The Gramm-Leach Bliley Act (GLBA) enacted in 1999 is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information-sharing practices and to safeguard sensitive information. While GLBA has been around for years, it has impacted colleges and universities more recently within the last four years. GLBA applies to higher education institutions specifically to the collection, storage and use of student financial records containing personally identifiable information. In the Office of Management and Budget (OMB) Compliance Supplement released in July 2019, a new audit objective designed to assess institutional compliance with the Safeguards Rule was announced.
In December 2021, the FTC revised its Safeguards Rule. Many of the provisions went into effect 30 days later, and other requirements were effective Dec. 9, 2022. The FTC provided a six-month extension through June 9, 2023. At a virtual Federal Student Aid conference in December 2022, the Department of Education Office of Inspector General informed institutions about the changes to the Safeguards Rule and that these changes may be included in the upcoming OMB Compliance Supplement and required to be assessed for compliance in the single audit/federal awards program audit.
While some of the Safeguards Rule updates revise and refine prior rules, others are new requirements that will require institutions to take steps to be compliant. The changes include:
Old rule
- Institutions must designate the employee(s) responsible for coordinating the information security program.
New rule
- Designate a qualified individual to oversee, implement and enforce the information security program. The qualified individual may be an employee, affiliate or service provider.
- To the extent that the requirement is met using a service provider or affiliate, institutions shall retain responsibility for compliance, designate a senior member of personnel responsible for direction and oversight of
