Cyberattacks plague colleges and universities. Learn why GLBA compliance in higher education institutions is important.
Cybersecurity in higher education is becoming increasingly important. Colleges and universities collect and store large amounts of sensitive data, ranging from students’ personal information and payment details to valuable scientific research results. This information has always been a desirable target for cybercriminals, and the pandemic has made it more accessible through online lessons and webinars. The free flow of the workforce, along with the annual rotation of new students, also adds to the universities’ information security challenges. Collaboration and information sharing with other researchers, both inside and outside the university, is a security issue rarely seen in other industries. As interconnectivity in higher education continues to increase, the attack surface grows accordingly.
One of the most extensive data incidents affecting students’ sensitive data occurred in April 2021. At that time a single attack compromised sensitive data held by several universities at once. The University of California, the University of Miami, the University of Colorado, Stanford University’s School of Medicine, Yeshiva University, and the University of Maryland were subjected to a cyberattack that involved Accellion File Transfer Appliance (FTA). Along with the universities, the incident affected more than 100 organizations, including government agencies and private companies. Find more information about this data security incident in one of our previous posts.
With such challenges, education institutions should pay more attention to strengthening their security posture. One of the reliable and obligatory ways to help protect universities and their students’ data is to adhere to the Gramm-Leach-Bliley Act (GLBA).
GLBA was enacted on November 12, 1999, to reform the financial services industry and address concerns relating to consumer financial privacy. The Act’s primary purpose is to ensure that financial institutions safeguard the confidentiality of nonpublic personal information (NPPI) gathered from consumer records. The GLBA has three main sections: the Financial Privacy Rule, the Safeguards Rule, and a set of pretexting provisions.
The Financial Privacy Rule requires financial institutions to inform customers about their information-sharing practices and to provide them with the right to “opt out.” A detailed overview of the GLBA privacy requirements is available online. This post is mainly concerned with the Safeguards Rule, which requires financial institutions and their affiliates to have the necessary administrative, technical, and physical measures in place to keep consumer information secure. In addition to protecting NPPI, organizations that fall under the Act’s provisions must also take measures to detect and prevent as many unauthorized access attempts as possible.
The fact that the financial services industry must be concerned with customers’ financial privacy is indisputable. However, what makes colleges and universities accountable for students’ personal and financial information? In fact, GLBA covers a broad range of financial institutions, including those not traditionally considered to fall under this category. Higher education institutions fall under the GLBA provisions because they engage in certain “financial activities.” Namely, they are entrusted with students’ financial aid information used to administer the Title IV Federal Student Financial Aid programs.
Recurring attacks targeting education institutions prompted the U.S. Department of Education to take reasonable measures to respond to and prevent such attacks. To this end, the Department sent two letters – an initial letter in 2015 and a follow-up letter in 2016 – to remind education institutions and their third-party service providers of their legal obligations to protect students’ sensitive information. These letters were presented as resources to support schools’ efforts to strengthen their cybersecurity practices, and the central pillar of this protection was the GLBA Safeguards Rule.
Another significant shift occurred in 2019, when GLBA compliance was incorporated into schools’ annual federal audits. This was achieved by an amendment to the 2016 Audit Guide that lets auditors determine whether Institutions of Higher Education are GLBA compliant. In effect, the 2019 amendment ended the self-regulated approach to compliance by establishing an annual federal compliance audit and setting out responsibilities for non-compliance.
The audit process defines what higher education institutions must do to comply with GLBA. The institutions must clearly understand the GLBA requirements outlined in the Safeguards Rule mentioned above.
The Safeguards Rule requires developing a written information security plan that describes the consumer information protection program. Colleges and universities are free to design their plan at their own discretion. However, several components are obligatory, with no exceptions. As part of a standard GLBA compliance process, education institutions must, among other things:
Higher education institutions started submitting GLBA-related information to the Department of Education in 2019. According to the amendment to the Audit Guide, independent auditors check colleges and universities for the presence of the following:
1 – Individuals designated to coordinate the information security program;
2 – A completed risk assessment that addresses the three critical areas noted in 16 CFR 314.4(b), which are:
3 – Documented safeguards for each risk identified during step 2.
When an auditor determines that an institution has failed to comply with any of these requirements, the finding will be included in the institution’s audit report.
GLBA provisions include severe penalties for non-compliance, including fines and even imprisonment. In case of a GLBA violation:
In addition, the Department of Education itself can undertake enforcement actions. Specifically, if a college or university is found to be non-compliant, it will be denied access to the Department’s information systems.
At a time when the attack surface is growing enormously, higher education institutions, along with other financial services industries, must take all possible measures to safeguard the privacy and security of their customers’ information. The Gramm-Leach-Bliley Act is the pillar of these protections, as its Safeguards Rule requires organizations to implement the necessary administrative, technical, and physical measures to keep consumer information secure. Adherence to these measures may not only help secure customers’ financial information but also avoid fines for non-compliance.
To stay updated on the most recent security and compliance topics, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!