
Safeguards Rule: Seven questions higher education is asking

March 6, 2018 / 4 min read

Higher education institutions must have the proper controls and processes in place to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act. Here are the top questions institutions are asking about compliance.

Higher education institutions have been required to comply with the provisions of the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) for more than a decade. Since the rule took effect, however, there has been little oversight by the Department of Education (DoE) of GLBA compliance. This is about to change.

The DoE recently made it clear to institutions that it expects the proper controls and processes to be in place, and that it will begin monitoring compliance in the near future through the annual single audits performed on the Title IV student financial aid funds institutions receive.

What does this mean to my institution?

Institutions' external auditors will be required to conduct expanded audit testing and report significant noncompliance findings if the required security is not in place.

Where should I start?

Many institutions are asking this same question. Here's what we recommend:


Remind me — what are the current rules?

The overall expectations of the Safeguards Rule are set out by the Federal Trade Commission (FTC), which issued the rule.

Specifically, some of the key requirements call for institutions to:

Examples of higher education data that need to be protected include:

How are these changes expected to impact single audits?

The Safeguards Rule isn't currently tested as part of the federal compliance audit (or single audit) of Title IV funds. But communications from the DoE consistently indicate it will become part of this testing in the near future. As of this writing, testing steps are expected to be included in the 2019 release of the Office of Management and Budget (OMB) Compliance Supplement, which external auditors follow when testing the Student Financial Assistance cluster.

As reported in the Federal Student Aid: Better Program Management and Oversight of Postsecondary Schools Needed to Protect Student Information report issued by the U.S. Government Accountability Office (GAO) in December 2017, the DoE requested that the following suggested audit procedures be included in the external auditor's compliance audit:

Whether the DoE ultimately adopts the steps above as written or another version of them, external audit firms will have to complete this testing once the Compliance Supplement includes it. As a result, institutions will have to demonstrate compliance with the underlying requirements of the Safeguards Rule during the audit period. This may mean more individuals or departments at an institution are involved in responding to audit requests than in the past, and it will certainly mean more time spent by external auditors and auditees to complete the testing.

Where can I find more information?

We've compiled a list of resources to help higher education institutions more fully understand compliance with the GLBA Safeguards Rule, including:

What should I do now?

Assess the Safeguards Rule at your institution. External auditors may be testing compliance sooner than you think, and you'll want to make sure your institution is in compliance.

What if I need help?

Plante Moran has a cybersecurity team with years of experience assisting organizations with GLBA Safeguards Rule concerns. Please contact our team if you have any questions about the Safeguards Rule expectations.
