Data Privacy Regulations

FSA Details Data Security Requirements Taking Effect June 9

These 9 Elements Must Be Implemented in Institutions' Written InfoSec Program

• By Kristal Kuykendall
• 02/22/23

The U.S. Department of Education’s Federal Student Aid office recently published detailed information security requirements for higher education institutions that previously or currently service, administer, or aid in the administration of a Federal Student Aid program, noting that IHEs participating in FSA programs fall under the Gramm-Leach-Bliley Act and must comply with its mandates by June 9, 2023.

In a notice dated Feb. 9, FSA explained that final changes to the act’s Standards for Safeguarding Customer Information published by the Federal Trade Commission — which oversees compliance with the Gramm-Leach-Bliley Act — are applicable to educational institutions’ FSA-related “customer information,” which is defined as “information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.”

The FTC’s amendedrequirements under GLBA’s Safeguards Rule spell out the exact elements of a cyber risk management protocol that covered agencies and businesses must implement to protect personal identifiable information processed by or stored on the organizations’ digital systems. Prior to the updates to the Safeguards Rule, the requirements for protecting PII contained general language requiring institutions to “develop, implement and maintain a comprehensive, written information security program containing administrative, technical, and physical safeguards.”

In its Feb. 9 notice, FSA detailed the updated GLBA Safeguards Rule requirements, how they impact post-secondary institutions, and how ED will enforce the requirements. “Institutions should coordinate with their leadership and appropriate staff to implement the requirements by June 9,” FSA advised. 

Updated GLBA Requirements Applicable to Higher Ed

FSA said the purpose of updated GLBA rules is “to ensure the security and confidentiality of student information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).” FSA recommended that higher ed IT and data governance leaders seeking additional information should refer to the text of the Safeguards Rule itself and GLBA guidance provided by the FTC.

Every IHE participating in FSA programs must have each of the following elements implemented as part of its written information security program starting June 9, verbatim from the FSA notice: 

• Element 1: Designates a qualified individual responsible for overseeing and implementing the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).
• Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
• Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
• Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
• Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).
• Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
• Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program (16 C.F.R. 314.4(g)).
• Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
• Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).

Institutions that maintain student information for fewer than 5,000 “customers” are required to address only the first seven elements, the agency said.

FSA also urged institutions to “encrypt customer information while it is in transit outside its systems or stored on its system” and to “implement multi-factor authentication for anyone accessing customer information on its systems,” noting that such safeguards are considered significant steps to reducing the risk of a data breach.

Enforcement and Compliance by ED

Under the updated requirements, an institution that does not implement the minimum Safeguards would be considered as “not administratively capable” to participate in FSA programs, and that finding could result in the institution’s removal from FSA programs, according to the agency’s notice. 

After June 9, 2023, “any GLBA findings identified through a compliance audit, or any other means, will be resolved by the Department during the evaluation of the institution’s or servicer’s information security safeguards required under GLBA as part of the Department’s final determination of an institution’s administrative capability,” said the FSA notice. 

“In cases where no data breaches have occurred and the institution’s or servicer’s security systems have not been compromised, if the Department determines that an institution or servicer is not in compliance with all of the Safeguards Rule requirements, the institution or servicer will need to develop and/or revise its information security program and provide the Department with a Corrective Action Planwith timeframes for coming into compliance with the Safeguards Rule. Repeated non-compliance by an institution or a servicer may result in an administrative action taken by the Department, which could impact the institution’s or servicer’s participation in the Title IV programs.”

FSA also published new cybersecurity guides to help IHEs boost their cyber risk efforts, including a factsheet on how to establish an Incident Response Plan and a factsheet on data sanitization best practices. 

“In the event of a cyber attack, an IRP mitigates risk and limits damage by establishing plans, procedures, roles, and responsibilities,” FSA said. Learn more by downloading the Cybersecurity Incident Planning for Institutes of Higher Education guide.

The agency’s Media Sanitization and Disposal Best Practices guide explains how to permanently destroy media containing any confidential personal data and proprietary information. “Physical documents, mobile devices, external hard drives, USB drives, memory devices, and computers can harbor abundant sensitive student data. If not properly disposed of, confidential data may be wrongly disclosed,” FSA said.

Find more information about GLBA requirements as well as other cybersecurity resources on the FSA Partner Connect website’s Cybersecurity page.