Prepare for Gramm-Leach-Bliley Act Cybersecurity Audit Enforcement

The Gramm-Leach-Bliley Act (GLBA) requires colleges and universities to protect the personal data of parents and students participating in the Federal Student Aid (FSA) program. While some private colleges and universities may not participate in this program, many do. With an increase in the frequency and severity of cyberattacks, the Department of Education has stepped up its enforcement of various aspects of the Act. Make sure your college is following the rules to avoid losing access to the FSA program.

Gramm-Leach-Bliley Act

Colleges and universities that participate in the federal student aid program under Title IV must comply with the Gramm-Leach-Bliley Act. The Act requires educational institutions to safeguard the privacy and security of parent and student information. Colleges should therefore develop and maintain strong data security policies and internal controls to protect against unauthorized access to or disclosure of private information. Specifically, the Act requires institutions to:[1]

  • Develop, implement, and maintain a written information security program
  • Designate the employees responsible for coordinating the information security program
  • Identify and assess risks to personal information
  • Design and implement an information safeguards program
  • Select service providers that can maintain appropriate safeguards
  • Periodically evaluate and update their security program

The Department of Education advises that at a minimum, colleges and universities should evaluate and document their current security practices and compare them against the requirements in GLBA. For more information about the cybersecurity requirements of GLBA, read the article Gramm-Leach-Bliley Act and Cybersecurity – What Colleges Need to Know, found in the Brotherhood Mutual Safety Library.

Compliance Audit

To further enhance the safety and security of protected information, the Department of Education enforces the legal requirements of the Act through compliance audits. By incorporating the GLBA security controls into its annual audit guide, the Department can assess and confirm compliance. Colleges and universities will therefore want to pay careful attention to these audit requirements. In an announcement issued by the Department of Education, auditors were instructed to evaluate three information safeguard requirements found in 16 C.F.R. Part 314 (the FTC Safeguards Rule) for both the institution and any third-party servicer. The requirements are:[2]

  1. The institution must designate an individual to coordinate its information security program
  2. The institution must perform a risk assessment that addresses three required areas described in 16 C.F.R. 314.4(b):
    • Employee training and management
    • Information systems, including network and software design, as well as information processing, storage, transmission and disposal
    • Detecting, preventing, and responding to attacks, intrusions, or other systems failures
  3. The institution must document a safeguard for each risk identified in Step 2 above

When an auditor determines that an institution or servicer has failed to comply with any of these three GLBA requirements, the finding will be included in the institution's audit report and reviewed by the Department.

Failure to Comply

Failing to comply with the cybersecurity requirements found in the Gramm-Leach-Bliley Act can cost your college or university time, money, and reputation. Potential penalties for not adequately complying with the requirements include temporary or permanent suspension of access to the Department’s information systems, fines, or loss of access to FSA funds.

Insurance to Protect Your Institution

Regardless of how stringent your cybersecurity is, the fact remains that colleges and universities are a top target of data thieves. With an average cost of $3.9 million per incident,[3] a data breach can consume time and pull resources away from your core goals.

Brotherhood Mutual Insurance Company offers cyber liability coverages to help protect educational institutions against property damage, financial damage, or emotional injury claims resulting from your activities related to computer use and electronic data.

This coverage helps pay for the cost to send required notifications after a breach, the fees associated with credit monitoring services, or the fees paid to a public relations firm to protect your reputation. It also offers special defense coverage for responding to subpoenas, regulatory actions, or non-compensatory lawsuits related to computer use or electronic data.
  1. U.S. Department of Education, Dear Colleague Letter GEN-16-12, Protecting Student Information. July 1, 2016. https://ifap.ed.gov/dear-colleague-letters/07-01-2016-gen-16-12-subject-protecting-student-information
  2. U.S. Department of Education, Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act. February 28, 2020. https://ifap.ed.gov/electronic-announcements/022820EnforcCyberReqGrammLeachBlileyAct Accessed December 2020.
  3. IBM Security, Cost of a Data Breach Report 2020. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/ Accessed December 3, 2020.

Published December 28, 2020.