GLBA Compliance for Higher Education in 2020: Rules and Requirements You Need to Know

In 1999, Congress passed the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999. This act applied new privacy rules to financial institutions, designed to ensure the safety of customers' private information.

Primarily, the act applies to banks, credit unions, lenders, etc. However, it also applies to any organization that regularly handles financial information. Given that most students need loans to afford school, the GLBA also applies to higher education.

In 2020, GLBA compliance is more important than ever.

What is the GLBA?

The Gramm-Leach-Bliley Act requires financial institutions to have specific security measures in place and to document how they protect financial information and with whom they share it. Customers have the right to opt out of having any data shared with third parties. Institutions must also have a written security plan. Compliance with the GLBA benefits institutions and their customers, helping institutions secure financial information and avoid potentially costly data breaches.

Non-compliance can also cause institutions to face fines of $100,000 per violation, and specific individuals responsible can be imprisoned for up to 5 years. The GLBA contains two key elements: the GLBA privacy rule and the GLBA safeguards rule.

What is the GLBA Privacy Rule?

The GLBA privacy rule is one of the two core requirements institutions must follow. It requires institutions to provide each customer with a privacy notice at the time the relationship is established and annually thereafter. This notice must state what information the institution collects, how it is shared and used, how it is protected, and how customers can opt out of having their information shared with other parties.

Essentially this means that a privacy notice must be sent to all new students at the time they apply for financial aid and every year until graduation (at which point it becomes the responsibility of the lender). The privacy notice should be clearly readable and should be reviewed with the institution’s legal authority.

What is the GLBA Safeguards Rule?

The second core requirement is the safeguards rule. The safeguards rule requires multiple elements. The first is that the institution must have a written information security plan. Additionally, the institution must do a risk assessment on each department that handles private information, and develop and test controls to address any deficiencies found in the risk assessment. The plan must be updated if there are any changes. For most institutions, acquiring a program from a third-party vendor is the best course of action.

Why is GLBA Compliance So Important?

The increasing importance of GLBA compliance stems primarily from the sheer amount of money handled by a modern university. There are other reasons, though. Data breaches and cybersecurity incidents cannot be swept under the rug in today's landscape of transparency and rapid communication.

The final reason is that institutions are going to be facing audits. The Office of Management and Budget issued audit requirements related to GLBA in July 2019. These guidelines apply to non-federal entities that expend $750,000 or more in federal funds (such as federal student loans and Pell grants) in a year. Smaller community colleges may not be affected, but larger institutions can easily hit this limit and come under the audit. While institutions are already required to follow the GLBA safeguards rule to get Title IV funding, the audit may come as a shock to many, and the findings may be made public. This might affect the willingness of students and families to consider your university.

Even if the requirements don't apply to you, they make a good set of guidelines to ensure cybersecurity for your students and their families, and thus avoid a data breach that could be embarrassing, put your students at risk, and affect future enrollment.

Best Practices for Institutes of Higher Education

You need to follow best practices, which include:

  • Designate a person to coordinate the program.
  • Identify and assess risk in every relevant area of operation.
  • Design and implement a safeguards program, monitoring it regularly.
  • Carefully select service providers that maintain appropriate safeguards, and make sure those safeguards are required in the contract.
  • Keep evaluating and adjusting the program to keep up with changes in operations or results of security testing.
  • Train employees in the correct way to handle personal information.
  • Train employees in cyber hygiene in general (the best IT security can be foiled if a careless employee logs on through insecure hotel Wi-Fi during a business trip or clicks on a link in a phishing email).
  • Employ appropriate encryption, especially if information is being stored in the cloud.

As many institutions do not have in-house cybersecurity expertise, seeking out expert GLBA compliance services for higher education is often the answer.

GLBA Compliance Requirements and the Upcoming Audit

The compliance requirements for GLBA include:

  • Designating an individual to coordinate the InfoSec program. This individual is ultimately responsible for ensuring that best practices are followed, and would generally report to the CIO.
  • A risk assessment that addresses three required areas: employee training and management, information systems, and intrusion monitoring. This all falls under cybersecurity and means that it is vital to use the right software, train employees correctly, and have constant intrusion monitoring systems. For many institutions, it's easiest to outsource intrusion monitoring.
  • Documenting and implementing a safeguard for each identified risk.
  • Having a complete and robust written security program that can easily be read.
  • Vetting service providers and documenting the process.
  • Reviewing the information security program as intended.

The first three of these were included in the planned audits of institutions beginning with the fiscal year ending June 30, 2019, whilst the remaining three may well be added moving forward. With the high penalties for non-compliance, it's vital that all colleges and universities have a proper GLBA compliance program in place. Even if the audit will not be conducted at your institution, meeting these standards will help to prevent a data breach that can affect your reputation and student enrollment, as well as the generosity of your alumni giving.

Because of this, colleges and universities should seek expert help to ensure that they are compliant with the law and providing the highest levels of privacy for their students and their families. If you are looking for assistance in GLBA compliance, contact GreyCastle Security today. We have the experience and expertise you need to ensure that you do not become the next victim of a high-profile data breach.

Not sure how to get started? Click below to watch our webinar, "How to Prepare and Ace Your GLBA Audit." This webinar will explore exactly what the GLBA requirements are, what the auditors are looking for and provide documentation examples to show an organized, deliberate and well-planned response.