To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). By existing law and regulation, the Federal Trade Commission (FTC) is the Safeguards Rule enforcement agency.
FTC regulations under 16 CFR Part 314, published in May 2002, mandate extensive new privacy protections for consumers stemming from the Gramm-Leach-Bliley Act. The GLBA requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The compliance deadline for the safeguards rule was May 23, 2003.
The GLBA broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLBA purposes.
The GLBA spells out several specific requirements regarding the privacy of customer financial information. Following its passage, NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of the FTC because they did not fit the typical definition of a financial institution under the GLBA. As a result, under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the act related to the administrative, technical, and physical safeguarding of customer information.
In the Office of Management and Budget Compliance Supplement released in July of 2019, a new audit objective designed to assess institutional compliance with the Safeguards Rule was announced. In February of 2020 the Department of Education (ED) released additional guidance for schools explaining the Department’s procedures for enforcing the requirements and the potential consequences for institutions or servicers that fail to comply.
Colleges and universities that administer student financial aid associated with Title IV programs have had to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) since May 2003. That regulation was updated December 9, 2021, with some new requirements effective June 9, 2023.
The updates provide additional details and enhancements to the data security requirements to reflect the cyber threats, risks, and challenges in helping to secure student financial aid data.
The original six security control requirements of the Safeguards Rule have been expanded to nine. Some of the original six have been reworded to provide further clarity. These requirements, essential to a formalized and written information security program, are:
Colleges and universities must have an information security program in place that incorporates these requirements by June 9, 2023.
Not every institution has the same risk profile, size and complexity of IT, and resources to work toward compliance. The GLBA takes this into account and gives some leeway to smaller institutions with fewer than 5,000 students. For those smaller institutions with fewer than 5,000 students, only the first seven requirements apply.
Colleges and universities can consider these actions for meeting each requirement by the deadline.
A qualified individual should be one who has the skill and experience to help oversee the institution’s efforts to protect sensitive data like student financial aid data. This person doesn’t need to be in executive management—or even an employee.
This person could be a service provider (TEKRiSQ can be an administrator), a virtual chief information security officer (CISO) or consultant, tasked with keeping data secure. Choose someone with experience commensurate with the size and complexity of the institution’s operating environment. Oversight of a large university system with multiple campuses will have challenges very different from an institution with a single location.
Conducting a risk assessment entails identifying where all student financial aid information is handled, processed, stored, and transmitted, and understanding the threats, vulnerabilities, and risks that could impact the security of that information.
Define the ways student financial aid data is acquired, including the applications and systems that are used, and follow its lifecycle to its ultimate storage location or disposal. After identifying the data lifecycle flow, identify potential threats and vulnerabilities along the way. These threats could be an external hacker, a disgruntled employee, or an untrained employee in the financial aid office.
Vulnerabilities could be an insecure file transfer system, lax application controls, or nonexistent encryption on databases. Once threats and vulnerabilities are identified, the risks should be identified and ranked. Risks could include loss or inadvertent exposure of student financial aid data, or reputational damage because of a data breach.
Rating risks as critical, high, medium, or low should help identify appropriate and necessary controls.
Safeguards based on the risk assessment should be designed and implemented.
Technical safeguards may include:
Administrative safeguards may include policies that mandate certain security controls and describe sanctions for noncompliance.
To help make certain that safeguards are operating at an optimal level for securing student financial aid data, regularly monitor and test their effectiveness. For example, penetration testing could be performed against the network firewall to ascertain that malicious traffic is blocked.
Quarterly email phishing tests could be performed to test employee susceptibility.
Audit log alerts could be set on specific systems to notify the appropriate teams about potentially nefarious activity.
Protect student financial aid data by requiring security awareness training across the workforce—faculty, staff, student workers, vendors, and contractors. Your workforce will be the first line of defense against attempts by cybercriminals to circumvent technical controls like the firewall or antimalware software.
Security awareness training will help to keep your workforce alert to potential risks such as phishing emails, phone-based impersonation attacks, and bad actors following authorized people into sensitive areas.
Training the workforce to recognize social engineering attacks will help reduce the risk of ransomware, data theft, or unauthorized access to systems and data.
Many institutions use the specialization and expertise third-party service providers offer when they lack the skills in-house. Many IT departments don’t have staff dedicated to supporting a particular system or application.
Third-party support has a lot of benefits, but there are risks, such as a lack of data security safeguards within the service provider’s own environment. Monitor third-party service providers that handle student financial aid data or sensitive data on the institution’s behalf. Their cybersecurity posture should be aligned with yours, and the obligation and responsibility to ensure the safety of student financial aid data flows down to the service provider.
Reviewing external audit reports of the service provider’s internal control structure, such as a System and Organization Controls (SOC) 2® Type 2 audit performed at least annually, is one of several ways to do this.
An information security program must be reviewed regularly. Keep it updated to reflect newly introduced threats and risks to student financial aid data from new system implementation, new facilities, changes in business operations, and changes in cybersecurity.
Review the facets of the information security program at least annually to determine if any policies, procedures, or technologies need changes or updates. The designated qualified individual overseeing the program should start the reviews. That person may involve others within the institution’s information technology, legal, human resources, and executive management teams.
An incident response plan (IRP) is like accident insurance. You hope you never have to use it, but it’s nice to have when needed.
For institutions hit with a successful cyber or ransomware attack, a well-documented, well-rehearsed IRP could mean the difference between a few minutes of inconvenience and several days or weeks to recover. An IRP details the protocols to follow in a cybersecurity incident. It’s the playbook for addressing the incident and minimizing the damage or unexpected downtime of a critical system.
In the aftermath of a security incident when the situation could get chaotic, the IRP can offer guidance for minimizing adverse impacts and returning to normal operations. The IRP should be a living document reviewed and modified as conditions change.
The designated qualified individual should report at least annually to the institution’s board of directors or trustees. If such a group isn’t available, that person should give a senior management representative an assessment of the institution’s information security program.
Assessment topics should include:
Regular reports can also include, among other things:
While meeting the Safeguards Rule requirements may seem daunting, the most important step is starting the process of documenting what the information security program should look like at your institution.
The deadline of June 9, 2023, is approaching. Institutions that aren’t compliant with the Safeguards Rule may be required by the Department of Education to develop or revise their information security programs and submit a corrective action plan (CAP) that describes the steps to be taken by the institution to achieve compliance by a specific date.
Continued failure to comply may result in a ban on participation in the Title IV programs, a disabling of access to the Department of Education’s information systems, or a fine of $100,000.
In April 2016, the European Union adopted a new set of data protection regulations that expands the personal privacy rights of EU citizens. The effective date of these new regulations was May 25, 2018. These regulations apply even to entities with no physical EU presence as long as they control or process covered personal information of EU residents. Colleges and universities with EU-resident students or faculty should be taking steps to ensure compliance with these new regulations.