GLBA & Updating Data Security

Regulatory changes related to the Gramm-Leach-Bliley Act (GLBA) that become effective December 9, 2022, will likely require colleges and universities to update and revise their security programs. The Federal Trade Commission, which enforces GLBA for higher education institutions, published a final rule in the Federal Register in December 2021, with most of the GLBA rules becoming effective on January 10 of this year. However, some of the new rules related to a college's security program will not become effective until December 9, 2022.

To ensure your institution is in compliance with the requirements, review section 314.4, which begins on page 70,307 of the Federal Register. The following parts of section 314 become effective December 9: 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i).

You can access this Federal Register with the new final rules here.

Your institution's security program should be part of your annual audit or a U.S. Department of Education Program Review. An institution can be cited if it is not meeting all regulatory requirements.

GLBA regulates data security and protection. It governs how higher education institutions collect, store, access and manage student financial data and records, such as tuition payments or financial aid, when those records contain Personally Identifiable Information (PII).

To ensure compliance with GLBA, colleges need to develop, implement and maintain a comprehensive information security program. The security program, and the documentation supporting it, should be available during an audit for testing and reporting.

These are the most common audit findings related to GLBA requirements:

· Unable to identify a point of contact (POC) responsible for the security program

· Missing an incident response plan (how, when and to whom to report issues)

· Failure to perform a risk assessment