The GLBA Safeguards Rule at 15

GLBA is an acronym that often leads to another one in the minds of information security professionals—FUD (fear, uncertainty, and doubt). Among higher education IT professionals, the Gramm-Leach-Bliley Act (GLBA)¹ is best known for its Safeguards Rule, which was designed to protect the security and confidentiality of certain types of customer financial information. The Federal Trade Commission (FTC) issued the Rule in May 2002, with industry compliance required by May 2003; the FTC also oversees higher education institutional compliance.²

This article reviews the history of the GLBA Safeguards Rule and offers some thoughts on where it might be headed in its late-adolescent years.

A Brief History of GLBA and the Safeguards Rule

GLBA is also known as the Financial Services Modernization Act of 1999. The law's original purpose wasn't to protect the security and privacy of consumer information. Instead, it was passed to allow different types of financial institutions to merge. Because these new merged institutions would have access to tremendous amounts of customer information, the law included new rules on how financial institutions would have to protect consumer financial information. These rules are known as the Privacy Rule,³ the Safeguards Rule,⁴ and the Pretexting Rule.⁵ They are enforced for various industries by their respective regulating bodies—the federal bank regulatory agencies, the Securities and Exchange Commission, and the FTC.

Understanding why GLBA and its rules even apply to higher education can sometimes be confusing. Reduced to its most basic concepts, GLBA applies to higher education institutions because colleges and universities participate in certain types of financial activities that are defined in banking law. Administering federal student loans is one of the main types of activities that pull institutions under the GLBA umbrella. However, because colleges and universities don't entirely fit the traditional model of a financial institution, the FTC has provided some flexibility on the privacy side.

The Privacy Rule regulations promulgated by the FTC specifically state that colleges and universities are deemed to be in compliance with the rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA).⁶ Thus, colleges and universities do not have to bear the unique burdens of the Privacy Rule in addition to those they must already address under FERPA.

Higher education compliance with the Safeguards Rule, however, was not similarly exempted. Colleges and universities must therefore meet the GLBA Safeguard Rule's requirements, which aim to:

• Ensure the security and confidentiality of customer records and information
• Protect against any anticipated threats or hazards to the security or integrity of that customer data
• Protect against unauthorized access to or use of customer data, which could result in substantial harm or inconvenience to customers

The FTC issued its Safeguards Rule standards in May 2002. Under those regulations, financial institutions (including higher education institutions) must

…develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to [the institution's] size and complexity, the nature and scope of [institutional] activities, and the sensitivity of any customer information at issue.⁷

In addition, in implementing its information security program, an institution must undertake five specific activities. First, it must designate an employee or employees to coordinate the institution's information security program. Second, it must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information; it must then assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of the institution's operations, including

• employee training and management;
• information systems, including network and software design, information processing, storage, transmission, and disposal; and
• detection and prevention of and response to attacks, intrusions, or other systems failures.

Third, it must design and implement information safeguards to control the risks that the institution identifies through risk assessment and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.

Fourth, it must oversee service providers by

• taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and
• requiring the service providers, by contract, to implement and maintain such safeguards.

Finally, it must evaluate and adjust the institution's information security program in light of the results of the testing and monitoring required by the Safeguards Rule; of any material changes to the institution's operations or business arrangements; or of any other circumstances that the institution knows (or has reason to know) may materially impact its information security program.⁸

FTC-regulated financial institutions had until May 2003 to comply with the rule. At higher education institutions, IT and business office professionals have since worked together to understand the GLBA Safeguards Rule's scope and how to best comply with it. Likewise, associations such as EDUCAUSE and the National Association for College and University Business Officers (NACUBO) continue to work together to provide guidance for their respective members as new developments arise. This most recently occurred in 2015, when the US Department of Education (ED) wrote GLBA Safeguards Rule compliance into its Title IV Program Participation Agreement (PPA) [https://ifap.ed.gov/qadocs/Sampling/BlankPPA.pdf] (for details, see the ED's 2015 and 2016 "Dear Colleague" letters; note, however, that EDUCAUSE has raised concerns about aspects of those letters that institutions should consider).

