Higher Education Information Technology

Gramm Leach Bliley Act Update

The Gramm Leach Bliley Act (GLBA) took effect in May of 2003, and was updated in December 2021.  The updated requirements took effect on June 9, 2023 and were effective for the entirety of the fiscal year for higher education institutions.  We expect that the student assistance program will have updated requirements for the GLBA, and all institutions will have to abide by the updated GLBA for periods ending in June of 2024.  The GLBA requires that covered entities, defined below, must have adequate safeguards over sensitive information along with being transparent about information-sharing practices.

The safeguard rules require covered financial institutions to develop, implement and maintain an information security program to protect customer information.  Higher education institutions qualify as a financial institution based on their handling of student payments, refunds, and the transactions of the student assistance federal program.  The rule defines customer information to be any record containing non-public personal information such as bank account information, and other personally identifiable financial information. The institution’s information security program must be written with the objective to ensure the security and confidentiality of customer information, protect against anticipated threats to the security and integrity of customer information and to prevent unauthorized transactions.  Major changes from the original GLBA include the following requirements:

  • Designate a qualified individual to implement and supervise the information security plan. This could be an employee or service provider, but the service provider must still be overseen by a qualified individual at the institution.
  • Conducting a written risk assessment to determine foreseeable risks and threats, including internal and external threats, to the security, confidentiality, and integrity of customer information. The institution must also update the risk assessment periodically.
  • Designing and implementing safeguards to control the risks identified through the risk assessment including the following items:
    • Implement and periodically review access controls.
    • Understanding of the Institution’s information technology ecosystem
    • Encryption of data including in storage and when in transit
    • Assess access points to customer data including apps and other programs.
    • Implementation of multi-factor authentication
    • Disposal of customer data securely
    • Anticipate and evaluate changes to your information system or network.
    • Maintain a log of authorized users’ activities and review for unauthorized access.
  • Monitoring of systems – including regular testing of procedures and policies and conducting annual testing such as penetration testing and vulnerability scans. Monitoring any third-party providers that handle the institution’s information.  Ensure that all staff are up to date on security training based on their position in the institution.
  • Requiring that a qualified individual report to the governing body in writing on at least an annual basis. The report must include an overall assessment of the institution’s compliance with its information security program as well as risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.

Institutions should already have a basic information security program in place due to auditing requirements placed into the federal compliance supplement for the student assistance program starting in 2019. However, the updated GLBA expands upon the originally issued act.  Institutions should review all the requirements of the updated GLBA and ensure they are meeting the new requirements.  If you have any questions regarding the GLBA, reach out to a member of your audit team.