U.S. Department of Education Ramps Up Enforcement of Cybersecurity Requirements Under the Gramm-Leach-Bliley Act

Faegre Drinker Biddle & Reath LLP

On February 28, 2020, the U.S. Department of Education (ED) issued an electronic announcement regarding its enforcement of cybersecurity requirements under the Gramm-Leach-Bliley Act (GLBA). As described in more detail below, the enforcement of these requirements includes referrals to the Federal Trade Commission (FTC), as well as potential fines and other administrative actions by the ED.

As the ED previously reminded higher education institutions in Dear Colleague Letters GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), such institutions are considered “financial institutions” under the GLBA and, accordingly, must comply with its data security provisions. The obligation to satisfy GLBA cybersecurity requirements is set forth in a higher education institution’s Title IV Federal Student Aid Program Participation Agreement and the related Student Aid Internet Gateway (SAIG) Enrollment Agreement. The SAIG agreement governs the interfacing of an institution’s or third-party servicer’s data systems with the ED’s data systems for the purpose of drawing and disbursing Title IV federal student aid.

In 2019, together with the Office of Management and Budget, the ED required GLBA compliance to be audited as part of each institution’s annual federal compliance audits. Specifically, an institution’s independent auditors are expected to evaluate the following three information safeguard requirements of GLBA in audits of postsecondary institutions or third-party servicers under the regulations in 16 C.F.R. Part 314:

1. Whether the institution or servicer has designated an individual to coordinate its information security program.

2. Whether the institution or servicer has performed a risk assessment that addresses:

a. Employee training and management.
b. Information systems, including network and software design, as well as information processing, storage, transmission and disposal.
c. Detection, prevention and responses to attacks, intrusions or other systems failures.

3. Whether the institution or servicer can document a safeguard for each risk identified under item 2, above.

The ED’s February 28, 2020 announcement states that when an auditor determines that an institution or servicer has failed to comply with any of the above GLBA requirements, the auditor must include that noncompliance as a finding in the institution’s or servicer’s audit report. When an audit report that includes a GLBA audit finding is received by the ED, it will refer the audit to the FTC, and in most cases the FTC will then determine what action may be needed as a result of the GLBA audit finding.

Additionally, the ED has established a Postsecondary Institution Cybersecurity Team (Cybersecurity Team) within the Office of Federal Student Aid. The Cybersecurity Team will also be informed of any GLBA audit findings and may request additional documentation from the institution or servicer in order to assess the level of risk to student data presented by the institution's or servicer's information security system. If the Cybersecurity Team determines that the institution or servicer poses a substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution's or servicer's access to ED information systems. Such systems include the ED's systems for processing Title IV federal student aid funds, meaning that disabled access following a GLBA audit finding could severely interrupt an institution's receipt of those funds. Further, if the Cybersecurity Team determines that the institution or servicer has very serious internal control weaknesses related to data security, or a history of non-compliance with GLBA requirements, the ED may issue fines or take other adverse administrative actions against the institution or servicer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising
