Gramm-Leach-Bliley Act (GLBA)
As part of an Institution’s signed Program Participation Agreement (PPA) and the Student Aid Internet Gateway (SAIG) Enrollment Agreement, Institutions agree to protect student financial aid information and safeguard sensitive data under the Gramm-Leach-Bliley Act (GLBA). In 2019, the Department of Education (ED) added a compliance requirement titled Gramm-Leach-Bliley Act–Student Information Security that is required to be tested by auditors as part of the Student Financial Assistance Cluster annual Uniform Guidance compliance audit. Starting in 2020, ED required auditors to report noncompliance with GLBA as a finding in the Uniform Guidance audit. The initial compliance requirements made it mandatory for auditors to obtain an understanding of an Institution’s information security program, determine if an individual was assigned the responsibility of the program, perform a risk assessment over specific areas, and identify the safeguards for each identified risk resulting from the assessment.
Federal Trade Commission’s (FTC)
ED is adopting and enforcing the Federal Trade Commission’s (FTC) final regulations (Final Rule) as part of the annual compliance requirements related to the safeguards that protect student personal data. Implementation of the changes is required to be effective by June 9, 2023. Institutions are required to develop, implement, and maintain a written, comprehensive information security program (WISP) containing up to nine specific elements. The complexity of an Institution’s WISP depends on the size and complexity of the Institution and the amount of data being maintained. GLBA requires data to be retained for two years, for each student, after the last date the data was used. For Institutions with over 5,000 students (consumers), all nine elements must be present; for Institutions with fewer than 5,000, only the first seven. The first three elements are the same as in the previous compliance requirements. Elements four through nine come from the FTC Final Rule and include the following:
- Regularly testing and monitoring the effectiveness of safeguards,
- Establishing policies and procedures for employees to support the WISP,
- Documenting how information shared with service providers is monitored,
- Evaluating and adjusting the WISP for material changes,
- If over 5,000 consumers, establishing an incident response plan,
- If over 5,000 consumers, annually reporting to the Board on the Institution’s information security program.
Why does this matter and what might be the urgency for compliance?
Most Institutions will have the Student Financial Assistance Cluster as the major program for their 2023 Uniform Guidance Audit, therefore requiring compliance with GLBA. Any reported GLBA findings will be evaluated by ED. If ED determines that an Institution is not in compliance with all of the Safeguards Rule requirements, it will request a formal Corrective Action Plan (CAP) with established timeframes for coming into compliance. Institutions, and those specifically responsible for the information security program, should review the new Safeguards Rule to determine their Institution’s current compliance. Institutions should make every effort to demonstrate compliance with, and an understanding of, the GLBA requirements, as this will be requested as part of the annual audit. Institutions can also seek additional guidance here.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.