Breaches in data security continue to plague almost all segments of the business world in today’s high-tech marketplace. These breaches have spurred regulations, such as the Gramm-Leach-Bliley Act (GLBA), which was designed to regulate the security and privacy of an individual’s financial information. The GLBA was intended to apply solely to “financial institutions,” however, the definition of a financial institution is very broad and ambiguous, and can include institutions other than banking entities. GLBA safeguards may therefore apply to educational institutions that have financial activities, such as lending, under its student financial aid program.
In two recent “Dear Colleague” letters issued by the Department of Education, the importance of protecting student information was noticeably emphasized. In addition, the U.S. Office of Management and Budget (OMB) included proposed “special tests” in the 2017 Vett Draft compliance supplement, which called for certain testing related to compliance for securing student information. Ultimately, the proposed rules were omitted from the final issuance, in order to allow institutions additional time to discuss and adjust information technology policies and controls. This omission, however, is only a temporary reprieve for educational institutions, as the 2019 compliance supplement will, more likely than not, revisit this matter.
The GLBA’s regulation contains various standards for protecting or safeguarding student data. Educational institutions must appropriately develop, implement, and maintain student information within a comprehensive program. The Department of Education has issued some guidelines that institutions should consider as they assess or develop their cybersecurity program as follows:
Educational institutions must report a data breach on the day the incident was detected or suspected. Any failure to report may be subject to substantial fines, which are incurred per violation. To avoid potential violations and fines, an organization must understand what a data breach is and the information that it is expected to report. In the event of an actual or suspected breach of personal identifiable information, the institution must immediately notify Federal Student Aid at CPSSAIG@ed.gov.
Many institutions have raised concerns over the new safeguard rules and proposed compliance supplement testing for information security. These organizations have argued that the objectives outlined may be too broad and ambiguous, which can lead to different interpretations from an internal and external reviewers’ perspective. These additional requirements may also place an increased financial burden on institutions.
Given the increased scrutiny and future compliance issues that may arise from the GLBA regulations to educational institutions, from monetary fines or loss of eligibility for Title IV funding, we recommend that organizations review their internal policies, procedures, and controls related to safeguarding student data.
Citrin Cooperman’s Not-for-Profit Practice and Technology and Risk Advisory Services advisors can assist you in further understanding the GLBA regulations and implementing best practices and policies at your organization.