GLBA Compliance for Higher Education
In 1999, President Clinton signed the Gramm-Leach-Bliley Act (GLBA) into law. The act essentially updated and replaced the 70-year-old Glass-Steagall Act and gave financial institutions greater opportunity to offer a broader range of services.
Before 1999, banks’ ability to consolidate was quite limited; investment banks, commercial banks, and insurance companies were treated as separate businesses, and merging any of these services was typically illegal. The GLBA removed this restriction, but in exchange financial institutions became more strictly governed in consumer privacy, the sale of consumer data, and information sharing. These components are codified in the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions of the act.
Since 1999, increased threats of data loss and concerns about data protection have prompted regulators to use the GLBA provisions as grounds for expanding oversight into other institutions which deal with financial data. Any institution that handles consumer finances is bound by the standards of the GLBA. Most recently, this definition has included higher education.
Compliance with the Family Educational Rights and Privacy Act (FERPA) has long been standard operating procedure within higher education. However, increasing cyberattacks and data breaches have prompted the Federal Government to clarify that, because of the large amount of private financial information they hold, colleges and universities meet the definition of a “financial institution.”
GLBA Audits and More
GLBA audits are meant to test existing data protection policies. Per the government’s student aid website, audits mandate that:
1. The institution designates an individual to coordinate its information security program.
2. The institution performs a risk assessment that addresses three required areas:
   a) Employee training and management;
   b) Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
   c) Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
3. The institution documents a safeguard for each risk identified in step 2 above. [1]
Of further importance to higher education are the Privacy and Safeguards Rules as published on the FTC website. Though they have been in place for years, the expanded definition of “financial institution” now places colleges and universities under this regulatory burden. The Privacy Rule gives users the right to opt out of third-party information sharing and to receive an annual privacy notice explaining how their information is used and protected. The Safeguards Rule requires institutions to have measures in place to keep customer information secure.
Higher Education Institution GLBA Requirements
While this act is beneficial to consumers, the extended rule application adds a significant burden for educational institutions, which are now held to a standard similar to that of banks. Under the expanded guidelines, institutions must:
- “Develop, implement, and maintain a comprehensive information security program.”
- “Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.”
- “Develop administrative, technical, and physical safeguards.”
- “Develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible part and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
- “Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.”
Essentially all university departments are subject to these requirements as part of an organization-wide privacy audit. Protocols must be updated regularly, disseminated across campus, audited frequently, and modified as needed. The scope of this regulation appears in the act’s definitions: “Authorized user means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.” And “Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”
Institutional Implications
Comprehending governmental regulations can be challenging for even seasoned financial experts. But extending these rules into the realm of university systems means a significantly increased workload for those who are tasked with compliance.
Who in your university manages non-public student or staff data, financial or otherwise?
- Admissions departments handle names, transcripts, and other data from applications and inquiries.
- Marketing departments receive logs of web traffic, IP addresses, user information, and computer system information.
- Libraries keep data on users.
- Maintenance has records on who enters which buildings when (via keycard data).
- Student Life keeps logs of living arrangements, conflicts, and disciplinary activity, all linked to student data.
- Residence staff may keep records in their dorm rooms, allowing possible unintended access to others in the building.
- Professors’ files contain personal student data, whether in hardcopy or digital form.
- Personal information may be linked, through syncing software (e.g. Google Drive, Dropbox, etc.), to personal, home-based computers or mobile devices.
As universities continue to venture into the realm of digital information collection, the opportunities for cyber criminals only increase. Remote learning, online offerings, and financial aid applications broaden a school’s repository of vulnerable, private data. Between 2019 and 2020, ransomware attacks on higher education institutions doubled, with the average cost of resolution reaching $447,000.
Non-Compliance Penalties and Risks
Failure to comply with the updated obligations will result in the institution being reported to the FTC for further investigation. Consequences may include lengthy oversight periods or the disabling of institutional access to Department of Education information systems. In addition, due to the FTC’s reading of its own authority, it may impose significant monetary fines or even prison time for violators. [5] Violations can cost an organization $100,000, and individuals in leadership can be fined up to $10,000 and sentenced to five years in prison. Organizations have already been found to be in violation of this act. For instance, in 2020, Mortgage Solutions FCS agreed to a $120,000 settlement for violating GLBA regulations. [6]
Finally, it’s worth noting that as hard-hitting as fines would be to a financial bottom line, they are nothing when weighed against the indirect costs to the institution: loss of trust and damage to reputation. Higher education is already under intense competitive pressure, and few schools could afford a financial or reputational hit on top of it.
What You Can Do to Ensure GLBA Compliance
Thankfully, higher education administrators need not tackle this regulatory burden on their own. Ensuring institutional GLBA compliance can begin with a simple phone call. TruOps is a leader in regulatory compliance and incorporates cutting-edge, automated technologies to identify, evaluate, prioritize, and report on risk vulnerabilities within existing information systems. Our experts work with partner institutions to understand their existing processes and address GLBA compliance.
The TruOps Integrated Risk Management platform, composed of integrated modules, is deployed as a flexible, cloud-based solution. We streamline risk assessment and deliver solutions across both the internal organization and third-party environments. We’ll assemble and implement a multi-faceted approach to overcome regulatory burdens and establish real-time risk awareness with simple-to-understand dashboards and reports.
We know that colleges and universities have a lot on their plates, and we take pride in our ability to provide solutions to quickly help them navigate the full scope of governmental requirements. Using the TruOps Integrated Risk Management solution, our higher education clients can confidently make informed risk and compliance decisions to securely manage their business.
Let us take on the burden of compliance with our proven strategies and extensive experience.
Give TruOps a call today. www.truops.com
©2022 TruOps, LLC. All rights reserved