As our technology environment continues to evolve, so does the need to protect non-public student information. Colleges and universities, under their Program Participation Agreements (PPA), are required to comply with the Gramm-Leach-Bliley Act (GLBA), per General Terms and Conditions Part 3f. In order to ensure compliance with GLBA, the Department of Education recently added security controls testing to the audit requirements under the Uniform Guidance. Noncompliance with GLBA may be exposing your Institution to a range of severe penalties, including seven-figure financial sanctions for the College or University and up to $10,000 each for Officers/Directors. Unassessed data privacy and cybersecurity control weaknesses expose your data to a reportable breach. Individual Board and Audit Committee members may be personally responsible for fines, civil and criminal legal actions, and unaffordable reputational damage.
Even though the GLBA has been on the books since 1999, it seems there is still some confusion regarding what controls, actions and processes colleges and universities are required to have in place to comply with the Privacy and Safeguards Rules. GLBA is administered and controlled by the Federal Trade Commission (FTC). Under the Privacy and Safeguards Rules, the law requires financial institutions that offer consumers financial products or services like loans, financial or investment advice, or insurance, to protect the privacy and security of consumer information they collect; to explain, in writing, their information-sharing practices to their customers; and to safeguard sensitive data. The Privacy and Safeguards Rules require colleges and universities to develop a written privacy and information security plan describing their programs to protect customer (student, parent, family member) information. The plan must be appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
As part of its plan, each college or university has requirements surrounding documentation as well as requirements to:
• Identify where the controlled data is stored, processed, transmitted, and otherwise interacted with.
• Designate one or more employees to coordinate its privacy and information security program.
• At least annually, perform and document a thorough and accurate risk assessment that identifies and assesses the risks to customer information in each relevant area of the institution’s operation.
• At least annually, report on the program and risks found to the Board or other Oversight/Governance Committee.
• Continually evaluate the effectiveness of the current safeguards for controlling these risks (AKA annual risk assessments).
• Design and implement a safeguards program, and regularly monitor and test it.
• Select service providers (and audit their compliance) that can maintain appropriate safeguards.
• Evaluate and adjust the program considering relevant circumstances, including changes in the institution’s business or operations, or the results of security testing and monitoring.
These requirements are designed to be flexible, and you should implement the safeguards appropriate to your circumstances. In all cases, institutions must consider and address any unique risks raised by their business and educational operations, such as the risks raised when staff access student data from their homes or other off-site locations, when student data is transmitted electronically inside or outside the institution’s network to a vendor, or where data is stored in hardcopy or electronically.
Privacy Rule Controls
Institutions covered by the Gramm-Leach-Bliley Act must tell their students about their information-sharing privacy practices and explain to customers their right to “opt out” if they don’t want their information shared with certain third parties.
Safeguards Rule – Data Access and Control
The Safeguards Rule requires institutions to assess and address the risks to customer information in all areas of their operation, including but not limited to the following four key areas that are particularly important to information security: information access management; training; systems change and patch management; and detecting, protecting and responding to cybersecurity events.
• Access management: Know, at all times, who has access to your data, where the data resides and is transmitted, and who interacts with it.
• Training: Any person who accesses protected data (management, Board Members, Audit Committee members, etc.) at the institution or at your third-party service provider must have training supporting the privacy and cybersecurity requirements of the institution. This training must be completed annually and must be adjusted, based on your written risk assessment, to reflect changes at the institution and within the privacy and cybersecurity industries. You should have programs in place to regularly remind all staff of your institution’s policy and the legal requirement to keep customer information private, secure and confidential. All training needs to be documented and users should acknowledge completion in writing.
• System updates and patch management: Patch management is a necessary, regular and ongoing process for managing the often-fluctuating application, software, and other system changes and upgrades across all your servers, laptops, desktops, and mobile technologies. In addition to fixing software applications, many of these software patches deal with security weaknesses while others may deal with specific functionality for programs.
• Detecting, managing, controlling, and recovering from cybersecurity events: Institutions need to risk assess, deter, detect, and defend against cybersecurity events and breaches. The GLBA rules have expectations that you are taking reasonable steps to prevent attacks, quickly diagnose a security incident, and have a plan in place for responding effectively.
The Privacy and Safeguards Rules require colleges and universities to develop and communicate a written privacy and information security plan to all affected parties. These plans should describe their programs to protect customer (student, parent, family member) information and the rights of individuals to opt out of data sharing in certain circumstances. These plans can be appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information handled. To meet the rules and standards, it’s critical to fully understand your risk profile, have ongoing programs to identify and risk assess where your data is used, and be aware of what external entities have access to your data.
Remember, GLBA’s definition of non-public information and controls may not meet the expectations of all the other states, federal government and international data privacy and security classifications for protected information in other laws and regulations such as HIPAA, European General Data Protection Rules (GDPR), FERPA, NY State Breach Notification Act, etc.
The requirements outlined above are expected to be effective in the next several years. Therefore, it is imperative that Institutions begin reviewing the potential impact of this additional audit requirement. The Bonadio Group is highly experienced in GLBA and available to help you ensure that your program, documentation and risk assessment meet the expectations of the law. We can assist you with any specific review and analysis of your institution’s current compliance with the Safeguard Rules established under the GLBA – contact us today to learn more.
Carl is the executive vice president in charge of Bonadio’s Enterprise Risk Management Division and the practice leader for all IT/IS engagements. Carl has more than 28 years of experience in internal audit in information technology and information systems security and architecture, deployment, project management, security by design, and governance.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.