On October 27, 2021, the Federal Trade Commission (FTC) announced newly updated standards for safeguarding customer information (“Safeguards Rule”) under the Gramm-Leach-Bliley Act (GLBA). The new rule amends the FTC’s 2002 Safeguards Rule and applies to financial institutions under the scope of the FTC’s regulatory authority.
How does the new rule apply to colleges and universities?
The Federal Trade Commission (FTC) is the Safeguards Rule enforcement agency for higher education institutions. The GLBA broadly defines a “financial institution” as any entity engaging in the financial activities listed under the 1956 Bank Holding Company Act. These activities include “making, acquiring, brokering, or servicing loans” and “collection agency services.” Since colleges and universities participate in specified financial activities, such as making federal student financial assistance loans or undertaking collection activities from staff and students, FTC regulations consider them to be financial institutions for GLBA purposes. In 2015, 2016, and 2019, the U.S. Department of Education reminded higher education institutions of their obligations under GLBA to protect customer data obtained whilst administering federal student financial assistance programs.
What are the new Safeguards Rule requirements?
The newly updated rule is significantly more prescriptive than the original 2002 Safeguards Rule. Under the newly revised Safeguards Rule, financial institutions must implement specific controls. Some of the more notable requirements include:
- Creating a written incident response plan that includes internal processes for responding to a security event.
- Developing data destruction procedures for customer information that has not been used for at least two years (unless that information is necessary for business operations).
- Adopting change management procedures.
- Encrypting all customer information in transit and at rest.
- Continuously monitoring the efficacy of security safeguards or performing yearly periodic penetration testing and biannual vulnerability assessments
- Enabling multi-factor authentication for any person accessing an information system containing consumer financial information.
- Implementing processes to select service providers who maintain appropriate safeguards for customer information, including contractually requiring service providers to implement security safeguards
Financial institutions must also designate a single qualified individual who is responsible for implementing and enforcing the organization’s information security program. The new rule does clarify that the qualified individual who is responsible for the information security program may be an employee or a service provider. The qualified individual must report in writing at least annually to the organization’s board or governing body about the overall status and efficacy of the organization’s information security program.
The new rule also adds additional criteria to the performance of risk assessments. Under the 2002 Safeguards Rule, financial institutions needed to conduct a risk assessment to identify risks to the security, confidentiality, and integrity of customer information and assess the efficacy of safeguards. The new rule requires that risk assessments be written, be performed periodically, contain criteria for the evaluation of identified security threats, and require a description of how identified risks will be mitigated or accepted. In addition, a financial institution’s information security program must implement safeguards to control the risks identified through the risk assessment.
When does the new Safeguards Rule go into effect?
The new Safeguards Rule becomes effective within 30 days after publication in the Federal Register. It is currently scheduled to be published on December 9, 2021 (so the effective date will be January 9, 2022). However, some requirements will be delayed one year (to December 2022). These include the requirements to appoint a qualified individual for an organization’s information security program, develop a written incident response plan, complete written risk assessments, conduct continuous monitoring (or annual penetration testing and biannual vulnerability assessments), and periodic third-party service providers assessments.
Higher education GLBA checklist
To get ready for the new GLBA Safeguards Rule requirements, higher education institutions should:
- Consider adopting an industry best practice framework (e.g., NIST SP 800-53, NIST Cybersecurity Framework, ISO 27001, or the CIS Critical Security Controls) for your institutional information security program. Following a best practices framework helps ensure you are following recommended actions for effective security controls.
- Review and improve your written incident response processes, paying special attention to the requirements noted in the revised GLBA Safeguards Rule. You will want to make sure that your processes address the goals of the incident response plan, provide internal processes for responding to a security event, define clear roles and responsibilities for incident response, outline communications activities, and include mitigation and recovery procedures.
- Strengthen information security awareness and education activities for your workforce, particularly those staff members dealing with customer information. You will want to regularly update your awareness and education programs with information about the particular information security risks that your institution faces.
- Bolster your risk assessment processes, ensuring that you regularly conduct risk assessments for the information systems that store, transmit, and process customer data. Consider following a risk assessment methodology (like one provided by NIST or ISO) to ensure that your risk assessment is comprehensive and well-documented.
- Create processes for selecting third-party service providers to ensure that the service provider has effective security practices, and confirm that institutional contracts with those service providers contain provisions to secure institutional data.
- Take the time to read the new GLBA Safeguards Rule and the guidance provided by the FTC in support of the new rules to understand how best to approach compliance.
This post was authored by Associate Vice President Joanna Grama, who advises clients on information security program governance and strategy.
If you’d like assistance improving your campus information security program, the Vantage Strategic Planning and Technology Management team can help. We have extensive experience designing information security programs, drafting policies and procedures, conducting controls assessments, and preparing incident response plans. Our consultants are experienced InfoSec leaders and practitioners who understand the issues of complex organizations. Our certifications include CISSP, HCISPP, CISM, CGEIT, CRISC, GSLC, and GSTRT. Contact us to learn more.