Update on GLBA for Higher Ed

The Gramm-Leach-Bliley Act (GLBA) is a federal law that applies to entities that collect consumer financial information, including institutions of higher education. For colleges and universities, it governs how the institution collects, stores, uses, and protects student financial records that contain personally identifiable information (PII).

Higher education institutions have been required to comply with the provisions of the GLBA since 2003, but the Department of Education (ED) did not include any GLBA-related requirements in the compliance audit until 2019.

Starting in 2019, the Office of Management and Budget’s Compliance Supplement included compliance requirements related to the GLBA and student information security for the Student Financial Aid cluster. As a result, auditors were required to perform procedures to determine if institutions of higher education were compliant with the new requirements.

In 2021, the Federal Trade Commission amended the Safeguards Rule (16 CFR Part 314), significantly modifying the requirements that institutions must meet under GLBA. In response, the 2023 Compliance Supplement added Student Financial Aid compliance requirements related to GLBA.

As part of the new compliance requirements, institutions must now develop, implement, and maintain a comprehensive written information security program. The regulations require that program to include nine elements, the last two of which apply only to institutions that maintain information on 5,000 or more consumers.

At a minimum, an institution’s written information security program must do the following:

  • Designates a Qualified Individual responsible for overseeing, implementing, and enforcing the institution’s information security program.
  • Provides for the information security program to be based on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 
  • Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the program must address are as follows:
    • Implement and periodically review access controls, including technical and physical controls that limit access to customer information to authorized users. 
    • Conduct a periodic inventory of data, systems, and devices, noting where customer information is collected, stored, or transmitted. 
    • Encrypt customer information both at rest on the institution’s systems and in transit over external networks.
    • Adopt secure development practices for applications the institution develops in-house that access, store, or transmit customer information.
    • Implement multi-factor authentication for any individual accessing an information system that holds customer information. 
    • Dispose of customer information securely, and no later than two years after its last use unless retention is required for a legitimate business purpose or by law. 
    • Maintain change management procedures so that changes to the information system or network are anticipated and evaluated before they are made. 
    • Monitor and log the activity of authorized users and detect unauthorized access to, use of, or tampering with customer information.
  • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
  • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program.
  • Addresses how the institution will oversee its information system service providers. 
  • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program. 
  • For an institution maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan.
  • For an institution maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program.

Per the electronic announcement posted by the ED on February 9, 2023, any GLBA findings identified through a compliance audit will be resolved by the ED during its evaluation of the institution’s information security safeguards as part of the ED’s final determination of the institution’s administrative capability. GLBA-related findings have the same effect on an institution’s participation in Title IV programs as any other determination of noncompliance. Where no data breach has occurred and the institution’s systems have not been compromised, an institution that the ED determines is not in compliance with all of the requirements will need to develop or revise its information security program and provide the ED with a Corrective Action Plan that includes timeframes for coming into compliance. Repeated noncompliance may result in administrative action by the ED, which could affect the institution’s participation in Title IV programs.

If you’d like further information on how to comply with the GLBA, please refer to page 5-3-77 of the May 2023 Compliance Supplement.

About Schneider Downs Higher Education Services 

The Schneider Downs Higher Education industry group is a dedicated team of experienced professionals specializing in serving institutions from high schools to universities. Our experience in audit and assurance, tax advisory, technology and data and more allow our professionals to stay ahead of the latest trends, developments and challenges within the education sector and provide timely and practical solutions to our clients.  

To learn more, visit our Higher Education Industry Group page.  

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon only when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
