Gramm-Leach-Bliley Act changes: what higher education institutions need to know

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information-sharing practices and to safeguard sensitive information. While GLBA has been around for years, it has impacted colleges and universities more recently, within the last four years. For higher education institutions, GLBA applies specifically to the collection, storage and use of student financial records containing personally identifiable information. The Office of Management and Budget (OMB) Compliance Supplement released in July 2019 announced a new audit objective designed to assess institutional compliance with the Safeguards Rule.

In December 2021, the FTC revised its Safeguards Rule. Many of the provisions went into effect 30 days later, and other requirements were effective Dec. 9, 2022. The FTC provided a six-month extension through June 9, 2023. At a virtual Federal Student Aid conference in December 2022, the Department of Education Office of Inspector General informed institutions about the changes to the Safeguards Rule and said that these changes may be included in the upcoming OMB Compliance Supplement and may be required to be assessed for compliance in the single audit/federal awards program audit.

While some of the Safeguards Rule updates revise and refine prior rules, others are new requirements that will require institutions to take steps to be compliant. The changes include:

Old rule
  • Institutions must designate the employee(s) responsible for coordinating the information security program.
New rule
  • Designate a qualified individual to oversee, implement and enforce the information security program. The qualified individual may be an employee, affiliate or service provider.
  • To the extent that the requirement is met using a service provider or affiliate, institutions shall retain responsibility for compliance, designate a senior member of personnel responsible for direction and oversight of the qualified individual, and require the service provider or affiliate to maintain an information security program that protects the institution.
Old rule

Institutions must perform a risk assessment to address three required areas:

  1. Employee training and management
  2. Information systems, including network and storage design, as well as information processing, storage, transmission and disposal
  3. Detecting, preventing and responding to attacks, intrusions or other system failures
New rule

Institutions must perform a written risk assessment and update it periodically to reexamine the reasonably foreseeable internal and external risks. The risk assessment should include:

  • Criteria for the evaluation and categorization of identified risks
  • Criteria for the assessment of the confidentiality, integrity and availability of information, including documentation of the adequacy of existing controls
  • Requirements identifying how risks will be mitigated based on the assessment
Old rule
  • Identify safeguards for each risk identified.
New rule
  • Identify safeguards for each risk identified.
  • Safeguards should address user access controls, data inventory, encryption, secure application development, data retention policy, multifactor authentication, secure disposal, change management, and monitoring and logging of user activity.
  • Conduct regular testing and monitoring of the effectiveness of implemented controls, including annual penetration testing and vulnerability scanning.
  • Maintain policies and procedures that address security awareness training and ensure that information security personnel are qualified and trained.
  • Proper oversight and monitoring of service providers, which addresses selection process, contract wording and periodic assessment.
  • Have a written incident response plan.
  • Have the qualified individual prepare and present a written report to the board of directors or equivalent governing body at least annually to address the overall status of compliance with the information security program.

There are exemption rules for small institutions. If you maintain student financial aid information for fewer than 5,000 students, some of the new rules are not required. Rules italicized above are applicable to the exemption rule.

The full text of Part 314 – Standards for Safeguarding Customer Information can be found on the Code of Federal Regulations website. It is important to note that the effective date of Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) is June 9, 2023.

Baker Tilly can help

Our specialized higher education team helps your institution prepare for compliance with the new Safeguards Rule. We can also guide institutions in tackling cybersecurity, data and information technology risks.

For more information, or to learn how Baker Tilly can help your institution, contact us.
