The Gramm Leach Bliley Act: A Guide for Higher Education

Colleges and universities have many concerns to manage. From overseeing student safety and satisfaction to protecting copious amounts of data, the last thing many want to consider are pages of compliance requirements. And at 30+ pages, the Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, is no exception. Its contents are complex, extensive, and at times, a little confusing. Add in the ominous threats of monetary fines, criminal prosecution and prison time for non-compliance and you’ve created a scenario that breeds a bit of anxiety.

Fortunately, with a little unpacking of terms, guidelines and general requirements this complex topic is easily reduced into something more palatable.

So let’s dive in, shall we?

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA), which is overseen by the Federal Trade Commission (FTC), requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.¹

Claiming amnesty from this designation seems appropriate after reading the word “financial institution”. However, colleges and universities are still regulated by the GLBA because they deal with federal student loans. So instead of trying to fight the facts, it’s best to just dive right in.

What does the Gramm-Leach-Bliley Act mean for the higher education industry?

To help digest the message of the GLBA, it is helpful to review the contents of its three primary rules.²

1. The GLBA Privacy Rule. This rule regulates the collection and disclosure of private financial information.
2. The GLBA Safeguards Rule. This rule stipulates that financial institutions must implement security programs to protect such information.
3. The GLBA Pretexting Provisions Rule. This rule prohibits the practice of pretexting (accessing private information using false pretenses).

Colleges and universities can narrow their focus even further since they are primarily responsible for complying with the Safeguards Rule which, as stated in Section 501(b) requires organizations to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.³

This is where most universities begin to ask questions. Questions like, “how do we ensure that our cybersecurity program adheres to the requirements outlined in the GLBA?” And, “how do we know if we are missing any protocols that would subject the institution to penalization?” To help make this determination, it is helpful to review the following checklist from the FTC. 

GLBA compliance checklist: 5 requirements for a cybersecurity strategy

In addition to the general statement of just needing a written security plan, The Safeguards Rule further outlines five points that must be encompassed within the document:⁴

1. The plan must designate one or more employees to coordinate its information security program;
2. The plan must identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
3. The plan must design and implement a safeguards program, and regularly monitor and test it;
4. The plan must select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
5. The plan must evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

How BitLyft Cybersecurity helps colleges and universities achieve GLBA compliance

In our experience, many organizations quickly realize they lack the time, talent and resources needed to effectively implement a strategy to meet compliance. That is where BitLyft comes in. Our security operations team is skilled in the monitoring, detection and neutralization of hidden and visible threats and can help provide the data needed to achieve GLBA compliance. Our cybersecurity experts help institutions meet these guidelines by:

• Collecting log messages that impact security and monitoring responsibilities and alert on violations.
• Collecting and correlating all log data to allow security administrators to identify monitor activity and be alerted to specific conditions.
• Collecting all access right administration activity for monitoring, reporting, and alerting.
• Alerting or reporting on all activity performed by privileged or sensitive user accounts.
• Collecting logs from network infrastructure and security devices and providing real-time monitoring, alerting, and forensic analysis.
• Collecting logs from hosts, and applications running on hosts, to provide real-time monitoring, alerting, and forensic analysis.

We understand the challenges of the compliance landscape and don’t want you to take it on alone. To learn even more about the Gramm-Leach-Bliley Act and how our team can help your organization maintain compliance, download our whitepaper.

1 Federal Trade Commission, “Gramm-Leach-Bliley Act,” web.

2 Tech Target, “Gramm-Leach-Bliley Act (GLBA),” web.

3 Federal Register, “Standards for Safeguarding Customer Information,” web.

4 Federal Trade Commission, “Financial Institutions and Customer Information: Complying with the Safeguards Rule,” web.