In 1999, Congress passed the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999. This act applied new privacy rules to financial institutions, designed to ensure the safety of customers' private information.
Primarily, the act applies to banks, credit unions, lenders and similar financial institutions. However, it also applies to any organization that regularly handles financial information. Since most students need loans to afford school, the GLBA also applies to higher education.
In 2020, GLBA compliance is more important than ever.
The Gramm-Leach-Bliley Act requires financial institutions to have specific security measures in place and to document how they protect financial information and with whom they share it. Customers have the right to opt out of having any data shared with third parties. Institutions must have a written security plan. Compliance with the GLBA benefits institutions and their customers, helping institutions secure financial information and avoid potentially costly data breaches.
Non-compliance can also expose institutions to fines of $100,000 per violation, and the specific individuals responsible can be imprisoned for up to 5 years. The GLBA contains two key elements: the GLBA privacy rule and the GLBA safeguards rule.
The GLBA privacy rule is one of the two core requirements institutions must follow. It requires institutions to provide each customer with a privacy notice at the time the relationship is established and annually thereafter. This notice must include what information they collect, how it is shared and used, how it is protected, and how they can opt out of their information being shared with other parties.
Essentially this means that a privacy notice must be sent to all new students at the time they apply for financial aid and every year until graduation (at which point it becomes the responsibility of the lender). The privacy notice should be clearly readable and should be reviewed with the institution’s legal authority.
The second core requirement is the safeguards rule. The safeguards rule requires multiple elements. The first is that the institution must have a written information security plan. Additionally, the institution must do a risk assessment on each department that handles private information, and develop and test controls to address any deficiencies found in the risk assessment. The plan must be updated if there are any changes. For most institutions, acquiring a program from a third-party vendor is the best course of action.
The increasing importance of GLBA compliance stems primarily from the sheer amount of money handled by a modern university. There are other reasons, though. Data breaches and cybersecurity incidents cannot be swept under the rug in today's landscape of transparency and rapid communication.
The final reason is that institutions are going to be facing audits. The Office of Management and Budget issued audit requirements related to the GLBA in July 2019. These guidelines apply to non-federal entities that expend $750,000 or more in federal funds (such as federal student loans and Pell grants) in a year. Smaller community colleges may not be affected, but larger institutions can easily exceed this threshold and come under the audit. While institutions are already required to follow the GLBA safeguards rule to receive Title IV funding, the audit may come as a shock to many, and the findings may be made public. This could affect the willingness of students and families to consider your university.
Even if the requirements don't apply to you, they make a good set of guidelines to ensure cybersecurity for your students and their families, and thus avoid a data breach that could be embarrassing, put your students at risk, and affect future enrollment.
You need to follow best practices, which include:
As many institutions do not have in-house cybersecurity expertise, seeking out expert GLBA compliance services for higher education is often the answer.
The compliance requirements for GLBA include:
The first three of these were included in the planned audits of institutions starting with the fiscal year ending June 30, 2019, while the second three may well be added going forward. With the high penalties for non-compliance, it is vital that all colleges and universities have a proper GLBA compliance program in place. Even if the audit will not be conducted at your institution, meeting these standards will help prevent a data breach that could damage your reputation, student enrollment, and the generosity of your alumni giving.
Because of this, colleges and universities should seek expert help to ensure that they are compliant with the law and providing the highest levels of privacy for their students and their families. If you are looking for assistance with GLBA compliance, contact GreyCastle Security today. We have the experience and expertise you need to ensure that you do not become the next victim of a high-profile data breach.
Not sure how to get started? Click below to watch our webinar, "How to Prepare and Ace Your GLBA Audit." This webinar explores exactly what the GLBA requirements are and what the auditors are looking for, and provides documentation examples that show an organized, deliberate and well-planned response.