Learn about specialized measures and protocols to safeguard educational institutions’ digital infrastructure, data, and online learning platforms from cyber threats.

Transforming Cutting-Edge Threat Research into Defense Strategies

Event Details

Date: June 28, 2024
Time: 10AM PT  /  1PM ET

About this Talk

Educational institutions face unique cyber threats, and staying ahead requires not just awareness, but actionable strategies to defend against adversaries. This webinar dives deep into the latest threat research and explores how to apply it to your defenses.

Why you can’t miss this webinar:

  • Live Demonstration: Witness a demonstration of MFA bypass techniques used by cybercriminals, showing you exactly how these attacks unfold.
  • Actionable Intelligence: Discover how to convert threat research into practical defense measures for your organization.
  • Tailored Solutions: Learn specific strategies for protecting against the unique challenges faced by K-12 and higher education institutions.


Mark Sangster
VP, Chief of Strategy, Adlumin

Bryan LangleyModerator
Senior Fellow, Center for Digital Government

Protecting Student Privacy with GLBA Compliance

By: Brittany Holmes, Corporate Communications Manager

It’s no secret that higher education institutions have become top targets for cybercriminals and ransomware groups. For example, news stories like those about cyberattacks disrupting classes at Clackamas Community College where classes were cancelled, making this the second attack against schools in the Portland area this year, add to the growing statistics. Microsoft reported the education industry makes up 80% of enterprise malware encounters.

To help mitigate the risk of student’s personal data, compliance regulations are becoming stricter when it comes to cybersecurity, starting with recent changes to how the Gramm-Leach-Biley Act (GLBA) applies to higher education. While GLBA is often associated with financial institutions, its relevance extends far beyond that. For higher education institutions handling financial aid, student loans, and other financial activities, compliance with GLBA is important.

The GLBA compliance checklist focuses on safeguarding students’ personal data and fostering trust within the education community. Failing to comply puts students at risk of identity theft and financial fraud and exposes institutions to penalties and reputational harm. Ensuring GLBA compliance is not just a legal requirement but a measure to protect students and institutional security amid increasing cyberthreats.

This blog details how the GLBA compliance checklist applies to higher education, security program requirements, and opportunities.

Understanding GLBA in Higher Education: A Brief Overview

Originally enacted in 1999 under the Federal Trade Commission (FTC), GLBA mandates transparency in information-sharing practices and protection of sensitive data within financial institutions. To comply with GLBA, higher education institutions must tell their students and employees how they share their data and follow specific parameters to protect it.

While GLBA has existed for years, its impact on higher education institutions has become more pronounced within the last four years. Specifically, GLBA applies to colleges and universities in terms of collecting, storing, and utilizing student financial records containing personally identifiable information.

In July 2019, the Office of Management and Budget (OMB) Compliance Supplement introduced a new audit objective to evaluate institutional compliance with the Safeguards Rule, a key component of GLBA. Subsequently, in December 2021, the FTC revised its Safeguards Rule, with specific provisions taking effect 30 days later and others becoming enforceable by December 9, 2022. To allow institutions enough time for adaptation, the FTC granted a six-month extension, extending the compliance deadline to June 9, 2023.

What Higher Education Needs to Know

Universities and colleges have significant responsibilities when it comes to managing sensitive financial data, including student aid, loans, tuition payments, and payroll information. The Safeguards Rule includes nine elements that higher education’s cybersecurity programs must consist of.

Below are elements from the GLBA compliance checklist that higher education must include in their security program:

  1. Designate a qualified individual for information security oversight: Appoint an individual knowledgeable in cybersecurity, beyond just IT, to lead the institution’s security efforts. This person should understand the complexities of safeguarding student data and coordinating with various departments and service providers. Even if a service provider or affiliate helps, the institution remains responsible for compliance.
  2. Conduct periodic risk assessments: Regularly assess the risks associated with student data, research information, and institutional assets. This includes evaluating internal and external threats to data integrity, confidentiality, and availability, aligning with frameworks like NIST, and tailoring them to higher education needs.
  3. Implement safeguards based on risk assessments: Deploy encryption for sensitive data, enforce multi-factor authentication, regularly review access controls, maintain asset inventories, securely dispose of data, and anticipate network changes. Employ a Security Operations Platform to detect and respond to threats effectively.
  4. Train employees on cybersecurity awareness: Develop a proactive security awareness program tailored to the higher education environment. Educate faculty, staff, and students on recognizing and reporting suspicious activities to bolster the institution’s security posture.
  5. Maintain oversight of third-party service providers: Evaluate service providers with expertise in securing educational data. Utilize Security Operations platforms and Managed Detection and Response (MDR) services to monitor vendor access and activities for compliance.
  6. Conduct regular vulnerability scanning and penetration testing: Schedule routine vulnerability scans and penetration tests to identify weaknesses in the IT infrastructure. Utilize progressive penetration testing to simulate different attack scenarios, ensuring critical data remains protected.
  7. Keep security programs current: Continuously update security programs to adapt to evolving threats and operational changes within the institution. Employ Security Operations Platforms to provide real-time insights into network health, compliance, and at-risk programs.
  8. Develop a written incident response plan: Establish a comprehensive incident response plan outlining roles, responsibilities, and steps to mitigate cyberattacks. Conduct tabletop exercises to ensure stakeholders are prepared to respond effectively to security incidents.
  9. Provide an annual security program report: Deliver a comprehensive report to the Board of Trustees or relevant governing body detailing the institution’s security posture, compliance status, risk assessments, incident response activities, and recommended improvements. Utilize specialized reporting tools to streamline compliance reporting processes.