Recent GLBA Safeguards Rule Activity

Historically, Safeguards Rule compliance issues have been a staple of discussions among higher education information security practitioners. They have written numerous presentations, articles, blogs, and resource pages on the subject, and it is among the compliance topics regularly mentioned in EDUCAUSE discussion groups.

The initial furor over GLBA Safeguards Rule compliance initially subsided roughly two years after the rule was promulgated. The requirements to craft an information security program were relatively straightforward and, as perhaps most information security practitioners would agree, they contained elements that would arguably be part of any modern information security program, even if they weren't legally mandated. These requirements include the following:

• Create an information security program based on a risk level relevant to your institution's size and complexity and that accounts for the sensitivity of data you use? This is Information Security 101.
• Do a risk assessment and mitigate the risks that you identify? This is a foundational methodology of information security practice.
• Designate an official responsible for the program? This one makes sense if you want to insure accountability and responsibility and develop a culture of information security at the institution—after all, you need someone to rally the troops.
• Include training and awareness as part of the program? Making sure employees receive training and awareness on information security best practices is itself an acknowledged best practice for mitigating information security risk.
• Pay attention to what service providers are doing with your data? Also Information Security 101.

As time passed, GLBA Safeguards Rule compliance became "business as usual" for higher education institutions, taking a central position in the set of laws and regulations that institutions must comply with from a technology standpoint (such as HIPAA, PCI, FACTA, and FERPA). In 2016, the FTC sought public comment on the Safeguards Rule during its regular regulations review. At that time, EDUCAUSE and NACUBO joined together to urge the FTC to preserve the flexibility organizations have under the Safeguards Rule to develop information security programs that best fit their unique contexts. Thus far, the FTC has made no changes to the rule.

Following the 2015 and 2016 "Dear Colleague" letters mentioned above, ED began working to incorporate a Safeguards Rule audit objective into the federal single audit process, which public and private nonprofit colleges and universities generally must follow. Its goal is to establish institutional accountability for Safeguards Rule compliance based on the PPA provision. In both 2017 and 2018, EDUCAUSE worked with other higher education associations to properly outline and scope the audit objective that ED's Office of Federal Student Aid (FSA) and the White House's Office of Management and Budget (OMB) proposed to use. Subsequently, in January 2018, EDUCAUSE submitted a letter to FSA expressing concern about its then-recent actions on data breach notification and information security program reporting. Those particular FSA actions relied on the PPA's GLBA compliance language, as well as a breach notification provision of the Student Aid Internet Gateway (SAIG) agreement.

At the moment, the Safeguards Rule audit objective is on hold until at least the Fiscal Year 2019 audit process. EDUCAUSE and its association partners anticipate that, when the audit objective text does reemerge, it will be roughly the same as what we previously negotiated with FSA and OMB. The higher education and audit communities won't know for certain, however, until the two federal agencies share what they propose to include in the federal single audit compliance supplement for the relevant fiscal year. (At this point, FY19 remains a strong possibility, but it still has not been officially confirmed.) In the meantime, the text that all the parties agreed to in 2017 provides the best guidance on what the federal audit process might entail in relation to the Safeguards Rule. IT, business office, and audit professionals can use that text as a starting point for getting prepared.

What Happens Next?

Higher education institutions have had to comply with the Safeguards Rule's provisions for well over a decade, and those provisions have been largely unchanged since their inception. What has changed, however, is growing consumer weariness over data breaches and growing government recognition that securing student financial aid data is critical.⁹

No one has yet gone broke betting against the capacity of Congress to pass comprehensive information security and privacy legislation. Massive data breaches in the public and private sectors have come and gone, but agreement on national breach notification, information security, and data privacy standards to help stem the tide remains elusive. In the absence of such legislation, federal agencies' reliance on existing laws and regulations to shield the personally identifiable information entrusted to their care has only increased.

The US Department of Education, through FSA, has chosen to use its contracts with colleges and universities to leverage the Safeguards Rule—which higher education institutions have long been subject to under FTC enforcement—to address concerns that student and parent data may not be adequately secured. The good news for higher education institutions is that the rule emphasizes the development and maintenance of information security plans based on the institution's unique context. The elements that the Safeguards Rule does mandate are essentially foundational; thus, establishing compliance with its requirements should largely be a matter of assembling the right documentation in the right way for the institution's auditors or FSA compliance officials.

