To help address concerns relating to consumer information, the Gramm-Leach-Bliley Act (GLBA) ensures certain privacy protections and safeguards are in place for financial institutions. Financial institutions covered by the GLBA are obligated to inform consumers of their information sharing practices and to maintain adequate checks and balances in their systems of internal controls. Institutions and third-party servicers are covered by the GLBA – and as of 2019, so are proprietary school audits and third-party servicer compliance attestation engagements with fiscal years ending on or after December 31, 2019, per the Department of Education.
As the world we live in becomes more and more digital, it’s no surprise the Federal Trade Commission (FTC) has updated the Standards for Safeguarding Customer Information (Safeguards Rule) – an important component of GLBA requirements. If financial institutions don’t take the proper precautions to protect personal information, consumers are left susceptible to hackers and thieves.
Below is an overview of the recent changes made to the Standards for Safeguarding Customer Information (Safeguards Rule), effective June 9, 2023.
Safeguards Rule Updates
The requirements have not changed drastically from their prior iteration. Starting June 9, they are the following:
- Ensure the security and confidentiality of student information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).
Elements to Include
Institutions and third-party servicers are required to have a written information security program that includes the following nine elements, according to 16 C.F.R. 314.4:
- Element 1: Designates an individual to oversee, implement and enforce the information security program.
- Element 2: Bases the information security program on a risk assessment that identifies risks to customer information that could result in the compromise of such information, and assesses the sufficiency of any safeguards in place to control those risks.
- Element 3: Designs and implements safeguards to control risks identified through the risk assessment.
- Element 4: Provides for regular testing or monitoring of the effectiveness of the safeguards implemented.
- Element 5: Provides for the implementation of policies and procedures to ensure personnel can enact the information security program.
- Element 6: Addresses how the institution or servicer will oversee its information system service providers.
- Element 7: Evaluates and adjusts the information security program based on the results of required testing and monitoring; any material changes to its operations or business arrangements; the results of required risk assessments; or any other circumstances that may have a material impact on the information security program.
- Element 8: Addresses the establishment of an incident response plan for an institution or servicer maintaining student information on 5,000 or more consumers.
- Element 9: Addresses the requirement for an individual to report on the program to those with control over the institution for an institution or servicer maintaining student information on 5,000 or more consumers.
Reason for Changes
The addition of these elements expands on the information security requirements already in place to improve institutions’ security posture. The Department of Education is tasked with resolving any GLBA findings during its final determination of an institution’s administrative capability.
Further, the Department plans to issue guidance on NIST 800-171 compliance, which deals with Controlled Unclassified Information in nonfederal systems and will form the foundation of these cybersecurity programs. This doesn’t mean schools shouldn’t work to incorporate the information security controls under this guidance prior to that time – keep in mind that NIST 800-171 compliance requires meeting over 100 individual controls across an array of categories, which is no small task.
Much of this implementation hinges on Element 1: designating a qualified individual responsible for overseeing the information security program is of the utmost importance. This will involve using a cybersecurity expert and could take a year or two to implement properly. Unless your institution has a large internal IT staff with the proper training, you will likely need to work with an external IT provider that has the skills and expertise required to implement and maintain your cybersecurity program.
We are just over two months away from the required implementation date – if you haven’t started to make these updates yet, we highly recommend you begin gathering information so you can make informed decisions on meeting the requirements. The Department of Education offers cybersecurity resources, which are a good place to start your research and to follow as updates are provided.
If you’d like to talk through these changes with a Title IV audit expert, please get in touch with our team: