Colleges and universities are responsible for sensitive personal and financial student information. Keeping this information safe is a vital and required responsibility for all higher learning institutions. To address privacy concerns, colleges and universities must stay in compliance with certain regulations and legal guidelines.
The Gramm-Leach-Bliley Act addresses a variety of consumer financial privacy concerns, including those related to the transfer and safety of personal and financial information of college students. Higher education institutions must follow the regulations outlined by this act or risk facing serious consequences. To avoid non-compliance fines and other punishments, it’s important not to leave the quality of your cybersecurity to chance. Instead of waiting for an audit to learn you’re not taking the proper measures, learn the details of the Gramm-Leach-Bliley Act and what you should be doing to remain compliant.
What Is the Gramm-Leach-Bliley Act?
Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information sharing practices and to safeguard sensitive information. When provided with this important information, customers are given a chance to opt out of having their financial information shared with other organizations.
Also called the Financial Services Modernization Act of 1999, the GLBA was designed to allow mergers between certain financial institutions with federal supervision. This law repealed large parts of the Glass-Steagall Act of 1933, allowing commercial and investment institutions to merge. The purpose of the GLBA was to allow consumers to take advantage of the benefits of financial mergers while maintaining the integrity and security of banking and financial systems.
Since the new mergers allowed banks to combine with other connected industries like insurance, financial holding companies (FHC) were created. An FHC is a bank holding company that offers non-banking financial services like insurance underwriting and investment advisory services. While GLBA allowed these mergers to occur, it also created rules to limit the size of FHCs and ensure the security and safe transfer of the large amounts of sensitive customer information involved. The GLBA appointed the Federal Reserve to oversee these regulations.
Why Does the Gramm-Leach-Bliley Act Affect Colleges?
Colleges and universities aren’t financial institutions, but they perform similar actions that fall under the same requirements. Title IV institutions are schools where students are eligible for federal financial aid. These schools fall under the umbrella of GLBA. Because colleges and universities participate in financial activities like administering federal student loans, they are required to follow GLBA requirements. Higher education institutions are required to collect a vast amount of personal, financial, and health information about current students. Keeping track of how this information is collected and safely stored is essential. The GLBA mandates how colleges and universities keep private information secure.
The FTC oversees compliance for financial institutions with the Standards for Safeguarding Customer Information instituted in 2002. These safeguard rules are designed to:
- Ensure the safety and confidentiality of customer information
- Protect against potential threats to the security or integrity of customer data
- Protect against unauthorized access or use of customer data
All colleges and universities were required to be in compliance with these regulations by May 2003, one year after the safeguard standards were enacted. While GLBA requires the same standards as many modern information security programs, certain requirements must be followed or colleges and universities face the consequences of non-compliance.
GLBA Compliance Requirements for Colleges and Universities
The Safeguards Rule requires higher education institutions to create and maintain an information security plan that follows certain parameters to adequately protect customer information. GLBA Safeguards Rule requirements for colleges and universities include:
- Colleges and universities must develop a written plan that describes their program to protect customer information. The plan must be suitable for the institution’s size and complexity, and sufficient for the nature of the activities and sensitivity of the information involved.
- One or more employees will be designated to and will be responsible for coordinating the safety program.
- The written plan must include a method to identify and assess current risks to customer information in each relevant area of the informational system and evaluate the effectiveness of the way these risks are currently controlled.
- Safeguards for potential risks must be set in place and routinely tested and monitored.
- Service providers must be qualified to maintain appropriate safeguards. The contract should include requirements to maintain safeguards and oversee the handling of sensitive customer information.
- The plan should be evaluated and adjusted when relevant situations arise, like changes in business operations or results of security testing.
These regulations are designed to provide the flexibility colleges and universities need to create security programs based on the institution’s unique size, scope, and context. For any information security plan to work effectively, all employees should be aware of the policy and how it works. Frequent reminders and posted notifications will help employees recall the requirements and understand the legal ramifications of failure to comply.
The Risks of Non-Compliance with GLBA Requirements
The ability to keep sensitive information secure is essential. As colleges and universities become targets of hackers and ransomware and experience the consequences of major computer system breaches, the U.S. Department of Education (ED) has emphasized the importance of colleges and universities taking appropriate measures to protect sensitive data. In July 2015, and again in July 2016, the ED reminded higher education institutions of GLBA requirements and those mandated by the SAIG Enrollment Agreement. Among other things, the SAIG agreement highlights that all users must be aware of and comply with data protection and security requirements. This reminds higher education institutions to not only create an information security plan, but also to supply education, training, and access management to all users who handle institutional data.
Failing to maintain compliance with FTC regulations can lead to serious consequences. Each year, the Office of Management and Budget (OMB) issues the single audit compliance supplement which acts as a guidebook to prepare organizations for a single audit. While colleges and universities have been required to follow GLBA requirements since 2003, the compliance supplement requires yearly independent audits to ensure compliance.