The less-welcome news, however, is that all institutions participating in FSA programs now must be prepared to demonstrate Safeguards Rule compliance. This is true regardless of whether a Safeguards Rule audit objective is implemented for the FY19 audit process or thereafter, or whether FSA has provided clear, publicly available standards and processes for establishing institutional compliance with the regulation. If your institution's PPA includes a Safeguards Rule compliance provision—which is increasingly likely because institutions renew their PPAs regularly and we are now three years removed from the provision's inclusion in the agreement's standard text—then FSA could rightfully ask the institution for information illustrating its compliance. This is unlikely to happen out of the blue, and FSA has signaled its desire to collaborate with institutions in assessing and addressing potential compliance issues. Given the existing data breach risks, however, institutions would be well advised to have their Safeguards Rule compliance information in order should the question arise.

Without public documentation of FSA standards and processes or a published, final Safeguards Rule audit objective in place, "watchful waiting" and "continuous improvement" remain the order of the day. Some steps to take right now, however, include the following:

1. Review your written information security program documentation, specifically with respect to GLBA compliance. Ensure that any documentation that was written originally for GLBA compliance (circa 2002–2003) is updated for your current circumstances, size, and complexity.
2. Have you done a risk assessment lately for GLBA-covered information? If you haven't done a formal risk assessment since the Safeguards Rule was implemented, now might be a good time to review your original risk assessment and update it for changed conditions.
3. Make sure that your campus information security training and awareness activities reflect the current risks to GLBA-covered information and offer best practices on how to handle and secure those data.
4. Pay attention to contracts and other documents that may mandate GLBA compliance or impose other information security and privacy compliance requirements. Are there any gaps that you need to address?
5. Follow the FTC enforcement actions related to the GLBA Safeguards Rule. These enforcement actions can give you a sense of the types of cases that the FTC investigates, which may help you identify gaps in your information security program as well.
6. Follow the EDUCAUSE Policy Spotlight blog for information about how the federal government is addressing IT policy issues that affect higher education. GLBA compliance and enforcement is one of the areas that EDUCAUSE specifically monitors. As EDUCAUSE learns about federal activity impacting GLBA, the Policy Spotlight is one of the first places we will share that information.

At fifteen, the GLBA Safeguards Rule is largely unchanged from its original form, and most higher education information security practitioners are well versed in applying the law to their institutional information security programs. However, the need to demonstrate Safeguards Rule compliance as a condition of participation in FSA programs is still a relatively new phenomenon with which we must now contend.

While EDUCAUSE continues to work with other associations and relevant federal agencies to map the contours of that compliance, colleges and universities should seize the opportunity now to prepare their case for why they are in compliance. This will serve them well both in the near term, should they be asked while FSA standards and processes remain undefined, and in the long term, so they won't have to start from scratch if FSA seeks to impose requirements rapidly.

Notes

1. Protection of Nonpublic Personal Information, 15 U.S.C. sec. 6801 (2011). ↩
2. Enforcement, Protection of Nonpublic Personal Information, 15 U.S.C. sec. 6805 (2011). ↩
3. Protection of Nonpublic Personal Information, 15 U.S.C. secs. 6801–6803 (2011). ↩
4. Protection of Nonpublic Personal Information (2011). ↩
5. Privacy Protection for Customer Information of Financial Institutions, 15 U.S.C. sec. 6821 (2010); the Pretexting Rule is beyond the scope of this article. ↩
6. For the FERPA compliance exemption, see the last sentence in Purpose and Scope, Privacy Protection for Customer Information of Financial Institutions, 16 U.S.C. sec. 313.1 (2010). ↩
7. Standards for Safeguarding Customer Information, 16 C.F.R. sec. 314.3 (2011). ↩
8. Elements, Standards for Safeguarding Customer Information, 16 C.F.R. sec. 314.4 (2003). ↩
9. Better Program Management and Oversight of Postsecondary Schools Needed to Protect Student Information, U.S. Government Accountability Office, December 15, 2017, 55. ↩

---

Joanna Lyn Grama is a Senior Consultant at Vantage Technology Consulting Group.

Jarret Cummings is the Senior Advisor for Policy and Government Relations at EDUCAUSE.