Protecting Student Privacy with GLBA Compliance

By: Brittany Holmes, Corporate Communications Manager

It’s no secret that higher education institutions have become top targets for cybercriminals and ransomware groups. News stories add to the growing statistics: a cyberattack at Clackamas Community College led to cancelled classes, making it the second attack against schools in the Portland area this year. Microsoft reported the education industry makes up 80% of enterprise malware encounters.

To help mitigate the risk to students’ personal data, compliance regulations are becoming stricter when it comes to cybersecurity, starting with recent changes to how the Gramm-Leach-Bliley Act (GLBA) applies to higher education. While GLBA is often associated with financial institutions, its relevance extends far beyond that. For higher education institutions handling financial aid, student loans, and other financial activities, compliance with GLBA is important.

The GLBA compliance checklist focuses on safeguarding students’ personal data and fostering trust within the education community. Failing to comply puts students at risk of identity theft and financial fraud and exposes institutions to penalties and reputational harm. Ensuring GLBA compliance is not just a legal requirement but a measure to protect students and institutional security amid increasing cyberthreats.

This blog details how the GLBA compliance checklist applies to higher education, security program requirements, and opportunities.

Understanding GLBA in Higher Education: A Brief Overview

Originally enacted in 1999 under the Federal Trade Commission (FTC), GLBA mandates transparency in information-sharing practices and protection of sensitive data within financial institutions. To comply with GLBA, higher education institutions must tell their students and employees how they share their data and follow specific parameters to protect it.

While GLBA has existed for years, its impact on higher education institutions has become more pronounced within the last four years. Specifically, GLBA applies to colleges and universities in terms of collecting, storing, and utilizing student financial records containing personally identifiable information.

In July 2019, the Office of Management and Budget (OMB) Compliance Supplement introduced a new audit objective to evaluate institutional compliance with the Safeguards Rule, a key component of GLBA. Subsequently, in December 2021, the FTC revised its Safeguards Rule, with specific provisions taking effect 30 days later and others becoming enforceable by December 9, 2022. To allow institutions enough time for adaptation, the FTC granted a six-month extension, extending the compliance deadline to June 9, 2023.

What Higher Education Needs to Know

Universities and colleges have significant responsibilities when it comes to managing sensitive financial data, including student aid, loans, tuition payments, and payroll information. The Safeguards Rule includes nine elements that a higher education institution’s cybersecurity program must include.

Below are the elements from the GLBA compliance checklist that higher education institutions must include in their security programs:

  1. Designate a qualified individual for information security oversight: Appoint an individual knowledgeable in cybersecurity, beyond just IT, to lead the institution’s security efforts. This person should understand the complexities of safeguarding student data and coordinating with various departments and service providers. Even if a service provider or affiliate helps, the institution remains responsible for compliance.
  2. Conduct periodic risk assessments: Regularly assess the risks associated with student data, research information, and institutional assets. This includes evaluating internal and external threats to data integrity, confidentiality, and availability, aligning with frameworks like NIST, and tailoring them to higher education needs.
  3. Implement safeguards based on risk assessments: Deploy encryption for sensitive data, enforce multi-factor authentication, regularly review access controls, maintain asset inventories, securely dispose of data, and anticipate network changes. Employ a Security Operations Platform to detect and respond to threats effectively.
  4. Train employees on cybersecurity awareness: Develop a proactive security awareness program tailored to the higher education environment. Educate faculty, staff, and students on recognizing and reporting suspicious activities to bolster the institution’s security posture.
  5. Maintain oversight of third-party service providers: Evaluate service providers with expertise in securing educational data. Utilize Security Operations platforms and Managed Detection and Response (MDR) services to monitor vendor access and activities for compliance.
  6. Conduct regular vulnerability scanning and penetration testing: Schedule routine vulnerability scans and penetration tests to identify weaknesses in the IT infrastructure. Utilize progressive penetration testing to simulate different attack scenarios, ensuring critical data remains protected.
  7. Keep security programs current: Continuously update security programs to adapt to evolving threats and operational changes within the institution. Employ Security Operations Platforms to provide real-time insights into network health, compliance, and at-risk programs.
  8. Develop a written incident response plan: Establish a comprehensive incident response plan outlining roles, responsibilities, and steps to mitigate cyberattacks. Conduct tabletop exercises to ensure stakeholders are prepared to respond effectively to security incidents.
  9. Provide an annual security program report: Deliver a comprehensive report to the Board of Trustees or relevant governing body detailing the institution’s security posture, compliance status, risk assessments, incident response activities, and recommended improvements. Utilize specialized reporting tools to streamline compliance reporting processes.

Compliance with GLBA is not just a legal obligation; it is a commitment to protecting sensitive data, upholding student privacy, and safeguarding institutional integrity. Embracing GLBA compliance mitigates risks and fosters a culture of security consciousness essential in today’s digital landscape. For more details, the FTC outlines all nine elements here.

What Happens to Non-Compliant Institutions?

Significant repercussions exist if a higher education institution fails to comply with the GLBA. First, if discovered during the annual audit, the institution’s access to Department of Education information systems may be restricted by the Federal Student Aid’s Postsecondary Institution Cybersecurity Team. Repeated or serious breaches could lead to fines or other administrative actions.

In addition, penalties outlined in the GLBA include fines of up to $100,000 for institutions and individuals. However, the most severe consequence of non-compliance is the risk of a security breach. In such an event, sensitive student data could be compromised, leading to potential ransom payments to recover the information without guaranteeing its return. The institution’s reputation would suffer, impacting its ability to attract prospective students who may question its ability to safeguard their personal information.

An Opportunity to Strengthen Your Cybersecurity Posture

Higher education institutions have a unique opportunity to enhance their security measures while simultaneously complying with GLBA regulations. By proactively adhering to GLBA standards, these institutions protect sensitive financial information and strengthen trust and reputation within their communities.

Compliance ensures legal adherence and mitigates risks, fostering a culture of transparency and integrity. It also secures funding, supports financial stability, and enables investments in cybersecurity infrastructure, ultimately preserving accreditation and academic excellence. Through efficient compliance management, institutions optimize resources and focus on core educational objectives while safeguarding data and enhancing overall security posture.

Many institutions rely on a Security Operations platform to help with their journey toward compliance. Such a platform’s proactive approach to threat detection and response aligns with the demands of GLBA regulations, ensuring constant vigilance against cyber threats. Extended detection and response (XDR) alleviates the burden on internal teams, streamlining compliance management processes. By harnessing the power of XDR, higher education institutions can navigate the complexities of regulatory compliance more efficiently, safeguarding data integrity and elevating their overall security posture.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.