Last year, the Federal Trade Commission (FTC) amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. In response to reports of personnel shortages and supply chain issues, on November 15, 2022, the FTC announced that it had extended the compliance deadline by six months (to June 9, 2023) for provisions of the rule that were originally to become effective on December 9, 2022.
The GLBA is a federal law enforced by the FTC. It governs how financial institutions collect and use customers' personally identifiable information. The specific cybersecurity requirements of the GLBA are set forth in the Safeguards Rule. The U.S. Department of Education―via the Program Participation Agreement, several Dear Colleague Letters, the FSA Handbook and the audit guide―has made it clear that Title IV schools are considered financial institutions and are subject to the GLBA's legal obligations to protect student information. As such, Title IV schools must meet these strengthened security requirements to better protect consumer (student) financial information.
To view details about what Safeguards Rule provisions are included in the extension, please see our Alert.
These requirements are not policies and procedures that can be implemented overnight. Considering the shortage of qualified personnel to implement information security programs and the various supply chain issues, schools may need every bit of those six months to develop an information security program that meets the rule’s comprehensive requirements. Schools should work with legal counsel and an information security professional to draft or revise a comprehensive cybersecurity program to protect student records and ensure compliance with the updated Safeguards Rule.