Higher education institutions have been required to comply with the provisions of the Safeguards Rule of the Gramm-Leach Bliley Act (GLBA) for more than a decade. Since its inception, however, there has been little oversight by the Department of Education (DoE) related to the GLBA. This is about to change.
The DoE recently made it clear to institutions that it expects the proper controls and processes in place and will begin monitoring compliance in the near future through the annual single audits performed on Title IV student financial aid funds received.
What does this mean to my institution?
Institutions' external auditors will be required to conduct expanded audit testing and report significant noncompliance findings if the required security is not in place.
Where should I start?
Many institutions are asking this same question. Here's what we recommend:
- Understand the current rules.
- Determine if your institution has a documented response to the Safeguards Rule.
- If documentation is insufficient to demonstrate the institution’s current compliance with the Safeguards Rule, gather the appropriate individuals to design a plan to implement the requirements of the regulations.
- If your institution has a documented response to the Safeguards Rule, determine if any updates are necessary to demonstrate effective compliance.
- Communicate the potential impact of the GLBA Safeguards Rule to interested parties. These include the student financial aid department, information technology, Controller’s office, chief financial officer or vice president of finance, chief executive officer or president, board of trustees, etc.
Remind me — what are the current rules?
The overall expectations of the Safeguards Rule can be found at the Federal Trade Commission (FTC).
Specifically, some of the key requirements call for institutions to:
- Designate an information security officer and related oversight responsibilities for the institution’s security.
- Assess the risks to confidential information, assess the level of mitigating controls in place, and identify action plans to accept or further mitigate remaining risks.
- Implement an information security program, including various technical and physical underlying controls, such as data encryption and secure shredding processes.
- Oversee vendor relationships to ensure confidential data are secured at their locations when applicable and access is controlled when vendors connect to the institution.
- Perform an ongoing evaluation of their program to keep content current with an ever-evolving security environment.
Examples of higher education data that need to be protected include:
- Information a student provides on the Free Application for Federal Student Aid (FAFSA).
- Student application information.
- Student information that is shared with service providers, for example for loan servicing purposes.
How are these changes expected to impact single audits?
The Safeguards Rule isn't currently tested as part of the federal compliance audit (or single audit) of Title IV funds. But communications from the DoE consistently indicate it will become part of this testing in the near future. Currently, testing steps are expected to be included in the 2019 release of the Office of Management and Budget Compliance Supplement for external auditors to follow when testing the Student Financial Assistance cluster.
As reported in the Federal Student Aid: Better Program Management and Oversight of Postsecondary Schools Needed to Protect Student Information report issued by the U.S. Government Accountability Office (GAO) in December 2017, the DoE requested the following suggested audit procedures be tested in the external auditor's compliance audit:
- Verify that a school has designated an individual to coordinate the information security program,
- Obtain the school’s risk assessment and verify that it addresses the required standards for safeguarding customer information, and
- Obtain documentation of the school’s safeguard that aligns with each risk identified from the risk assessment and verify that the school has identified a safeguard for each risk.
Whether the steps above (as written) or another version of these steps are ultimately decided upon by the DoE, external audit firms will have to complete this testing when the compliance supplement includes them. As a result, institutions will have to demonstrate compliance with the underlying requirements of the Safeguards Rule during the audit period. This may entail more individuals or departments at institutions being involved in responding to audit requests than in the past, and it certainly will mean more time spent by external auditors and auditees to complete the testing.
Where can I find more information?
We've compiled a list of resources to help higher education institutions more fully understand compliance with the GLBA Safeguards Rule, including:
- IFAP Dear Colleague Letter - July 29, 2015 - GEN-15-18 - Protecting Student Information
- IFAP Dear Colleague Letter - July 1, 2016 - GEN-16-12 - Protecting Student Information
- Safeguards Rule - Full Text
- GAO Report on Federal Student Aid - November 2017
What should I do now?
Assess the Safeguards Rule at your institution. External auditors may be testing compliance sooner than you think, and you'll want to make sure your institution is in compliance.
What if I need help?
Plante Moran has a cybersecurity team with years of experience assisting organizations with GLBA Safeguards Rule concerns. Please contact our team if you have any questions about the Safeguards Rule expectations.
