022820EnforcCyberReqGrammLeachBlileyAct

Author
Federal Student Aid
Subject
Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act

The Department of Education (Department) continues to take steps to ensure the confidentiality, security, and integrity of student and parent information related to the federal student aid programs. Protecting that information is a shared obligation among the Department, institutions, third-party servicers, and other partners in the financial aid system. We expect all of our partners to maintain strong security policies and effective internal controls to prevent unauthorized access or disclosure of sensitive information.

The Gramm-Leach-Bliley Act (GLBA), which was signed into law on November 12, 1999, created a requirement that financial institutions must have certain information privacy protections and safeguards in place.  The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. 

Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department.  In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel.

Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.

In Dear Colleague Letters GEN-15-18 and GEN-16-12, we reminded institutions about the longstanding requirements of GLBA and notified them of our intention to begin enforcing the legal requirements of GLBA through annual compliance audits. In Dear CPA Letter CPA-19-01, we explained the procedures for auditors to determine whether institutions were in compliance with GLBA. This announcement explains the Department’s procedures for enforcing those requirements and the potential consequences for institutions or servicers that fail to comply.

Audit Findings

Auditors are expected to evaluate three information safeguard requirements of GLBA in audits of postsecondary institutions or third-party servicers under the regulations in 16 C.F.R. Part 314:

  1. The institution must designate an individual to coordinate its information security program.

  2. The institution must perform a risk assessment that addresses three required areas described in 16 C.F.R. 314.4(b):

    a) Employee training and management;
    b) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
    c) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

  3. The institution must document a safeguard for each risk identified in Step 2 above.

When an auditor determines that an institution or servicer has failed to comply with any of these GLBA requirements, the finding will be included in the institution’s audit report. 

Federal Trade Commission

When an audit report that includes a GLBA audit finding is received by the Department, we will refer the audit to the FTC.  Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes.  The FTC will determine what action may be needed as a result of the GLBA audit finding.

Cybersecurity Team

Federal Student Aid’s Postsecondary Institution Cybersecurity Team (Cybersecurity Team) will also be informed of findings related to GLBA, and may request additional documentation from the institution in order to assess the level of risk to student data presented by the institution or servicer’s information security system.

If the Cybersecurity Team determines that the institution or servicer poses a substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution’s or servicer’s access to the Department’s information systems. Additionally, if the Cybersecurity Team determines that, as a result of very serious weaknesses in the general controls over technology, the institution’s or servicer’s administrative capability is impaired, or that it has a history of non-compliance, it may refer the institution to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department.

Contact

If you have questions about the Department’s enforcement of the GLBA, please contact the Cybersecurity Team at fsaschoolcybersafety@ed.gov or by phone at 202-245-6550.

We recognize the substantial investments in time and resources that institutions and servicers have devoted to protection of student data and we thank our partners for their willingness to address evolving cybersecurity threats.