The Gramm-Leach-Bliley Act (GLBA) is a federal law that applies to entities that collect consumer financial data, including institutions of higher education. This law, specifically the Safeguards Rule, applies to how higher education institutions collect, store, and use student financial records containing personally identifiable information (PII). Some examples of student data that need to be protected under the GLBA include information provided on the Free Application for Federal Student Aid (FAFSA), student application information, and student information shared with loan servicers. Higher education institutions have been required to comply with the provisions of the GLBA since 2003; however, there has not been much enforcement by the Department of Education (DOE) related to the GLBA. This is about to change.
The U.S. Office of Management and Budget announced that it plans to add new Special Tests and Provisions to its 2019 Compliance Supplement, with the DOE including the testing requirements in its Audit Guide shortly thereafter. As a result, compliance with the GLBA will most likely be tested as part of your institution’s Single Audit starting in 2019. The DOE has cautioned higher education institutions that data security and student privacy are becoming critical issues. Failure to comply with GLBA provisions may bring penalties that range from monetary fines to the restriction or loss of eligibility for certain federal funding.
So, what does your institution need to do in order to ensure compliance with the GLBA and prepare for upcoming Single Audits? The Safeguards Rule requires institutions to develop, implement, and maintain a written information security program that includes the following components:
In addition to developing a program, institutions must properly train employees, managers, staff, and their vendors on their data security protocols and ensure there is ongoing training and monitoring. The employees responsible for implementation and management of the program must understand it, recognize its importance, and be incentivized to follow and adhere to it. Management must ensure that violations of the program are addressed appropriately. Vendors that aren’t able to comply with the necessary safeguards must be replaced.
How will this change impact your audit? External auditors will be required to conduct expanded audit testing and to report significant noncompliance findings if the institution has not complied with these requirements. This will add another layer of complexity and effort to the audit process. The DOE suggested the following audit procedures be performed as part of the auditors’ compliance audit:
These rules will be finalized as part of the vet copy of the Compliance Supplement, which will be released in the spring of 2019.
For additional information, please refer to the following resources: