If you’re involved with cybersecurity initiatives in higher education, it’s important to be aware of the significant regulatory changes going into effect on June 9, 2023.
In December 2022, the Federal Trade Commission (FTC) introduced final amendments to the Standards for Safeguarding Customer Information, also known as the Safeguards Rule. These changes effectively enhance the Gramm-Leach-Bliley Act (GLBA) by focusing on consumer privacy and the security of personal information. These changes to the GLBA specifically affect higher education institutions and their handling of student financial records, encompassing the collection, storage, and use of personally identifiable information (PII).
Passed in 1999 as part of a financial systems modernization push, the GLBA reflected uncharacteristic cybersecurity foresight on the part of Congress by mandating protections for client data in the new era of information sharing. Later developments would require institutions to establish an information security program for protecting customer information. These standards were intended to maintain the privacy and security of client information, defend against potential threats or hazards that could compromise the integrity of such data, and prevent unauthorized access to or misuse of information that could cause significant harm or inconvenience to clients (16 C.F.R. 314.3(b)). While originally intended to improve privacy and security in banking institutions, the U.S. Department of Education explicitly made GLBA a part of higher education responsibilities in 2019, and these new changes have expanded those requirements.
Below is a summary of revisions to the Safeguards Rule that will impact higher education institutions:
1. Qualified Individual (16 CFR 314.4(a)): Organizations must now designate a CISO, vCISO, or another responsible party to manage the information security program. The individual can be an employee, affiliate, or service provider.
2. Risk Assessment (16 CFR 314.4(b)(1)): Organizations must now perform an annual risk assessment and potentially additional assessments in response to major changes in the organization's environment.
3. Security Controls (16 CFR 314.4(c)(1)-(8)): Organizations must also implement sufficient safeguards for access management, data encryption, secure software development among third-party suppliers, MFA, a two-year retention policy for outdated customer information, change management procedures, and security monitoring.
4. Regular Control Testing (16 CFR 314.4(d)(2)): Organizations must now carry out annual penetration testing and vulnerability assessments.
5. Personnel Policies (16 CFR 314.4(e)): Organizations must provide appropriate security awareness training for staff and additional training to support the qualifications of individuals assuming responsibility for cybersecurity.
6. Service Providers (16 CFR 314.4(f)(3)): The revised rule further enforces the supervision of service providers, ensuring their support of controls and processes in compliance with GLBA.
7. Incident Response (16 CFR 314.4(h)): Organizations must develop an incident response plan to address material security incidents.
8. Reporting to Governance (16 CFR 314.4(i)): The individual designated under 314.4(a) must submit a written annual report to the institution's governing body concerning the overall status of, and material matters related to, the information security program.
While some colleges and universities will experience no change in their current strategies, others will now have the burden (or justification) to expand and improve their security operations. A comprehensive understanding of the new requirements will be critical to implementing any necessary modifications appropriately, with minimum disruption and expense.
At NuHarbor, we’ve been advising higher education clients on these types of standards, controls, and assessments for years. Whether you’re just starting to develop an information security program or preparing for a GLBA audit, NuHarbor experts will meet you where you’re at with actionable guidance tailored to your specific needs.
Contact us today for a free consultation. We’ll walk through any questions you may have on these new regulations and discuss a plan for achieving compliance.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.