Consumer Protection Coming to Colleges and Universities: Is Your Institution Ready?
As cyberattacks continue to dominate today’s headlines, it was only a matter of time before stricter compliance requirements for consumer data protection reached institutions of higher education. Compliance with the Gramm-Leach-Bliley Act (GLBA), which has been in existence for more than a decade, now appears to be a priority of the Department of Education, with additional procedures expected to be included in the federal single audit compliance supplement for fiscal year 2019.
Requirements of Gramm-Leach-Bliley Act
Institutions of higher education are currently required to be in compliance with both the Privacy Rule and the Safeguard Rule contained in the GLBA. However, procedures related to compliance have not previously been included in the federal single audit compliance supplement and that seems likely to change.
Colleges and universities currently in compliance with the Family Educational Rights and Privacy Act (FERPA) are considered to be compliant with the Privacy Rule of GLBA, as FERPA already protects personally identifiable information related to students and their academic records.
There are no such caveats for compliance with the Safeguard Rule of GLBA. To be compliant with the Safeguard Rule, institutions will need to develop and maintain an information security program which will address the following elements and areas of concern:
- An employee must be designated to oversee the institution’s security program.
- Institutions must identify both internal and external risks to the security, confidentiality and integrity of student information with an emphasis on preventing misuse and unauthorized disclosure.
- Safeguards and key controls over information systems must be designed and implemented, as well as monitored, to ensure their effectiveness.
- Colleges and universities must evaluate vendors and take steps to ensure that those vendors are capable of maintaining appropriate safeguards over student information.
- There must be an ongoing process of evaluating, monitoring and updating the institution’s security programs to reflect changes in operations and business arrangements.
With less than a year to go until the procedures are expected to be implemented, institutions of higher education should begin to evaluate their progress in meeting the requirements of the Act. Institutions that fail to do so may find themselves subject to significant deficiencies or material weaknesses reported by their external auditors as a result of noncompliance.
Departments with the highest exposure to risk include student financial aid, financial services, and information technology. An appropriate assessment needs to be made and documented in each of these departments to address all areas of vulnerability related to student applications, records, tuition payments, student aid, etc.
We recommend that college and university leadership reach out to their external auditors to begin assessing the compliance requirements associated with the Act and to minimize their institution’s exposure to unwanted scrutiny.
If you have any questions or comments about GLBA or would like assistance implementing its requirements, please contact any of the following individuals or your PKF O’Connor Davies engagement team:
Joseph N. Russell, CPA
Mark D. Bednarz, CPA, CISA, CFE
Kelsey A. Cannici, CPA