The Gramm-Leach-Bliley Act (GLBA) is a law that applies to financial institutions and includes privacy and information security provisions designed to protect consumer financial data. This law applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing personally identifiable information. GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions. Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). The Safeguards Rule was promulgated in 2002, with compliance required in May 2003.
In early 2017, the federal Office of Management and Budget (OMB), working with the Department of Education's office of Federal Student Aid (FSA), announced that a GLBA Safeguards Rule audit objective would be included in the federal single audit process that most colleges and universities have to follow. Beginning in 2018, FSA started auditing for GLBA compliance. FSA has consolidated its cybersecurity compliance information, which is available on the FSA Cybersecurity Compliance website. Institutions should also carefully review the single provision in the FSA Program Participation Agreement (PPA) that speaks to the GLBA Safeguards Rule, as well as the two provisions in the Student Aid Internet Gateway (SAIG) Agreement that address data breach issues, since these agreements state each college or university's compliance obligations.