All You Need to Know About GLBA Compliance in Higher Education

Cyberattacks plague colleges and universities. Learn why GLBA compliance in higher education institutions is important.  

Cybersecurity in higher education is becoming increasingly important. Colleges and universities collect and store large amounts of sensitive data, ranging from students’ personal information and payment details to valuable scientific research results. This information has always been a desirable target for cybercriminals, and the pandemic has made it more accessible through online lessons and webinars. The free flow of the workforce, along with annual rotations of new students, also adds to universities’ information security challenges. Collaboration and information sharing with other researchers, both inside and outside the university, is a security challenge not seen in most other industries. As interconnectivity in higher education continues to increase, the attack surface grows accordingly.

One of the most extensive data incidents affecting students’ sensitive data occurred in April 2021. At that time a single attack compromised sensitive data held by several universities at once. The University of California, the University of Miami, the University of Colorado, Stanford University’s School of Medicine, Yeshiva University, and the University of Maryland were subjected to a cyberattack that involved the Accellion File Transfer Appliance (FTA). Along with the universities, the incident affected more than 100 organizations, including government agencies and private companies. Find more information about this data security incident in one of our previous posts.

With such challenges, education institutions should pay more attention to strengthening their security posture. One reliable, and indeed mandatory, way to help protect universities and their students’ data is to adhere to the Gramm-Leach-Bliley Act (GLBA).

What is the Gramm-Leach-Bliley Act?

GLBA was enacted on November 12, 1999, to reform the financial services industry and address concerns relating to consumer financial privacy. The Act’s primary purpose is to ensure that financial institutions safeguard the confidentiality of nonpublic personal information (NPPI) gathered from consumer records. The GLBA has three main sections: the Financial Privacy Rule, the Safeguards Rule, and a set of pretexting provisions.

The Financial Privacy Rule requires financial institutions to inform customers about their information-sharing practices and provide customers with the right to “opt out.” A detailed overview of the GLBA privacy requirements is available online. This post is mainly concerned with the Safeguards Rule, which requires financial institutions and their affiliates to have the necessary administrative, technical, and physical measures in place to keep consumer information secure. In addition to protecting NPPI, organizations that fall under the Act’s provisions must also take measures to detect and prevent as many unauthorized access attempts as possible.

What about Higher Education Institutions?

The fact that the financial service industry must be concerned with customers’ financial privacy is undisputable. However, what makes colleges and universities accountable for students’ personal and financial information? In fact, GLBA covers a broad range of financial institutions, including those not traditionally considered to fall under this category. Higher education institutions fall under the GLBA provisions because they engage in certain “financial activities.” Namely, they are entrusted with students’ financial aid information used to administer the Title IV Federal Student Financial Aid programs.

Why Does GLBA Compliance in Higher Education Matter?

Recurring attacks targeting education institutions prompted the U.S. Department of Education to take reasonable measures to respond to and prevent such attacks. To this end, the Department sent two letters – an initial letter in 2015 and a follow-up letter in 2016 – to remind education institutions and their third-party service providers of their legal obligations to protect students’ sensitive information. These letters were presented as resources to support schools’ efforts to strengthen their cybersecurity practices, and the central pillar of this protection was the GLBA Safeguards Rule.

Another significant shift occurred in 2019, when GLBA compliance was incorporated into schools’ annual federal audits. This was achieved through an amendment to the 2016 Audit Guide that directs auditors to determine whether Institutions of Higher Education are GLBA compliant. In effect, the 2019 amendment ended the self-regulated approach to compliance by establishing an annual federal compliance audit and defining responsibilities for non-compliance.

What are the Requirements for GLBA Compliance in Higher Education?

The audit process defines what higher education institutions must do to comply with GLBA. Institutions must clearly understand the GLBA requirements outlined in the Safeguards Rule mentioned above.

The Safeguards Rule requires developing a written information security plan that describes the institution’s consumer information protection program. Colleges and universities are free to design their plan at their own discretion. However, several components are obligatory with no exceptions. As part of a standard GLBA compliance process, education institutions must, among other things:

  • Develop, implement, and maintain a comprehensive information security program and adjust it in light of the results of testing and monitoring;
  • Designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program;
  • Conduct risk assessments periodically and implement additional controls to mitigate identified risks. Read more about the risk assessment process in one of our posts, How to Conduct the Risk Assessment;
  • Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those that detect actual and attempted attacks on, or intrusions into, information systems;
  • Implement policies and procedures to ensure that personnel can carry out the information security program (security awareness training; regular security updates);
  • Identify and address vulnerabilities in systems and applications in a timely manner;
  • Establish a written incident response plan designed to respond to and recover from any security event materially affecting the confidentiality, integrity, or availability of customer information in the institution’s control;
  • Periodically evaluate and update the security program.

Annual GLBA Compliance Audits 

Higher education institutions started submitting GLBA-related information to the Department of Education in 2019. According to the amendment to the Audit Guide, independent auditors check colleges and universities for the presence of the following:

1 – Individuals designated to coordinate the information security program;

2 – A completed risk assessment that addresses the three critical areas noted in 16 CFR 314.4(b), which are:

    • Employee training and management;
    • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal;
    • Detecting, preventing, and responding to attacks, intrusions, or other system failures; and

3 – Documented safeguards for each risk identified during step 2.

When an auditor determines that an institution has failed to comply with any of these requirements, the finding is included in the institution’s audit report.

What are the Implications of Non-Compliance?

GLBA provisions include severe penalties for non-compliance, including fines and even imprisonment. In the event of a GLBA violation:

  • The institution will be subject to a penalty of up to $100,000;
  • Executives (or other responsible individuals) will be personally liable and may be fined up to $10,000 for each violation;
  • The institution’s executives may also be subject to imprisonment for not more than five years.

In addition, the Department of Education itself can undertake enforcement actions. Specifically, if a college or university is found to be non-compliant, it can be denied access to the Department’s information systems.

To Conclude

At a time when the attack surface is growing enormously, higher education institutions, along with other financial service industries, must take all possible measures to safeguard the privacy and security of their customers’ information. The Gramm-Leach-Bliley Act is the pillar of these protections, as its Safeguards Rule requires organizations to implement the necessary administrative, technical, and physical measures to keep consumer information secure. Adherence to these measures may not only help secure customers’ financial information but also avoid fines for non-compliance.

To stay updated on the most recent security and compliance topics, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!
