Home > Insights > Blogs > REGucation > FSA issues GLBA Safeguards Rule guidance
digital security concept

FSA issues GLBA Safeguards Rule guidance

James Shreve Scott Goldschmidt March 10, 2023

Links

Contributors

Contributors

Stephanie Cohan

Stephanie Cohan

Jeff Fink

Jeff Fink

Scott Goldschmidt

Scott Goldschmidt

Aaron Lacey

Aaron Lacey

Sonette Magnus

Sonette Magnus

Emily Wang Murphy

Emily Wang Murphy

Christopher Murray

Christopher Murray

Kayla Siam

Kayla Siam

Roger Swartzwelder

Roger Swartzwelder

Hope Watson

Hope Watson

Katie Wendel

Katie Wendel

RELATED EVENTS

RELATED EVENTS

July 20
2023

Affirmative Action in Higher Education: Impact of SFFA v. Harvard and SFFA v. UNC
June 6
2023

ED’s Proposed Financial Value Transparency and Gainful Employment Rule
March 28
2023

Safeguarding the Data and Your Compliance Program – USED and GLBA
January 24
2023

The Higher Education Regulatory Outlook for 2023

In February, the Federal Student Aid (FSA) office of the U.S. Department of Education issued Electronic Announcement General-23-09 on the updated and strengthened requirements of the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act Safeguards Rule. The new Electronic Announcement summarizes many of the requirements added by the FTC in the Safeguards Rule, most of which become effective June 9, 2023, and includes requirements to:

  • designate a qualified individual to oversee the required information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

FSA notes that the Department will be enforcing the legal requirements of GLBA through annual compliance audits, explaining that “[e]ach institution that participates in the Title IV programs has agreed in its Program Participation Agreement (PPA) to comply with the GLBA Safeguards Rule under 16 C.F.R. Part 314.”  FSA also notes several issuances by the agency since 2015 relating to GLBA requirements and enforcement.

With all of these questions surrounding the GLBA Safeguards Rule, we have drafted an FAQ for institutions. Click here to download our Guide to Understanding GLBA Requirements for Institutions of Higher Education.

Additionally, Thompson Coburn will host a webinar for higher education institutions on the increased requirements of the Safeguards Rule and mitigating enforcement risks. The webinar will be held on March 28. We encourage institutions of higher education (and others subject to the Safeguards Rule) to join us to discuss the requirements and strategies.

Jim Shreve is the chair of Thompson Coburn's Cybersecurity group. Scott Goldschmidt is a partner in Thompson Coburn's Higher Education group.