Columbia Advisory Group

A Deep Dive into the Updated GLBA Safeguards Rule

On December 9, 2021, the Federal Trade Commission (FTC) introduced final regulations amending the Standards for Safeguarding Customer Information, a critical component of the Gramm-Leach-Bliley Act (GLBA) mandates on customer privacy protection. The alterations, effective from June 9, 2023, impact postsecondary institutions and highlight changes in the Department of Education’s (Department) enforcement of GLBA stipulations. Consequently, institutions are urged to update their practices to meet the requirements of the revised rule.

Under the previous GLBA Safeguards Rule, postsecondary institutions and third-party servicers agreed to shield student financial aid information related to the administration of Federal student financial aid programs. This obligation extended to include all Federal Student Aid applicant information and any data obtained from the Department’s systems for administering Title III and Title IV programs.

The Department has consistently encouraged these institutions to adhere to GLBA requirements and adopt security standards, such as NIST 800-171, to fulfill ongoing obligations under GLBA. As a result, institutions have been subject to periodic audits to ensure compliance with GLBA requirements.

The newly revised GLBA Safeguards Rule brings a refreshed definition of “customer” and new requirements for safeguarding information. Customer information, as defined by the rule, refers to data procured while providing a financial service to a current or former student. The main objective of the GLBA standards is to ensure the security of student information, protect against threats, and prevent unauthorized access.

To achieve these objectives, institutions must develop, implement, and maintain a comprehensive written information security program featuring nine critical elements. These include designating a qualified individual for implementing and overseeing the program, basing it on a risk assessment, implementing safeguards to control identified risks, and regularly testing and monitoring its effectiveness, among other things. Institutions with fewer than 5,000 consumers must address only the first seven elements.

In April 2022, the FTC released a publication titled “FTC Safeguards Rule: What Your Business Needs to Know,” which serves as a compliance guide for entities. It provides in-depth information about the nine required elements and outlines what a good security program should look like.

Failure to comply with the Safeguards Rule after June 9, 2023, the effective date, may affect an institution’s participation in the Title III and Title IV programs. The Department plans to resolve GLBA findings from a compliance audit or other means by evaluating the institution’s information security safeguards to determine its administrative capability.

In cases where an institution or servicer is found not to comply with the Safeguards Rule, they will need to revise their information security program and provide the Department with a Corrective Action Plan (CAP). Repeated non-compliance may result in administrative action by the Department, affecting the institution’s or servicer’s participation in Title III and Title IV programs.

The Department intends to issue further guidance on NIST 800-171 compliance. However, it reiterates that meeting GLBA requirements differs from complying with NIST 800-171 and encourages institutions to integrate information security controls required under NIST 800-171 as soon as possible.

Where can I find more information?

For additional information, see FSA’s electronic announcement: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements. If you have questions regarding the Department of Education’s enforcement of GLBA, please get in touch with FSA_IHECyberCompliance@ed.gov. More information is also available on the Federal Trade Commission’s website.

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.
