Update on GLBA for Higher Ed

The Gramm-Leach-Bliley Act (GLBA) is a federal ruling that applies to all entities that collect consumer financial data, including institutions of higher education. The law applies to how organizations collect, store, and use student financial records that contain personally identifiable information (PII).

Higher education institutions have been required to comply with the provisions of the GLBA since 2003, but the Department of Education (ED) didn’t include any compliance requirements related to the GLBA until 2019. 

Starting in 2019, the Office of Management and Budget’s Compliance Supplement included compliance requirements related to the GLBA and student information security for the Student Financial Aid cluster. As a result, auditors were required to perform procedures to determine if institutions of higher education were compliant with the new requirements.

In 2021, additional regulations were issued that significantly modified the requirements that institutions must meet under GLBA. In response, the 2023 Compliance Supplement included additional Student Financial Aid compliance requirements related to GLBA.

As part of the new compliance requirements, institutions must now develop, implement, and maintain a comprehensive information security program. The regulations require the written information security program to include up to nine elements.

At a minimum, an institution’s written information security program does the following:

  • Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance.
  • Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customers that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 
  • Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the program must address are as follows:
    • Implement and periodically review access controls. 
    • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 
    • Encrypt customer information on the institution’s system and when it’s in transit.
    • Assess apps developed by the institution.
    • Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 
    • Dispose of customer information securely. 
    • Anticipate and evaluate changes to the information system or network. 
    • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
  • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program.
  • Addresses how the institution will oversee its information system service providers. 
  • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. 
  • For an institution maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan.
  • For an institution maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program.

Per the electronic announcement posted by the ED on February 9, 2023, any GLBA findings identified through a compliance audit will be resolved by the ED during the evaluation of the institution’s information security safeguards as part of the ED’s final determination of an institution’s administrative capability. GLBA-related findings will have the same effect on an institution’s participation in Title IV programs as any other determination of noncompliance. In cases where no data breaches have occurred and the institution’s security systems have not been compromised, if the ED determines that an institution is not in compliance with all of the requirements, the institution will need to develop and/or revise its information security program and provide the ED with a Corrective Action Plan with timeframes for coming into compliance. Repeated noncompliance by an institution may result in an administrative action taken by the ED, which could impact the institution’s participation in Title IV programs.

If you’d like further information on how to comply with the GLBA, please refer to page 5-3-77 of the May 2023 Compliance Supplement

About Schneider Downs Higher Education Services 

The Schneider Downs Higher Education industry group is a dedicated team of experienced professionals specializing in serving institutions from high schools to universities. Our experience in audit and assurance, tax advisory, technology and data and more allow our professionals to stay ahead of the latest trends, developments and challenges within the education sector and provide timely and practical solutions to our clients.  

To learn more, visit our Higher Education Industry Group page.  

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Get the Low Down Before You Download: Exploring the Temu App’s Security Risks
Understanding SOC Report Opinions
SOC 2 - What is ACTUALLY required?
Update on GLBA for Higher Ed
A First of Its Kind: The $25 Million Deepfake Scam
Postcard from the 2023 ISACA Pittsburgh Information Security Awareness Day
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.