. 

At Goliath Cyber, we know education is your focus, not cybersecurity. With our Executive Cyber Advisory Service, we become your CISO and report to your institution’s Board of Directors as required for less than half what it would cost to manage it on your own. We have more than 25 years of experience successfully implementing information security programs. We also specialize in the measures enumerated within the Safeguard Rule, including but not limited to: 

Cybersecurity Risk Assessments

This is the central element of the FTC’s Safeguards Rule. At Goliath Cyber, we conduct thorough cybersecurity risk assessments — documenting strengths, weaknesses, and corrective advice to elevate your cybersecurity program. The outcome prioritizes risks so that you can make risk-based decisions about security efforts. 

Penetration Testing

Penetration testing is a reliable way to test security protocols by simulating cyberattacks. This is done to identify exploitable vulnerabilities within your networks and/or applications. They are effective because they reflect the same methodologies cyber criminals use. This enables you to identify whether your current safeguards are working and how fast your response would be in the event of a security breach.

Our penetration testing services are also specifically designed to comply with regulatory and federal industry requirements. 

Consequences for GLBA Non-Compliance

If a higher education institution is non-compliant, the FSA’s Postsecondary Institution Cybersecurity Team may disable the institution’s access to the Department of Education information systems.

Under SEC. 523. [U.S.C. 6823] of the GLBA, there are several criminal penalties outlined. For example, institutions and violators may be subject to fines of up to $100,000, and individuals could face up to five years of imprisonment–or ten years for repeat offenders.

However, the most detrimental consequence of GLBA non-compliance is a security breach. In the case of a successful cyberattack, a perpetrator may leak or steal important student information. Institutions that fail to take appropriate measures to safeguard students’ financial information may pay significant ransoms to retrieve that data.

Even then, there is no guarantee that the attacker will return the information after receiving the money. Such non-compliance can also severely harm the university’s reputation. From a student’s perspective, why should they entrust such an institution with their personal information?

Next Steps

You don’t want to wait until the last minute to implement any of these security mandates. Contact us today to learn how we can help ensure that your information security program meets these new federal requirements.