U.S. Department of Education Ramps Up Enforcement of Cybersecurity Requirements Under the Gramm-Leach-Bliley Act

On February 28, 2020, the U.S. Department of Education (ED) issued an electronic announcement regarding its enforcement of cybersecurity requirements under the Gramm-Leach Bliley Act (GLBA). As described in more detail below, the enforcement of these requirements includes referrals to the Federal Trade Commission (FTC), as well as potential fines and other administrative actions by the ED.

As the ED previously reminded higher education institutions in Dear Colleague Letters GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), such institutions are considered “financial institutions” under the GLBA and, accordingly, must comply with its data security provisions. The obligation to satisfy GLBA cybersecurity requirements is set forth in a higher education institution’s Title IV Federal Student Aid Program Participation Agreement and the related Student Aid Internet Gateway (SAIG) Enrollment Agreement. The SAIG agreement governs the interfacing of an institution’s or third-party servicer’s data systems with the ED’s data systems for the purpose of drawing and disbursing Title IV federal student aid.

In 2019, together with the Office of Management and Budget, the ED required GLBA compliance to be audited as part of each institution’s annual federal compliance audits. Specifically, an institution’s independent auditors are expected to evaluate the following three information safeguard requirements of GLBA in audits of postsecondary institutions or third-party servicers under the regulations in 16 C.F.R. Part 314:

1. Whether the institution or servicer has designated an individual to coordinate its information security program.

2. Whether the institution or servicer has performed a risk assessment that addresses:

a. Employee training and management.
b. Information systems, including network and software design, as well as information processing, storage, transmission and disposal.
c. Detection, prevention and responses to attacks, intrusions or other systems failures.

3. Whether the institution or servicer can document a safeguard for each risk identified under item 2, above.

The ED’s February 28, 2020 announcement states that when an auditor determines that an institution or servicer has failed to comply with any of the above GLBA requirements, the auditor must include that noncompliance as a finding in the institution’s or servicer’s audit report. When an audit report that includes a GLBA audit finding is received by the ED, it will refer the audit to the FTC, and in most cases the FTC will then determine what action may be needed as a result of the GLBA audit finding.

Additionally, the ED has established a Postsecondary Institution Cybersecurity Team (Cybersecurity Team) within the Office of Federal Student Aid. The Cybersecurity Team will also be informed of any GLBA audit findings and may request additional documentation from the institution or servicer in order to assess the level of risk to student data presented by the institution or servicer’s information security system. If the Cybersecurity Team determines that the institution or servicer poses substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution’s or servicer’s access to ED information systems. Such systems would include the ED’s systems for processing Title IV federal student aid funds, meaning that disabled access following a GLBA audit finding could severely interrupt an institution’s receipt of such funds. Further, if the Cybersecurity Team determines that the institution or servicer has very serious internal control weaknesses as related to data security, or a history of non-compliance with GLBA requirements, the ED may issue fines or take other adverse administrative actions against the institution or servicer.

For additional information regarding these GLBA requirements, and other data privacy matters relevant to educational institutions, please see our previous alerts and blog posts.