(GENERAL-23-09) Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements

On December 9, 2021, the Federal Trade Commission (FTC) issued final regulations (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers. The effective date for most of the changes to the Safeguards Rule is June 9, 2023. This Electronic Announcement provides a summary of the changes to the GLBA requirements resulting from the Final Rule, explains the impacts of the changes on postsecondary institutions, and describes changes to the Department of Education’s (Department) enforcement of the GLBA requirements. Institutions should coordinate with their leadership and appropriate staff to implement the requirements in the Final Rule by June 9.

Postsecondary institutions and third-party servicers must protect student financial aid information provided to them by the Department or otherwise obtained in support of the administration of the Federal student financial aid programs (Title IV programs) authorized under Title IV of the Higher Education Act of 1965, as amended (HEA). Each institution that participates in the Title IV programs has agreed in its Program Participation Agreement (PPA) to comply with the GLBA Safeguards Rule under 16 C.F.R. Part 314. Institutions and servicers also sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that they will ensure that all Federal Student Aid applicant information is protected from access by, or disclosure to, unauthorized personnel, and that they are aware of and will comply with all of the requirements to protect and secure data obtained from the Department’s systems for the purposes of administering the Title IV programs.

In Dear Colleague Letters GEN-15-18 and GEN-16-12, we reminded institutions about the longstanding requirements of GLBA and notified them of our intention to begin enforcing the legal requirements of GLBA through annual compliance audits. In Dear CPA Letter CPA-19-01, the Office of Inspector General (OIG) explained the audit procedures for auditors to determine whether institutions were complying with GLBA. On February 28, 2020, we issued an Electronic Announcement that explained the Department’s procedures for enforcing those requirements and the potential consequences for institutions or servicers that fail to comply. On December 18, 2020 we issued an Electronic Announcement encouraging institutions to review and adopt NIST 800–171 as a security standard to support continuing obligations under GLBA.

Below we provide additional information about the updated requirements and definitions in the GLBA Safeguards Rule. Note that while the following provides a summary of the requirements, your best source of information is the text of the Safeguards Rule itself and GLBA guidance provided by the FTC. The FTC also provides a great deal of general data security guidance on its website.

The regulations at 16 C.F.R. Part 314 use the terms “customer” and “customer information.” For the purpose of an institution’s or servicer’s compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.

The objectives of the GLBA standards for safeguarding information are to –

To achieve the GLBA objectives, institutions and servicers are required to develop, implement, and maintain a written, comprehensive information security program. The FTC’s regulations require that the information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information. 

An institution’s or servicer’s written information security program must include the following nine elements included in the FTC’s regulations:

Element 1: Designates a qualified individual responsible for overseeing and implementing the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).

Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).

Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).

Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).

Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).

Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).

Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program (16 C.F.R. 314.4(g)).

Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).

Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).

Institutions or servicers that maintain student information for fewer than 5,000 consumers are only required to address the first seven elements.

While all elements of the Safeguards Rule are vital to protecting the security of customer information, an institution or servicer may significantly reduce the risk of a security breach, and the resulting harm and inconvenience to its customers, by encrypting customer information while it is in transit outside its systems or stored on its system and by implementing multi-factor authentication for anyone accessing customer information on its systems.

In April of 2022, the FTC issued a new publication entitled FTC Safeguards Rule: What Your Business Needs to Know, which is meant to act as a “compliance guide” to ensure that entities covered by the Safeguards Rule maintain safeguards to protect the security of customer information. The publication provides valuable information such as describing what a reasonable security program should look like and goes over each of the nine required elements in greater detail.

Under the Standards of Administrative Capability at 34 C.F.R. 668.16(c), an institution is required to have an adequate system of internal controls that provides reasonable assurance that the institution will achieve its objectives regarding reporting, operations, and compliance. Information security safeguards are fundamental to a system of internal controls and essential for preventing disruption to these core objectives as they guard the information systems that collect, maintain, process, and disseminate student information. Therefore, an institution that does not provide for the security of the information it needs to continue its operations would not be administratively capable.

The changes to the Safeguards Rule expand on the minimum information security requirements that should already be in place at participating institutions and their third-party servicers. The Department intends to work with all institutions to improve their information security posture, including those that may not have yet implemented the Safeguards Rule requirements.

The changes to the Safeguards Rule are effective June 9, 2023. Any GLBA findings identified through a compliance audit, or any other means, after the effective date will be resolved by the Department during the evaluation of the institution’s or servicer’s information security safeguards required under GLBA as part of the Department’s final determination of an institution’s administrative capability. GLBA related findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of non-compliance.

In cases where no data breaches have occurred and the institution’s or servicer’s security systems have not been compromised, if the Department determines that an institution or servicer is not in compliance with all of the Safeguards Rule requirements, the institution or servicer will need to develop and/or revise its information security program and provide the Department with a Corrective Action Plan (CAP) with timeframes for coming into compliance with the Safeguards Rule. Repeated non-compliance by an institution or a servicer may result in an administrative action taken by the Department, which could impact the institution’s or servicer’s participation in the Title IV programs.

The Department will issue guidance on NIST 800-171 compliance in a future Electronic Announcement, but again encourages institutions to begin incorporating the information security controls required under NIST 800-171 into the written information security program required under GLBA as soon as possible. Please note that compliance with the GLBA requirements is not the same as compliance with NIST 800-171. The current information security requirements that institutions must meet are the GLBA Safeguards Rule requirements at 16 C.F.R. Part 314.

If you have questions regarding any of the GLBA requirements, please contact the FTC at 202-326-2222. You can also find guidance regarding GLBA as well as other cybersecurity resources on the FSA Partner Connect Cybersecurity page. If you have questions about the Department’s enforcement of the GLBA, please contact the Cybersecurity Team at fsaschoolcybersafety@ed.gov.