Gramm-Leach-Bliley Act Update Impacts on Higher Education

Lisa Ritter, CPA, CFE, CITP, Partner

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule took effect in May 2003 and was amended by the Federal Trade Commission in December 2021.  The amended requirements took effect on June 9, 2023, which means they apply to the entire fiscal year for higher education institutions whose fiscal year ends June 30, 2024.  We expect the student financial assistance compliance requirements to be updated to reflect the amended rule, and all institutions will have to comply with the updated GLBA for periods ending in June 2024.  The GLBA requires that covered entities, defined below, maintain adequate safeguards over sensitive customer information and be transparent about their information-sharing practices.

The Safeguards Rule requires covered financial institutions to develop, implement and maintain a written information security program to protect customer information.  Higher education institutions qualify as financial institutions because they handle student payments and refunds and process transactions under the federal student assistance (Title IV) programs.  The rule defines customer information as any record containing non-public personal information, such as bank account numbers and other personally identifiable financial information, whether in paper, electronic or other form.  The institution’s information security program must be written with the objectives of ensuring the security and confidentiality of customer information, protecting against anticipated threats or hazards to the security or integrity of that information, and protecting against unauthorized access to or use of it that could result in substantial harm or inconvenience to any customer.  Major changes from the original Safeguards Rule include the following requirements:

  • Designate a qualified individual to implement and supervise the information security program. This may be an employee or a service provider, but if a service provider is used, the institution retains responsibility for compliance and must designate a senior member of its own personnel to direct and oversee the provider.
  • Conduct a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information and evaluates whether existing safeguards are sufficient to control them. The institution must update the risk assessment periodically as its operations, systems and threats change.
  • Design and implement safeguards to control the risks identified in the risk assessment, including the following:
    • Implement and periodically review access controls, limiting access to customer information to authorized users and to what each user needs to perform their duties.
    • Identify and manage the data, personnel, devices, systems and facilities that make up the institution’s information technology ecosystem, prioritized by their relative importance.
    • Encrypt customer information both at rest and in transit over external networks (where encryption is not feasible, the qualified individual must approve an effective alternative control in writing).
    • Assess the applications and other programs that access customer data, including secure development practices for in-house applications and security evaluation of externally developed ones.
    • Implement multi-factor authentication for any individual accessing any information system, unless the qualified individual has approved equivalent or stronger controls in writing.
    • Dispose of customer data securely, and no later than two years after its last use in providing a product or service, unless retention is required by law or a legitimate business purpose.
    • Adopt change-management procedures to anticipate and evaluate changes to the information system or network.
    • Log the activities of authorized users and review the logs to detect unauthorized access to, or use or tampering with, customer information.
  • Regularly test or otherwise monitor the effectiveness of the safeguards. An institution that does not continuously monitor its systems must perform annual penetration testing and vulnerability assessments at least every six months, and whenever there are material changes to its operations or risk assessment.
  • Oversee third-party service providers that handle the institution’s information: select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the providers based on the risk they present.
  • Ensure that all staff receive security awareness training appropriate to their position, updated to reflect the risks identified in the risk assessment, and keep security personnel current on changing threats and countermeasures.
  • Require the qualified individual to report in writing to the governing body (the board or equivalent) at least annually. The report must include an overall assessment of the institution’s compliance with its information security program and cover the risk assessment, risk management and control decisions, service provider arrangements, test results, security events or violations and how management responded to them, and recommendations for changes to the information security program.

Institutions should already have a basic information security program in place, because GLBA audit requirements were added to the federal Compliance Supplement for the student financial assistance programs starting in 2019. The updated Safeguards Rule, however, goes well beyond the original requirements.  Institutions should review each of the updated requirements, confirm that they are being met, and be prepared to document that compliance for their auditors.  If you have any questions regarding the GLBA, reach out to a member of your audit team.
