The Gramm-Leach Bliley Act (GLBA) enacted in 1999 is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information-sharing practices and to safeguard sensitive information. While GLBA has been around for years, it has impacted colleges and universities more recently within the last four years. GLBA applies to higher education institutions specifically to the collection, storage and use of student financial records containing personally identifiable information. In the Office of Management and Budget (OMB) Compliance Supplement released in July 2019, a new audit objective designed to assess institutional compliance with the Safeguards Rule was announced.
In December 2021, the FTC revised its Safeguards Rule. Many of the provisions went into effect 30 days later, and other requirements were effective Dec. 9, 2022. The FTC provided a six-month extension through June 9, 2023. At a virtual Federal Student Aid conference in December 2022, the Department of Education Office of Inspector General informed institutions about the changes to the Safeguards Rule and that these changes may be included in the upcoming OMB Compliance Supplement and required to be assessed for compliance in the single audit/federal awards program audit.
While some of the Safeguards Rule updates revise and refine prior rules, others are new requirements that will require institutions to take steps to be compliant. The changes include:
Institutions must perform a risk assessment to address three required areas:
Institutions must perform a written risk assessment and update it periodically to reexamine the reasonably foreseeable internal and external risks. Risk assessment should include:
There are exemption rules for small institutions. If you maintain student financial aid information for less than 5,000 students, some of the new rules are not required. Rules italicized above are applicable to the exemption rule.
A full text of Part 314 – Standards for Safeguarding Customer Information can be found on the Code of Federal Regulations website. It is important to note effective date of Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are as of June 9, 2023.
Our specialized higher education team helps your institution prepare for compliance with the new Safeguard Rule. We can also guide institutions with tackling cybersecurity, data and information technology risks.
For more information, or to learn how Baker Tilly can help your institution, contact us.