The Gramm-Leach-Bliley Act (GLBA), established in 1999 under the purview of the Federal Trade Commission (FTC), has long governed the safeguarding of sensitive information within financial institutions. Although not initially focused on educational contexts, the GLBA has more recently shifted into the spotlight of higher education governance.
Here we’ll dissect and analyze the critical elements of the GLBA and its Safeguards Rule, focusing on how they impact the collection, storage and use of student financial records in colleges and universities.
GLBA’s Rising Relevance in Higher Education
Within the last four years, the impact of the GLBA has been increasingly felt in higher education institutions. The Office of Management and Budget (OMB) ratcheted up this focus when it released its Compliance Supplement in July 2019, incorporating a new audit objective to assess institutional compliance with the Safeguards Rule.
Given recent high-profile examples, like the potentially disastrous MOVEit attacks in which Colorado State was among 600 organizations affected by a widespread and well-coordinated ransomware campaign, this added focus on safeguarding student financial records isn’t surprising. With the average cost of a single cybersecurity breach in higher education now at $3.65 million (as of March 2023), your responsibilities to protect student data and your institution’s financial future are greater than ever.
Fresh Changes to GLBA Safeguards Rule: What You Need to Know
In December 2021, the FTC enacted a revision of its Safeguards Rule, with some provisions effective on June 9, 2023. The education sector should note that the Department of Education’s Office of Inspector General has indicated that these revisions may be included in future OMB Compliance Supplements and would be subject to the single audit/federal awards program audit. With federal funding on the line, remaining compliant with these regulations and reporting requirements is essential.
3 Notable Updates to GLBA Requirements
The revisions to the Safeguards Rule cover many points, ranging from risk assessments to personnel responsibilities. Here is a breakdown of three of the most notable changes:
1. Personnel Coordination
Old Rule: Designate employee(s) for information security coordination.
New Rule: A qualified individual must be designated to manage and enforce the information security program. Even if a service provider or affiliate meets this requirement, the institution itself retains responsibility for compliance and oversight.
2. Risk Assessment
Old Rule: A risk assessment addressing three required areas was mandatory.
New Rule: Institutions must now conduct a written, periodically updated risk assessment that considers both internal and external threats, incorporating a more robust set of evaluation criteria.
3. Safeguarding Measures
Old Rule: Identify safeguards for each risk.
New Rule: Beyond identifying safeguards, institutions must now implement a more comprehensive set of data protection measures, such as multifactor authentication, secure disposal of customer information, and annual penetration testing.
Institutional Compliance Is Key
Understanding and implementing these changes is crucial for educational institutions to not only ensure compliance but also safeguard student data. These new changes necessitate a reevaluation of existing information security programs and may require the allocation of additional resources, including expert personnel and advanced cybersecurity tools.
The Gramm-Leach-Bliley Act’s evolving role in higher education, particularly with the recent changes to the Safeguards Rule, calls for universities and colleges to be proactive rather than reactive in the domain of student financial record-keeping and cybersecurity.
Collegis Education can help your institution achieve and maintain GLBA compliance with comprehensive solutions tailored to your unique needs. Our team of experts is well-versed in the latest best practices and can guide you through the intricacies of the Safeguards Rule and other compliance requirements. Reach out to us today to discuss your needs and take the first step toward safeguarding your institution’s future.
Author: Dr. Baz Abouelenein
Dr. Baz Abouelenein is a higher education leader and technology evangelist with over 20 years of success in achieving strategic business objectives and transforming technologies in higher education. He has extensive experience in developing technology strategies and industry best practices. He holds a doctorate in organizational leadership and boasts a unique mix of industry and academic experiences.