Compliance with GLBA is not just a legal obligation, it is a commitment to protecting sensitive data, upholding student privacy, and safeguarding institutional integrity. Embracing GLBA compliance mitigates risks and fosters a culture of security consciousness essential in today’s digital landscape. For more details, the FTC outlines all nine elements here.

What Happens to Non-Compliant Institutions?

Significant repercussions exist if a higher education institution fails to comply with the GLBA. First, if discovered during the annual audit, the institution’s access to Department of Education information systems may be restricted by the Federal Student Aid’s Postsecondary Institution Cybersecurity Team. Repeated or serious breaches could lead to fines or other administrative actions.

In addition, penalties outlined in the GLBA include fines of up to $100,000 for institutions and individuals. However, the most severe consequence of non-compliance is the risk of a security breach. In such an event, sensitive student data could be compromised, leading to potential ransom payments to recover the information without guaranteeing its return. The higher education’s reputation would suffer, impacting its ability to attract prospective students who may question its ability to safeguard their personal information.

An Opportunity to Strengthen Your Cybersecurity Posture

Higher education institutions have a unique opportunity to enhance their security measures while simultaneously complying with GLBA regulations. By proactively adhering to GLBA standards, these institutions protect sensitive financial information and strengthen trust and reputation within their communities.

Compliance ensures legal adherence and mitigates risks, fostering a culture of transparency and integrity. It also secures funding, supports financial stability, and enables investments in cybersecurity infrastructure, ultimately preserving accreditation and academic excellence. Through efficient compliance management, institutions optimize resources and focus on core educational objectives while safeguarding data and enhancing overall security posture.

Many rely on a Security Operations platform to help with their journey toward compliance. Their proactive approach to threat detection and response aligns seamlessly with the demands of GLBA regulations, ensuring constant vigilance against cyber threats. XDR alleviates the burden on internal teams, streamlining compliance management processes. By harnessing the power of XDR, higher education institutions can navigate the complexities of regulatory compliance more efficiently, safeguarding data integrity and elevating their overall security posture.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.

RIC ONE DPSS 2024 Annual Conference

Join Adlumin during the Annual RIC ONE DPSS Statewide Conference, the essential gathering for K-12 Data Protection Officers and data privacy experts in New York State. This conference is the ultimate platform to connect with peers, collaborate on industry challenges, and deepen your understanding of data protection and cybersecurity in the K-12 education sector.

Don’t miss this exclusive opportunity to engage with industry leaders, gain valuable insights from expert speakers, and explore innovative solutions to safeguard student data and privacy.

Secure your spot today to stay ahead of the curve in protecting sensitive information and ensuring compliance with evolving regulations.

Dates: May 2-3, 2024
Location: Albany, NY

Contact: marketingevents@adlumin.com

NCTIES 2024 Conference

The NCTIES Annual Conference provides a platform for thousands of educators and education leaders to advance excellence in learning and teaching through technology.

Attendees gain insights from influential speakers and discover valuable tools and insights to benefit their schools and districts, allowing for personalized learning and professional growth.

Dates: March 6-8, 2024
Location: Raleigh, NC


NERCOMP Annual Conference

The NERCOMP Annual Conference serves as the nexus for our collective community of IT professionals, faculty, researchers, students, and institutions, fostering collaboration, networking, and knowledge exchange. In partnership with EDUCAUSE, the NorthEast Regional Computing Program (NERCOMP) convenes leaders in higher education IT, uniting voices from across the region to drive innovation and leadership in academia.

Dates: March 25-27, 2024
Location: Providence, RI

Contact: marketingevents@adlumin.com

NJECC 38th Annual Conference

Experience 48 hours of dynamic educator-led keynotes, presentations, and workshops, blending in-person and virtual formats, aimed at revolutionizing your teaching methods to captivate digitally savvy learners. Tailored strands cater specifically to special education teachers, library media specialists, and school district IT professionals.

Date: March 12, 2024
Location: Montclair, NJ

Contact: marketingevents@adlumin.com