Department of Education Announces Required Cybersecurity Updates for Postsecondary Institutions to Comply with the Safeguards Rule

Troutman Pepper

On February 9, the U.S. Department of Education (ED) released an announcement about updates that postsecondary institutions must make to their cybersecurity and data protection policies in order to comply with the Federal Trade Commission’s amended Standards for Safeguarding Customer Information (Safeguards Rule), a component of the Gramm-Leach-Bliley Act (GLBA). The effective date for most of the changes to the Safeguards Rule is June 9, 2023. The announcement provides a summary of the changes to the Safeguards Rule, explains the impacts of the changes on postsecondary institutions, and describes changes to ED’s enforcement of the GLBA requirements.

As background, and as discussed here, the Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amended Safeguards Rule requires more specific criteria for what safeguards financial institutions must implement as part of their information security programs. Title IV schools that have agreed to participate in federal student financial aid programs must comply with the Safeguards Rule to protect student financial aid information.

Notably, the Safeguards Rule uses the terms “customer” and “customer information.” For a postsecondary institution, customer information is information obtained when providing a financial service to a student (past or present). According to ED’s announcement, institutions provide a financial service when they, among other things, make institutional loans, including income share agreements, or certify or service a private education loan on behalf of a student. The inclusion of income share agreements in the announcement is consistent with ED’s prior statement that income share agreements are private education loans under the Truth-in-Lending Act and Regulation Z.

An institution’s written information security program must include the following nine elements (seven if the institution maintains information on fewer than 5,000 students):

  1. A designated qualified individual responsible for overseeing and implementing the institution’s security program.
  2. A risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information.
  3. Safeguards to control the risks the institution identifies through its risk assessment.
  4. Regular testing and monitoring of the safeguards.
  5. Policies and procedures to ensure that personnel can enact the information security program.
  6. Oversight of the information system service providers.
  7. Evaluation and adjustment of its information security program in light of the results of the required testing and monitoring.
  8. The establishment of an incident response plan.
  9. Periodic (at least annual) reports from the designated qualified individual to those with control over the institution.

ED plans to conduct compliance audits. Any GLBA findings will have the same effect on an institution’s participation in the Title IV programs as any other determination of non-compliance: they will require resolution through a Corrective Action Plan (CAP) or put the institution’s participation in the Title IV programs at risk.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