Under the instructions of the OMB’s 2019 Compliance Supplement, and a letter issued by the ED on October 30, 2019, higher education institutions are required to perform an independent audit with the following mandatory procedures:
- Verify that an employee has been designated to coordinate the information security program
- Verify that a risk assessment has been performed that addresses the three requirements noted in the compliance supplement, including (1) employee training and management, (2) information systems (network and software design, information processing, storage, transmission, and disposal), (3) detecting, preventing, and responding to attacks, intrusions, or system failures
- Verify that a safeguard is documented for each risk
The Consequences of Non-Compliance
All institutions participating in Federal Student Aid (FSA) programs must be prepared to demonstrate compliance with the Safeguards Rule. As part of an ongoing effort to protect the sensitive personal and financial information of students and parents, these requirements are a comfort to families and employees. Still, for institutions wading through the red tape and many requirements of maintaining GLBA compliance, the regulations can be stressful.
Colleges and universities who fail to meet the GLBA privacy and security requirements are subject to dangerous computer system breaches that put the information of students and parents at risk. These failures typically result in fines and public reports that make institutions in question far less attractive to incoming students. Perhaps most importantly, colleges and universities that suffer cybersecurity breaches are at risk of restricted or complete loss of Title IV funding, making them ineligible to participate in federally funded financial aid programs.
3 Tips for Higher Education Institutions to Maintain GLBA Compliance
GLBA compliance is required by the FTC and a necessary way to keep sensitive information secure. Still, maintaining compliance each year can be difficult. It is essential for Title IV schools to understand the requirements of GLBA and ensure compliance. Taking certain precautions can make it easier to follow GLBA standards. Use these tips to keep sensitive financial information secure within your institution.
1. Take Special Precautions When Hiring New Employees
Employees who will be responsible for handling sensitive information should be required to follow certain hiring requirements and additional regulations related to routine tasks. Requirements for employees may include:
- Reference checks and background checks for new employees who will be responsible for sensitive information
- Signing an agreement to follow the institution’s confidentiality and security standards
- Limited access to sensitive information based on the extent they need the information to complete a specific job
- Required use of strong passwords that must be changed routinely
- Use of password-required screensavers that lock employee computers during inactivity
- Locking areas where sensitive records are kept
- Not sharing or posting passwords
- Encryption of sensitive information before transmission
- Reporting suspicious attempts to obtain customer information
2. Routinely Remind Employees of Important Information Safety Policies and Disciplinary Actions
Since colleges and universities are encouraged to create information safety programs that fit the unique needs of their institution, policies can be unique. The policies you create should be shared with employees and posted where they can be easily accessed. Policies that should be developed and communicated to employees may include:
- Policies for employees who telecommute and use mobile devices for work
- Specific disciplinary measures for all policies
- Policies to maintain a consistent and careful inventory of computers and other equipment that store sensitive information
- Specific policies that prevent terminated employees from accessing sensitive information
- Policies for safe transmission of sensitive information
- Policies for safe and complete disposal of sensitive information
- Policies that outline the requirements of third-party vendors that you share information with
3. Maintain a Strong Working Relationship With Your Software Developers
When you create a customized information security plan, you likely invest in up-to-date software to help your employees carry out the related policies and regulations correctly. This means your security plan is only as effective as the cybersecurity company you work with. Maintaining GLBA compliance means having certain policies in place to remain current with exactly what your software developers do for you. Here are a few ways you can determine the value of your cybersecurity company.
- Monitor the websites of your software vendors for recent information about emerging threats
- Check with vendors for patches that reveal vulnerabilities
- Use antivirus and spyware programs that update automatically and maintain up-to-date firewalls
- Choose a cybersecurity company that is available for collaboration and communication so your immediate concerns will always be addressed in a timely manner
- Choose a cybersecurity company with experience protecting colleges and universities
- Promptly share information supplied by your software company about new threats and procedures to relevant employees.
The Gramm-Leach-Bliley Act exists to provide the necessary protection of sensitive personal and financial information of consumers who entrust any business with that information. As technology evolves, so do threats that endanger the safety of any information that must be stored or transmitted electronically. That’s why it’s essential for higher learning institutions to evolve along with these threats and stop them before students and parents become victims of related breaches or other cybersecurity attacks.
Creating a customized information plan to maintain GLBA compliance is a massive undertaking. It’s essential that you have an adequate plan in writing, the ability to train employees to follow this plan, and an audit system to ensure the plan works. Furthermore, you must update your information security plan as needed to ensure it remains effective over continually growing threats. While this is considered business as usual for colleges and universities, it’s not an easy task.
BitLyft Cybersecurity is an experienced cybersecurity organization with extensive experience working with the intense demands of colleges and universities. It’s our goal to provide higher learning institutions with customized, stress-free cybersecurity solutions that will always meet your growing needs. If your current security system doesn’t give you the peace of mind you need, get in touch with our experienced team to learn about how we can provide you with a customized plan that will make every GLBA audit a breeze.