The Federal Trade Commission (FTC) published a final rule on December 9, 2021, amending the customer information safeguard requirements under the federal Gramm-Leach-Bliley Act (GLBA), commonly known as the “Safeguards Rule.” Since its enactment in 1999, the GLBA has set the standard for protecting customer data at financial institutions, a category that includes colleges and universities participating in the Title IV federal student aid programs.
Although the revised Safeguards Rule took effect on January 10, 2022, schools have until December 2022 to implement most of the new requirements. Notable mandates include:
- Designating a single “Qualified Individual” to oversee the information security program, rather than distributing that responsibility across a team or group of employees. Because this oversight will usually sit within an institution’s information technology function, expect the chief information security officer (CISO) or chief information officer (CIO) to be the responsible party.
- Basing the information security program on a written risk assessment that identifies “foreseeable internal and external risks to the security, confidentiality, and integrity” of customer (student) information held by the institution. Written documentation of the assessment is now mandatory under the Rule.
- Designing the information security program to control the assessed risks through eight specific types of safeguards: access controls; an inventory of the data, personnel, devices and systems in scope; encryption of customer information in transit and at rest; secure development practices for in-house applications; multi-factor authentication for anyone accessing customer information; secure disposal of customer information no longer needed; change management procedures; and logging and monitoring of authorized user activity.
- Regularly monitoring and testing the effectiveness of safeguards, either through continuous monitoring or, at a minimum, annual penetration testing plus vulnerability assessments at least every six months, to detect actual and attempted attacks on information systems.
- Overseeing service providers that handle customer information: selecting providers capable of maintaining appropriate safeguards, requiring those safeguards by contract, and periodically assessing each provider based on the risk it presents.
- Reporting in writing, at least annually, to the institution’s board (or an equivalent governing body) on the overall status of the information security program and its compliance with the updated Safeguards Rule.
Because higher education institutions are frequent targets of attackers and regular victims of data breaches, a robust and well-understood program for maintaining and protecting student information is critical. Such programs depend on institution-wide accountability: every employee must be aware of the changes and take responsibility for protecting personal data.