Home > Insights > Blogs > REGucation > FSA issues GLBA Safeguards Rule guidance

FSA issues GLBA Safeguards Rule guidance

In February, the Federal Student Aid (FSA) office of the U.S. Department of Education issued Electronic Announcement General-23-09 on the updated and strengthened requirements of the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act Safeguards Rule. The new Electronic Announcement summarizes many of the requirements added by the FTC in the Safeguards Rule, most of which become effective June 9, 2023, and includes requirements to:

  • designate a qualified individual to oversee the required information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

FSA notes that the Department will be enforcing the legal requirements of GLBA through annual compliance audits, explaining that “[e]ach institution that participates in the Title IV programs has agreed in its Program Participation Agreement (PPA) to comply with the GLBA Safeguards Rule under 16 C.F.R. Part 314.”  FSA also notes several issuances by the agency since 2015 relating to GLBA requirements and enforcement.

With all of these questions surrounding the GLBA Safeguards Rule, we have drafted an FAQ for institutions. Click here to download our Guide to Understanding GLBA Requirements for Institutions of Higher Education.

Additionally, Thompson Coburn will host a webinar for higher education institutions on the increased requirements of the Safeguards Rule and mitigating enforcement risks. The webinar will be held on March 28. We encourage institutions of higher education (and others subject to the Safeguards Rule) to join us to discuss the requirements and strategies.

Jim Shreve is the chair of Thompson Coburn's Cybersecurity group. Scott Goldschmidt is a partner in Thompson Coburn's Higher Education group.