Most higher education leaders share a common understanding that the system as a whole is heavily regulated. Meeting legal requirements related to athletics, diversity, safety and more is simply expected. Yet there’s one area in which many institutions could stand to improve: information security.
There are numerous examples of costly breaches that schools have experienced over the years. In fact, cybersecurity in higher education is becoming increasingly important as more attackers target these institutions. Just one breach could expose sensitive data, but institutions can better protect themselves and their students by adhering to the Gramm-Leach-Bliley Act (GLBA).
While the GLBA – which requires financial institutions to explain how they share and protect nonpublic personal information – is geared toward financial services organizations, it also applies to colleges and universities. The FTC treats institutions that participate in federal student aid programs as financial institutions because they make, collect or service student loans, and schools also agree to comply with the GLBA in their Program Participation Agreement with the Department of Education. Compliance has become even more important in recent years, so it’s wise to familiarize yourself with this law and how to comply.
Why GLBA compliance matters for colleges and universities
It’s no secret that higher education is plagued by cyberattacks. One of the most recent incidents occurred in April 2021 when data files were stolen from multiple schools due to a software security flaw.
But issues such as these have been taking place for years, particularly in the last decade. Recurring breaches in the 2010s are likely what prompted the U.S. Department of Education to send an initial letter in 2015 as well as a follow-up letter in 2016 reminding colleges and universities about the legal obligation to comply with the GLBA. Rather than scolding any institutions for wrongdoing, these letters were presented as resources to support schools’ efforts to bolster their cybersecurity protections.
Another important shift took place a few years later. Compliance had initially been left to institutions to self-assess, but beginning with fiscal year 2019 audits the Department of Education added GLBA safeguards to the annual federal compliance audit that institutions receiving federal student aid must undergo, so auditors now check for the required program elements and report any gap as a finding. Higher education institutions have been submitting GLBA-related information to the Department of Education as part of these audits since 2019.
As part of the evaluation procedure, auditors must:
- Ensure the school has a designated person to coordinate the information security program
- Confirm the institution has performed a risk assessment that addresses employee training and management, information systems, and protocols for attack detection, prevention and response
- Validate that the school has a documented safeguard for each risk identified in that assessment
Satisfying the GLBA audit standards isn’t just beneficial for protecting students and your institution as a whole. It’s also a legal requirement, and there are penalties for non-compliance (more on this in a later section).
GLBA compliance requirements for higher education institutions
The audit process provides a glimpse into what colleges and universities must do to comply with the GLBA, but it’s important to have a clearer understanding of the requirements. These are outlined in the Federal Trade Commission’s (FTC) explanation of the Safeguards Rule. Note that the FTC amended the Safeguards Rule in 2021 with more specific requirements, so confirm your program against the current rule text rather than this summary alone.
For starters, institutions are required to develop a written information security plan that describes the program they have in place to protect student information. These documents may vary from one school to another, but they must include the following elements:
- A designated employee (or employees) who coordinates the information security program
- A means of identifying and assessing risks to student information in each relevant area of operation, as well as a method for evaluating the safeguards that are currently in place
- An implemented safeguards program that’s regularly monitored and tested
- Service providers that are selected for their ability to maintain appropriate safeguards, are contractually required to do so, and receive oversight in how they handle sensitive information
- A process for evaluating and adjusting the information security program to account for relevant changes
While GLBA compliance requirements are intentionally flexible to meet the needs of different institutions, the FTC provides further guidance on what should be included in an effective information security plan. Recommendations focus heavily on employee training and management. Some suggested practices include:
- Conducting background checks prior to hiring employees
- Limiting who has access to sensitive information
- Training employees to maintain the security, confidentiality and integrity of sensitive information
- Implementing disciplinary action for violations
Consequences for schools that do not comply with the GLBA
If the annual audit finds a school non-compliant, the finding is referred to Federal Student Aid, whose Postsecondary Institution Cybersecurity Team can disable the institution’s access to Department of Education information systems. Serious or repeat cases may be subject to fines or other administrative actions.
The GLBA also carries criminal penalties under section 523, but these apply to the law’s pretexting provisions (obtaining a customer’s financial information under false pretenses) rather than to safeguards failures, which the FTC enforces civilly. An individual who knowingly violates those provisions faces fines under Title 18 and up to five years of prison time – or 10 years for aggravated cases. Violations are clearly taken very seriously.
But arguably the most detrimental outcome associated with GLBA noncompliance is a security breach. If this happens, important student data could be leaked or stolen by an attacker. Institutions that don’t take the appropriate measures to protect students’ financial information could end up facing demands for a hefty ransom to regain access to encrypted systems or to keep stolen records from being published. Paying offers no guarantee: the attacker may not supply a working decryption key, and there is no way to verify that stolen copies have actually been deleted. A breach is also incredibly damaging to the university’s reputation. From a prospective student’s point of view, why entrust such an institution with your personal information?
Prioritize information security at your institution
It’s apparent that GLBA compliance needs to be top of mind for colleges and universities. Exposing students’ personal information doesn’t just risk an institution’s reputation; it can also lead to expensive ransoms and halt day-to-day operations.
Keep in mind that the GLBA, while important, covers only the security of student financial information. Information technology (IT) departments have many other priorities, such as upgrading systems, integrating software and implementing innovative student-facing tools. This can be a lot for a college IT team to manage, but seeking external support is an option.