How Recent Changes in the GLBA Affect Higher Education
Just as many institutions of higher learning are settling in with the requirements of the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule, we are seeing the first major changes to the rule in 16 years. The Safeguards Rule requires financial institutions to maintain a documented information security program to protect customer information, and the recent changes expand on that requirement. The rule applies to customer information collected or maintained by financial institutions, and while it may seem out of place, the FTC has deemed institutions of higher learning to be nonbanking financial institutions.
Higher education is not alone here; other organizations affected by this rule include but are not limited to:
- Mortgage lenders
- Payday lenders
- Finance companies
- Mortgage brokers
- Account servicers
- Check cashers
- Wire transferors
- Travel agencies operated in connection with financial services
- Collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Nonfederally insured credit unions
- Investment advisors that are not required to register with the SEC
While this new rule is lengthier and contains much more specific detail on security requirements that may have appeared a bit vague in the past, these amendments may require only small tweaks to a well-established program.
It should also be noted that Section 314.6 identifies exceptions to some of the new changes. Sections 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than 5,000 consumers. On the surface, it may appear that some institutions will be partially exempt from these new rules; however, management will have to evaluate the records stored on both current and past students to determine whether they fall below this threshold. Even where the exception applies, it is not advisable to eliminate security testing steps that help management validate their security level or overall maturity.
There are many small changes in the document, but the most significant changes are noted in §314.4 Elements. This section explains with more detail the key elements of the previously stated requirements, as well as new additions that must be included in an information security program. Each institution leader should review and promptly address these elements as they must be incorporated by December 9, 2022. The key changes that will affect all institutions include:
- Designate a qualified individual. This person should be a trained security officer responsible for overseeing and implementing your information security program.
- Designate a senior member of your personnel responsible for direction and oversight of the qualified individual.
- Design an information security program that is based on a risk assessment. While this is a current requirement, the new standard offers expanded descriptions to underline the importance of the risk assessment to the construction of a security program.
  - The expanded description includes a requirement to periodically perform additional risk assessments that re-examine the reasonably foreseeable internal and external risks to security.
- Design and implement the security controls identified in the risk assessment. This should include:
  - User access controls, both logical and physical, that authenticate individuals and limit their access to what they need to perform their duties and functions
  - Encryption of customer information, both in transit and at rest
  - Adoption of secure development practices for in-house developed applications you use for transmitting, accessing, or storing customer information
  - Implementation of multifactor authentication for any individual accessing any information system
  - Specific requirements and time frames for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with providing a product or service to the customer
  - Implementation and review of a data retention policy
  - Adoption of procedures for change management
  - Implementation of policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information by such users
- Regular testing and monitoring of the effectiveness of implemented controls. While this is part of the current requirements, it is expanded with new requirements to address:
  - Annual penetration testing
  - Vulnerability assessments
- Information security training. A strong emphasis on ongoing information security training for those in charge of security includes:
  - Security awareness training that is updated and relevant
  - Putting qualified information security personnel in place to manage and oversee the information security program
  - Providing information security personnel with security updates and training sufficient to address relevant security risks
  - Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures
- Oversee service providers. While this section is addressed in current requirements, it was expanded to address “periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.”
- A written incident response plan. This step contains specific requirements to validate that management has designed a program to promptly respond to, and recover from, any security event.
- Annual status reports on the information security program. This will require your qualified individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body on the overall status of the program and on material matters as they relate to security.
Continued diligence is recommended to strengthen your institution’s overall information security and further combat cyber-related attacks. Securing email, implementing backups, and training your staff on phishing awareness are a few best practices that help strengthen your defenses and your recovery strategy. Following the security standards addressed in the GLBA and those of the National Institute of Standards and Technology (NIST) SP 800-171 Rev. 2 can also improve the overall security of your institution while maintaining important compliance requirements. If you have questions, please contact your advisor.