Higher education institutions participating in the U.S. Department of Education’s federal student aid programs should be aware of recent developments: updates to the Safeguards Rule requirements of the Gramm-Leach-Bliley Act (GLBA) took effect on June 9, 2023. GLBA typically ensures that financial institutions such as banks maintain appropriate data privacy practices to protect individuals’ non-public personal information (NPI), but on February 28, 2020, the U.S. Department of Education (ED) and Federal Student Aid (FSA) announced that institutions participating in federal student aid programs must comply with GLBA and report on that compliance in their annual audits. On February 9, 2023, FSA announced updates to the GLBA cybersecurity requirements specific to higher education institutions. To see how the new requirements fit into your institution’s GLBA compliance, see FPF’s New Requirements, Higher Education Data Governance Considerations Reference Guide, and Data Governance Checklist.
What does this mean for institutions participating in the FSA program?
All educational institutions must continually review their data privacy and security programs. The GLBA regulations are built on nationally recognized best practices, including NIST SP 800-171, and we recommend that all institutions model their data security programs on them. Institutions participating in FSA programs, however, should also be aware that their audits must cover the following safeguards, as specified in the U.S. Department of Education Office of Inspector General’s letter to auditors, CPA-19-01:
- Designate an individual responsible for coordinating the information security program.
- Perform a risk assessment that addresses three essential areas:
  - employee training and management;
  - information systems, including network and software design, and information processing, storage, transmission, and disposal; and
  - detecting, preventing, and responding to attacks, intrusions, and other system failures.
- Document the safeguards in place for each risk identified in the risk assessment.
In addition to the audit requirements, institutions must ensure compliance with the three sections of GLBA: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. Note that two of the Safeguards Rule requirements (direct reporting to the board and a written incident response plan) apply only to institutions that manage information about 5,000 or more consumers.
How do institutions ensure compliance?
Institutions must assess their alignment with all three sections of GLBA: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule.
Privacy Rule
The GLBA Financial Privacy Rule, 16 CFR Part 313, regulates how institutions inform customers about how their NPI is used and shared. The FTC has ruled that compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirements of GLBA. Financial institutions are encouraged to review their policies, procedures, and practices regarding FERPA records that contain financial aid information to ensure compliance.
The following requirements of the Privacy Rule apply to higher education institutions:
- Establish a clear and concise set of privacy policies that includes information about what data is collected, why it is collected, with whom it is shared, and under what conditions.
- This requirement may be met by the institution’s annual FERPA notification. However, if your FERPA notice does not include all of the required components, you will need to detail this information in your data privacy policy or plan.
- Before collecting personal information, ensure that students have read the privacy notice and have agreed to any data sharing that requires consent.
- Ensure there is a process in place to notify students when their personal data will be shared with other financial institutions or third parties for the purpose of completing a transaction.
- Review your policies periodically (at least annually) to ensure they remain appropriate.
Safeguards Rule
The purpose of the Safeguards Rule, 16 CFR Part 314, is to set standards that:
- ensure the security and confidentiality of student information;
- protect against anticipated threats to the security or integrity of such records; and
- protect records and information from unauthorized access or use that could cause significant harm or inconvenience to students.
The Safeguards Rule requires institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards to protect customer information. An information security program must address nine elements:
- Designate a qualified individual to oversee the institution’s information security program.
- For institutions managing information on more than 5,000 students, the qualified individual must report in writing to the board or governing body periodically, and at least once a year, including an overall assessment of the institution’s compliance with its information security program.
- Develop and conduct written risk assessments.
- Design and implement safeguards to control the risks identified in the risk assessment.
- Regularly monitor and test the effectiveness of your safeguards.
- Implement policies and procedures for carrying out the information security program, including specialized training for employees, affiliates, or service providers responsible for implementing it.
- Oversee your service providers. Contracts should specify security expectations and ensure that appropriate safeguards are maintained.
- Establish a process to keep your information security program up to date.
- Create a written incident response plan for responding to and recovering from security events (for institutions managing information on more than 5,000 students).
Pretexting Rule
The GLBA’s pretexting provisions, 15 USC § 6821, protect the privacy of customer information and are designed to combat identity theft. Pretexting is a social engineering technique in which an attacker, under some pretext, attempts to trick unsuspecting staff into handing over non-public personal information. To be compliant, institutions must:
- Prevent unauthorized disclosure of customer financial information, and have policies, procedures, and controls in place to prevent and detect unauthorized disclosure or access.
- Periodically assess the risk to covered accounts, considering (1) the methods used to open accounts; (2) the methods used to access accounts; and (3) any previous history of identity theft.
- Establish a written identity theft prevention program designed to detect, prevent, and mitigate identity theft. This requirement is known as the “Red Flags Rule.”
- Manage the identity theft prevention program on an ongoing basis, including board (or appropriate committee) approval and involvement, staff training, and service provider oversight.
For more information about GLBA, please see below.
FPF resources: