Gramm-Leach-Bliley Act and Cybersecurity

What Colleges Need to Know

Every year, colleges and universities fall victim to cybersecurity breaches. From stolen data to ransomware, cleaning up after a breach can be a significant drain on financial resources. A report published by IBM Security found that the average cost of a data breach for educational institutions is $3.9 million, which includes legal fees, fines, payments to victims, IT assistance, and professional services like PR for breach notifications and crisis communications. [1]

Protect Data

Data breaches are expensive and time consuming, and failure to protect data can negatively affect the ability to participate in certain federal programs. For example, colleges and universities that participate in the Federal Student Aid Program under Title IV must comply with the Gramm-Leach-Bliley Act (GLBA). The Act requires higher education institutions to safeguard the privacy and security of parent and student information. Read more about the Act in the article "Prepare for the Gramm-Leach-Bliley Act Cybersecurity Audit Enforcement" in the Brotherhood Mutual Safety Library.

While the Act is not new, the increasing scrutiny of cybersecurity efforts, as well as the growing sophistication of attacks, make it more important than ever to protect your data. Colleges should develop and maintain strong data security policies and internal controls to defend against unauthorized access to or disclosure of private information. Don’t forget to evaluate any third-party providers you may use for services like advancement, tuition management, learning management, payment services, and others. Cyber breaches of those providers can affect your college, as well. [2]

Cybersecurity Requirements

To protect your institution from attack and to comply with the GLBA, the Department of Education outlines the following cybersecurity requirements, as found in Part 314 of the Act:

  • Designate one or more employees to coordinate your information security program
  • Identify and assess risks to student and parent information
  • Design and implement information safeguards
  • Select and retain service providers that can maintain appropriate safeguards
  • Evaluate and update your information security program

To accomplish these requirements, the Department of Education strongly advises institutions to follow the guidelines provided by the National Institute of Standards and Technology (NIST). The guidelines can be found in the publication NIST SP 800-171. These robust standards are designed to protect sensitive information against unauthorized use. Some of the recommended requirements include: [3]

  • Limit information system access to authorized users
  • Properly train system users
  • Create information system audit records
  • Identify and authenticate users appropriately
  • Maintain information systems
  • Protect media, both paper and digital, containing sensitive information
  • Screen individuals prior to authorizing access
  • Limit physical access to systems
  • Conduct risk assessments
  • Assess security controls periodically and implement action plans
  • Monitor, control, and protect organizational communications
  • Identify, report, and correct information flaws in a timely manner

Evaluate and Improve

As higher education faces the increasing threat of cyberattacks, protecting sensitive information is critical to reducing the risk of a costly and disruptive breach. This is true of all colleges and universities, but it is especially important for any institution that participates in the Federal Student Aid Program. The Department of Education strongly encourages any institution that doesn’t meet current NIST standards to take steps to improve its information security.


References

  1. IBM Security. Cost of a Data Breach Report 2020. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/ Accessed December 3, 2020.
  2. Wood, Colin. 9 times cyberattacks disrupted education this year. EdScoop. https://edscoop.com/list/2020-university-k12-cyberattacks-ransomware/ Accessed December 2020.
  3. U.S. Department of Education. Dear Colleague Letter GEN-16-12. Published July 1, 2016. https://ifap.ed.gov/dear-colleague-letters/07-01-2016-gen-16-12-subject-protecting-student-information Accessed December 2020.

Published December 28, 2020.