GLBA Safeguards Rule Compliance Deadline Extension

Senior Analyst

Top of Mind: GLBA Safeguards Rule Compliance Deadline Extension
Estimated Reading Time: 3 minutes

As most of you know, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was designed to regulate, control, and take affirmative precautions to safeguard sensitive nonpublic personal information (NPI) collected by organizations classified as “financial institutions” from individuals to obtain a financial product or service. The GLBA rules, which went into effect in 2003, are enforced by the Federal Trade Commission (FTC) for higher education. Since Title IV higher education institutions receive federal funding and store financial aid information, the FTC has deemed higher education institutions a nonbanking financial institution that must adhere to GLBA regulations.

The three key rules of GLBA include:

  • Financial Privacy Rule – requires financial organizations to protect the security and confidentiality of customer data (personal data, bank and credit card data, and income and credit history information). The Financial Privacy Rules provide that higher education institutions that comply with the Family Educational Rights and Privacy Act (FERPA) are deemed compliant with the GLBA Privacy Rule.
  • Safeguards Rule – requires financial organizations to form and maintain a documented information security program that leverages administrative, technical, and physical safeguards to protect sensitive customer data.
  • Pretexting Rule – prohibits the solicitation or disclosure of NPI using false pretenses or deception.

Since the initial release of GLBA, there have been several revisions. In July 2019, the Office of Management and Budget released a Compliance Supplement outlining provisions for assessing institutional compliance with the GLBA Safeguards Rule. Leading up to the July 2019 GLBA update, compliance was self-regulated, and institutions were not held accountable for noncompliance. However, due to several high-profile cybersecurity issues across US higher education, GLBA compliance checks are now required as part of annual federal compliance audits.

In October 2021, the FTC approved changes to the Safeguards Rule that require additional specificity in implementing information security programs. While some of these updated provisions took effect 30 days after publication, other sections were slated to go into effect on December 9, 2022. However, due to personnel shortages and supply chain issues, the FTC issued a statement on November 15, 2022, extending the deadline by six months to June 9, 2023.

According to the FTC, the following provisions of the updated Safeguards Rule are included in the six-month extension.

  • 314.4(a) Designate a qualified and trained security officer responsible for overseeing, implementing, and enforcing the institution’s information security program. This rule was extended to also require that a senior member be responsible for the direction and oversight of the designated security officer.
  • 314.4(b)(1) Design an information security program based on risk assessment. This rule was extended requiring institutions to periodically produce written risk assessments about newly mandated requirements on customer information that re-examine the reasonably foreseeable internal and external risks to security.
  • 314.4(c)(1)-(8) Institutions must design and implement safeguards to control risks that are identified in the risk assessment, including:
    • Limit, authenticate, and monitor user access to sensitive customer data using technical, logical, and physical controls.
    • Encryption of all sensitive customer data in transit over external networks and at rest
    • Implement multifactor authentication (MFA) for any individual accessing any information system.
  • 314.4(e) Regular information security awareness training for security staff to ensure qualified staff are managing the information security program, and that information security staff are qualified and receive regular security updates and training to address security risks
  • 314(f)(3) Periodically assess the security practices of service providers based on the risk they present and the continued adequacy of their safeguards.
  • 314.4(h) Develop a written incident response plan, including specific elements, to validate management has designed a program to respond promptly and recover from any security events.

The following provisions of the updated Safeguards Rule were not extended and are scheduled for compliance on December 9, 2022.

  • 314.4(c)(1)-(8) Institutions must design and implement safeguards to control risks that are identified in the risk assessment, including:
    • Implement secure development procedures for developing in-house applications that transmit, store, and access customer data. This rule also requires procedures to assess the security of third-party applications that touch customer information.
    • Implement secure procedures (requirements and time frames) to dispose of customer data in any format no later than two years after the last usage date.
    • Implement and review the data retention policy.
    • Change management procedures
    • Establishment of policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information
    • Inventory of relevant IT environment and management of the same consistent with their business priority and the institution’s risk strategy
  • 314.4(d)(2) Regular monitoring and testing of the effectiveness of information system controls, plus a new requirement for annual penetration testing and vulnerable assessments
  • 314.4(i) A qualified institutional representative must submit a written annual status report on the information security program to the institution’s governing board.

In speaking with higher education CIOs, a common best practice is to keep an inventory of all networked computers and associated employees that can access NPI. Some institutions also require new employees to complete online training on NPI. Another best practice is to notify all relevant third-party contractors asking them to acknowledge that they are aware and in compliance with GLBA requirements. Lastly, Directors of Network Infrastructure are commonly identified as the GLBA Coordinator with the Director of Financial Aid as a co-sponsor.

Share Article:

Senior Analyst
As a senior analyst for Tambellini Group, Mary Beth Cahill focuses her research on CRM and advancement initiatives. She has led numerous research efforts, specifically in vendor administrative systems and student information systems (SIS) software solutions, data and learning analytics, CRM, learning management, and social networking. Mary Beth is also the co-author of several published industry reports, including Tambellini Group's "Upgrade or Replace" and "Vendor Review" series of reports.

Other Posts From this Author:

Realize Your Institution's Goals Faster with The Tambellini Group®

Higher Education Institutions


Solution Providers & Investors

market insights

Become a Client of the Tambellini Group.

Get exclusive access to higher education analysts, rich research, premium publications, and advisory services.

Be a Top of Mind Podcast featured guest

Request a Briefing with a Tambellini Analyst

Suggest your research topics

Subscribe to Tambellini's Top of Mind.

Weekly email featuring higher education blog articles, infographics or podcasts.