Advisory Report
NACUBO's Advisory Report 2003-01 includes a summary explanation of the Federal Trade Commission's final regulations on safeguarding consumer information.
The FTC Safeguards Rule Promulgated Under the Gramm-Leach-Bliley Act
To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). By existing law and regulation, the Federal Trade Commission (FTC) is the Safeguard Rule enforcement agency.
FTCregulations under 16 CFR Part 314, published in May 2002, mandate extensive new privacy protections for consumers stemming from the Gramm-Leach-Bliley Act. The GLBA requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The compliance deadline for the safeguards rule was May 23, 2003.
The GLBA broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLBA purposes.
The GLBA spells out several specific requirements regarding the privacy of customer financial information. Following its passage, NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of the FTC because they did not fit the typical definition of a financial institution under the GLBA. As a result, under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the act related to the administrative, technical, and physical safeguarding of customer information.
In the Office of Management and Budget Compliance Supplement released in July of 2019, a new audit objective designed to assess institutional compliance with the Safeguards Rule was announced. In February of 2020 ED released additional guidance for schoolsexplaining the Department’s procedures for enforcing the requirements and the potential consequences for institutions or servicers that fail to comply.
NACUBO's Advisory Report 2003-01provides a summary and explanation of the FTC final regulations related to the safeguarding of customer information.
- Model Policy #1: Sample A
- Model Policy #2: Catholic University
- Model Policy #3: University of Minnesota (Draft)
- Model Policy #4: Sample B
- Model Policy #5: Shenandoah University
GLBA Resources
- ED GLBA Safeguards Rule Audit Objective Additional Guidance (February 2020)
- GLBA Safeguards Rule OMB Audit Objective
- Catholic University of America, Office of the General Counsel
- Federal Trade Commission (FTC) on the Safeguards Rule
- International Association of Privacy Professionals
- Internet2 Middleware Initiative
- Information Security Risk Evaluation at the CERT Coordination Center at Carnegie Mellon
Compliance with the EU General Data Protection Regulation (GDPR)
In April 2016, the European Union adopted a new set of data protection regulations that expands the personal privacy rights of EU citizens. The effective date of these new regulations was May 25, 2018. These regulations apply even to entities with no physical EU presence as long as they control or process covered personal information of EU residents. Colleges and universities with EU-resident students or faculty should be taking steps to ensure compliance with these new regulations.
GDPR Resources
- EDUCAUSE GDPR Resource webpage
- EU GDPR Information Portal
- The American Association of Collegiate Registrars and Admissions Officers (AACRAO) GDPR Compliance Resources
- College and University Professional Association for Human Resources (CUPA-HR) Blog: What Higher Ed Professionals Need to Know About New Data Privacy Rules in the EU
Additional Data Security Resources
- EDUCAUSE Information Security Guide: Effective Practices and Solutions for Higher Education
- ED FSA Cybersecurity Resources
- Congressional Internet Caucus
- National Institutes of Standards and Technology (NIST) Cyber Security Framework
Other topics related to Department of Education Regulations are available here: ED Regulations
