Postsecondary institutions participating in the Federal Student Aid Programs agree to comply with The Gramm-Leach Bliley Act (GLBA) when they sign their program participation agreement with the U.S. Department of Education. The rules require institutions to implement safeguards and internal controls to ensure the confidentiality, security and integrity of student and parent information in their systems. These rules also obligate an institution’s third-party servicers to maintain strong security policies and controls to prevent unauthorized access or disclosure of sensitive information.

In a recent electronic announcement, FSA announced enforcement of the GLBA requirements that went into effect back in 1999 through required annual compliance audits. Those same rules allow the Federal Trade Commission to take enforcement action against an institution that fails to protect student information from unauthorized access or disclosure.

According to the announcement, auditors are expected to evaluate three information safeguard requirements of GLBA in audits of postsecondary institutions or third-party servicers under the regulations in 16 C.F.R. Part 314:

1 – The institution must designate an individual to coordinate its information security program.

2 – The institution must perform a risk assessment that addresses three required areas described in 16 C.F.R. 314.4(b):
a) Employee training and management;
b) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
c) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

3 – The institution must document a safeguard for each risk identified in Step 2 above.

When an auditor determines that an institution or servicer has failed to comply with any of these GLBA requirements, the finding will be included in the institution’s audit report. When an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the FTC for further review and if necessary, they will take enforcement action against an institution which may include disabling or revoking access to ED’s information systems such as COD, NSLDS, and other systems needed to process aid.