Columbia Advisory Group

Columbia Advisory Group delivers exceptional Information

A Deep Dive into the Updated GLBA Safeguards Rule

On December 9, 2021, the Federal Trade Commission (FTC) introduced final regulations amending the Standards for Safeguarding Customer Information, a critical component of the Gramm-Leach-Bliley Act (GLBA) mandates on customer privacy protection. The alterations, effective from June 9, 2023, impact postsecondary institutions and highlight changes in the Department of Education’s (Department) enforcement of GLBA stipulations. Consequently, institutions are urged to update their practices to meet the requirements of the revised rule.

Under the previous GLBA Safeguards Rule, postsecondary institutions and third-party servicers agreed to shield student financial aid information related to the administration of Federal student financial aid programs. This obligation extended to include all Federal Student Aid applicant information and any data obtained from the Department’s systems for administering Title III and Title IV programs.

The Department has consistently encouraged these institutions to adhere to GLBA requirements and adopt security standards, such as NIST 800-171, to fulfill ongoing obligations under GLBA. As a result, institutions have been subject to periodic audits to ensure compliance with GLBA requirements.

The newly revised GLBA Safeguards Rule brings a refreshed understanding of customer definition and new requirements for safeguarding information. Customer information, as defined by the rule, refers to data procured while providing a financial service to a current or former student. The main objective of the GLBA standards is to ensure student information’s security, protect against threats, and prevent unauthorized access.

Institutions must develop, implement, and maintain a comprehensive written information security program featuring nine critical elements to achieve these objectives. These include designating a qualified individual for implementing and overseeing the program, basing it on a risk assessment, implementing safeguards to control identified risks, and regularly testing and monitoring its effectiveness, among other things. Institutions with fewer than 5,000 consumers must address only the first seven elements.

In April 2022, the FTC released a publication titled “FTC Safeguards Rule: What Your Business Needs to Know,” which serves as a compliance guide for entities. It provides in-depth information about the nine required elements and outlines what a good security program should look like.

Failure to comply with the Safeguards Rule after June 9, 2023, the effective date, may affect an institution’s participation in the Title III and Title IV programs. The Department plans to resolve GLBA findings from a compliance audit or other means by evaluating the institution’s information security safeguards to determine its administrative capability.

In cases where an institution or servicer is found not to comply with the Safeguards Rule, they will need to revise their information security program and provide the Department with a Corrective Action Plan (CAP). Repeated non-compliance may result in administrative action by the Department, affecting the institution’s or servicer’s participation in Title III and Title IV programs.

The Department intends to issue further guidance on NIST 800-171 compliance. However, it reiterates that meeting GLBA requirements differs from complying with NIST 800-171 and encourages institutions to integrate information security controls required under NIST 800-171 as soon as possible.

Where can I find more information? For additional information, see FSA’s electronic announcement: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements. If you have questions regarding the Department of Education’s enforcement of GLBA, please get in touch with FSA_IHECyberCompliance@ed.gov. More information is also available on the Federal Trade Commission’s website. Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements | Knowledge Center

Brad Hudson

Cybersecurity Practice Leader

About Columbia Advisory Group

Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.

Contact us at info@columbiaadvisory.com.

More from our Blog:

Oct 17 2024 :

Columbia Advisory Group Achieves ISO 9001:2015 Certification for the 7th Straight Year.

Oct 10 2024 :

Strengthening Your Organization with Columbia Advisory Groups Effective Governance, Risk, and Compliance (GRC) Security Services