glba for higher education

The Gramm Leach Bliley Act: A Guide for Higher Education

Colleges and universities have many concerns to manage. From overseeing student safety and satisfaction to protecting copious amounts of data, the last thing many want to consider are pages of compliance requirements. And at 30+ pages, the Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, is no exception. Its contents are complex, extensive, and at times, a little confusing. Add in the ominous threats of monetary fines, criminal prosecution and prison time for non-compliance and you’ve created a scenario that breeds a bit of anxiety.

Fortunately, with a little unpacking of terms, guidelines and general requirements this complex topic is easily reduced into something more palatable.

So let’s dive in, shall we?

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA), which is overseen by the Federal Trade Commission (FTC), requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.1

Claiming amnesty from this designation seems appropriate after reading the word “financial institution”. However, colleges and universities are still regulated by the GLBA because they deal with federal student loans. So instead of trying to fight the facts, it’s best to just dive right in.

What does the Gramm-Leach-Bliley Act mean for the higher education industry?

To help digest the message of the GLBA, it is helpful to review the contents of its three primary rules.2

  1. The GLBA Privacy Rule. This rule regulates the collection and disclosure of private financial information.
  2. The GLBA Safeguards Rule. This rule stipulates that financial institutions must implement security programs to protect such information.
  3. The GLBA Pretexting Provisions Rule. This rule prohibits the practice of pretexting (accessing private information using false pretenses).

Colleges and universities can narrow their focus even further since they are primarily responsible for complying with the Safeguards Rule which, as stated in Section 501(b) requires organizations to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.3

This is where most universities begin to ask questions. Questions like, “how do we ensure that our cybersecurity program adheres to the requirements outlined in the GLBA?” And, “how do we know if we are missing any protocols that would subject the institution to penalization?” To help make this determination, it is helpful to review the following checklist from the FTC. 

GLBA compliance checklist: 5 requirements for a cybersecurity strategy

In addition to the general statement of just needing a written security plan, The Safeguards Rule further outlines five points that must be encompassed within the document:4

  1. The plan must designate one or more employees to coordinate its information security program;
  2. The plan must identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  3. The plan must design and implement a safeguards program, and regularly monitor and test it;
  4. The plan must select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  5. The plan must evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

How BitLyft Cybersecurity helps colleges and universities achieve GLBA compliance

In our experience, many organizations quickly realize they lack the time, talent and resources needed to effectively implement a strategy to meet compliance. That is where BitLyft comes in. Our security operations team is skilled in the monitoring, detection and neutralization of hidden and visible threats and can help provide the data needed to achieve GLBA compliance. Our cybersecurity experts help institutions meet these guidelines by:

  • Collecting log messages that impact security and monitoring responsibilities and alert on violations.
  • Collecting and correlating all log data to allow security administrators to identify monitor activity and be alerted to specific conditions.
  • Collecting all access right administration activity for monitoring, reporting, and alerting.
  • Alerting or reporting on all activity performed by privileged or sensitive user accounts.
  • Collecting logs from network infrastructure and security devices and providing real-time monitoring, alerting, and forensic analysis.
  • Collecting logs from hosts, and applications running on hosts, to provide real-time monitoring, alerting, and forensic analysis.

We understand the challenges of the compliance landscape and don’t want you to take it on alone. To learn even more about the Gramm-Leach-Bliley Act and how our team can help your organization maintain compliance, download our whitepaper.

BitLyft AIR® Overview


New call-to-action

1 Federal Trade Commission, “Gramm-Leach-Bliley Act,” web.

2 Tech Target, “Gramm-Leach-Bliley Act (GLBA),” web.

3 Federal Register, “Standards for Safeguarding Customer Information,” web.

4 Federal Trade Commission, “Financial Institutions and Customer Information: Complying with the Safeguards Rule,” web.

Emily Miller

Emily Miller, BitLyft's dynamic Content Marketing Manager, brings a vibrant blend of creativity and clarity to the cybersecurity industry. Joining BitLyft over a year ago, Emily quickly became a key team member, using her Advertising and Public Relations degree from the University of Tampa and over 10 years of experience in graphic design, content management, writing, and digital marketing to make cybersecurity content accessible and engaging. Outside of BitLyft, Emily expresses her creativity through photography, painting, music, and reading. Currently, she's nurturing a cutting flower garden, reflecting her belief that both her work and gardening require patience, care, and creativity.

More Reading

GLBA Compliance
GLBA Compliance for Higher Ed: Unpacking the Gramm Leach Bliley Act 
Colleges and universities are responsible for sensitive personal and financial student information. Keeping this information safe is a vital and required responsibility for all higher learning...
glba requirements for higher education
Higher Education Requirements for GLBA: How to prepare for an audit
Since 1999, the Gramm Leach Bliley Act (GLBA) has existed to hold financial institutions responsible for the protection of customer's private information. Since Title IV schools receive federal...
University Campus
The State of Higher Education Cybersecurity: Top Insights and Trends
Higher education is a major target for cyberattacks. The education and research sectors were the top targets for cyberattackers in 2021, with an average of 1,605 attacks per organization per week, a...