Since 1999, the Gramm-Leach-Bliley Act (GLBA) has held financial institutions accountable for the protection of customers’ Personally Identifiable Information (PII). In the past few years, the U.S. Department of Education (the Department) and its office of Federal Student Aid (FSA) have asserted that Title IV Institutions of Higher Education (EDUs) are considered “financial institutions” and thus subject to GLBA compliance. FSA has recently affirmed that most data sourced from the Department and information used in the administration of Title IV programs is considered Controlled Unclassified Information (CUI).
Yes. As of FY19, the GLBA Safeguards Rule has been included in the Federal Single Audit and requires internal and external Certified Public Accountants (CPAs) to audit against the requirements. Audit findings are being referred to the FSA Cybersecurity Team and the Federal Trade Commission (FTC) for “consideration of a fine or other appropriate administrative action.”
Does my EDU have to comply with the GLBA?
Most likely. The requirements apply to the more than 6,000 EDUs in the U.S. and abroad that administer FSA funds. The actual requirements only apply to the individual campus units that handle data related to the FSA programs (e.g., registrar’s office, student aid office, bookstore, etc.).
What are the requirements of the GLBA?
As initially stated in the 2016 “Dear Colleague” letter (GEN-16-12), the FTC’s Standards for Safeguarding Customer Information (16 CFR Part 314) requires EDUs to, among other things:
- Develop, implement, and maintain a comprehensive information security program which:
  - Ensures the security and confidentiality of customer information;
  - Protects against any anticipated threats or hazards to the security or integrity of such information; and
  - Protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
- In order to develop, implement, and maintain your information security program, you shall:
  - Designate an employee or employees to coordinate your information security program.
  - Conduct a risk assessment that covers:
    - Employee training and management;
    - Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
    - Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
  - Design and implement information safeguards to control the risks you identify through risk assessment.
  - Oversee service providers, by:
    - Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
    - Requiring your service providers by contract to implement and maintain such safeguards.
  - Evaluate and adjust your information security program in light of the results of the testing and monitoring.
Although neither the Department nor FSA has directly required any specific cybersecurity framework for GLBA compliance or otherwise, they have always “strongly encouraged” that EDUs adopt the National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171). However, on December 18, 2020, the Department and FSA gave notice to EDUs of their intent to begin conducting NIST 800-171 self-assessments as part of the multi-year phased rollout of their Campus Cybersecurity Program (CCP).
Does your EDU also conduct Department of Defense (DoD) sponsored research? The efforts to comply with NIST 800-171 and to begin preparing for the Cybersecurity Maturity Model Certification (CMMC) will also apply to your GLBA-covered units.