What is GLBA and how are higher educational institutions involved in this?
Also known as the Financial Services Modernization Act of 1999, the Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (FTC). The term “financial institutions” is inclusive of all those businesses that deal in financial activities, from mortgage lenders to career counsellors. Since Institutions of Higher Education (IHEs) engage in financial activities (for example, providing Federal Perkins Loan), FTC considers them fit for GLBA compliance.

The Safeguard Rule under GLBA
The implications of GLBA compliance are outlined in the Safeguards Rule (16 CFR 314). Most educational institutions collect personal information from their students and staff (addresses, phone numbers, financial records, social security numbers). As part of GLBA implementation, the Safeguards Rule ensures the protection of such information by developing a written security plan that describes their data protection activities. The higher education institutions are subject to the Safeguards Rule of the Act related to the administrative, technical, and physical safeguarding of customer information.

Compliance with the Act
To maintain GLBA compliance, educational institutions must follow the guidelines in the Safeguards Rule. GLBA requires IHEs to:

  • Develop, implement, and maintain a written information security program
  • Designate an employee(s) responsible for coordinating the information security program
  • Identify and assess risks to student and staff information
  • Design and implement an information safeguards program
  • Select appropriate service providers that can maintain the safeguards
  • Periodically evaluate and update their security program

The consequences of non-compliance with the Act
Students are increasingly moving to digital platforms, and the faculty and staff are constantly sharing information online. With a series of recent ransomware and cyber-attacks (WannaCry, Petya, Locky, CrySis), the need to reinforce cybersecurity planning and training has become crucial. Around 562 data breaches have been reported at 324 IHEs between 2005 and 2014, with doctoral institutions marking the majority of those reported (EDUCAUSE, 2014). Without compliance to GLBA, there can be operational, reputational, and/or financial impacts, as well as national security and privacy concerns, as some IHEs are also involved in Federal defense contractor research projects.