Among higher education IT professionals, the Gramm-Leach-Bliley Act (GLBA) is best known for its Safeguards Rule, which was designed to protect the security and confidentiality of certain types of customer financial information.
A Brief History of GLBA
GLBA is also known as the Financial Services Modernization Act of 1999. The law’s original purpose wasn’t to protect the security and privacy of consumer information. Instead, it was passed to allow different types of financial institutions to merge. Because these new merged institutions would have access to tremendous amounts of customer information, the law included new rules on how financial institutions would have to protect consumer financial information: The Privacy Rule and the Safeguards Rule. These rules are enforced for various industries by their respective regulating bodies—the federal bank regulatory agencies, the Securities and Exchange Commission, and the Federal Trade Commission (FTC).
The GLBA Safeguards Rule
Reduced to its most basic concepts, GLBA applies to higher education institutions because colleges and universities participate in certain types of financial activities that are defined in banking law. Administering federal student loans is one of the main types of activities that pull institutions under the GLBA umbrella. The FTC oversees higher education institutional compliance with the Safeguards Rule. The FTC issued its Safeguards Rule standards in May 2002, with industry compliance required by May 2003.
Under the Safeguards Rule, colleges and universities must “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to [the institution’s] size and complexity, the nature and scope of [institutional] activities, and the sensitivity of any customer information at issue.” (16 C.F.R. sec. 314.3 (2011).) The Rule also prescribes a number of high-level elements that must be included in an institution’s information security program, such as designating an individual to be in charge of the program and providing employee training.
Recent GLBA Safeguards Rule Activity
In 2016, the FTC sought public comment on the Safeguards Rule during its regular regulations review. Numerous entities provided comment, and thus far the FTC has made no changes to the rule.
In 2017, the US Department of Education (ED), which is concerned about institutional GLBA Safeguards Rule compliance because of federal student loan administration, began working to include a Safeguards Rule audit objective in the federal single audit process. Both public and private nonprofit colleges and universities generally must follow the federal single audit process.
ED’s goal is to establish institutional accountability for Safeguards Rule compliance with respect to student loan information. At the moment, the Safeguards Rule audit objective is on hold until at least the Fiscal Year 2019 audit process. EDUCAUSE and its higher education association partners continue to monitor this issue.
What Should Institutions Be Doing Now?
At fifteen, the GLBA Safeguards Rule is largely unchanged from its original form, and compliance with the rule has become part of “business as usual” for higher education institutions. However, a potential need to demonstrate GLBA Safeguards Rule compliance is looming on the horizon.
To prepare, institutions should:
- Review your written information security program documentation, specifically with respect to GLBA compliance. Ensure that any documentation that was written originally for GLBA compliance (circa 2002–2003) is updated for your current circumstances, size, and complexity.
- Have you done a risk assessment lately for GLBA-covered information? If you haven’t done a formal risk assessment since the Safeguards Rule was implemented, now might be a good time to review your original risk assessment and update it for changed conditions.
- Make sure that your campus information security training and awareness activities reflect the current risks to GLBA-covered information and offer best practices on how to handle and secure those data.
- Pay attention to contracts and other documents that may mandate GLBA compliance or impose other information security and privacy compliance requirements. Are there any gaps that you need to address?
- Follow the EDUCAUSE Policy Spotlight blog for information about how the federal government is addressing IT policy issues that affect higher education. GLBA compliance and enforcement is one of the areas that EDUCAUSE specifically monitors.
This blog post contains selected excerpts from an article titled “The GLBA Safeguards Rule at Fifteen” published in the EDUCAUSE Review on October 8, 2018. The article was written by Vantage Technology Consulting Group Senior Consultant Joanna Lyn Grama and Jarret Cummings, Senior Advisor for Policy and Government Relations at EDUCAUSE.