
To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA).

By existing law and regulation, the Federal Trade Commission (FTC) is the Safeguards Rule enforcement agency. However, NACUBO recently learned that the Department of Education has proposed adding a GLBA compliance check to the audit requirements for the student financial assistance cluster for FY17 under the Single Audit Act.

NACUBO member institutions should evaluate and document their current campus compliance with the Safeguards Rule.


While the GLBA primarily regulates financial institutions, colleges and universities—largely because of their involvement in lending activities—are also subject to some of its provisions. The Safeguards Rule requires a campus to make a good-faith effort to identify its specific information security risks and to develop risk management and contingency plans accordingly.

In 2003, NACUBO published Advisory Report 2003-01, which provides a summary and explanation of the FTC's final regulations on safeguarding customer information.

More recent ED “Dear Colleague Letters” also reminded colleges and universities about their obligations:

Upon learning that ED is considering adding a GLBA compliance check, NACUBO, together with EDUCAUSE, the Council on Governmental Relations, and the National Association of Student Financial Aid Administrators, wrote to the Office of Management and Budget (OMB) to express some concerns with the proposed audit objective. The associations are mindful that securing the privacy and confidentiality of student information is critical but were uneasy with the overly broad scope and lack of specificity in the draft, and asked OMB to revise the approach. It appears OMB was amenable and will likely revise the audit test to contain objective criteria.

However, NACUBO believes the requirement will likely be included in OMB’s publication of the Compliance Supplement for FY17, despite a request to delay implementation until FY18. The OMB Compliance Supplement provides auditors with guidelines for reviewing compliance with federal rules when auditing the student financial assistance cluster as a major program.

Take Action

NACUBO urges member institutions to evaluate and document their current campus compliance with the Safeguards Rule.

The “Student Financial Services” chapter of NACUBO’s College and University Business Administration offers these suggestions:

  • Designate an employee or employees to coordinate the information security program.

  • Identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

  • At a minimum, such a risk assessment should include consideration of risks in each of the following operational areas:
    1. Employee training and management,
    2. Information systems, including network and software design as well as information processing,
    3. Storage, transmission, and disposal, and
    4. Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

  • Design and implement information safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

  • Oversee service providers by taking steps to select and retain providers that are capable of maintaining appropriate safeguards for customer information.

  • Contractually require service providers to implement and maintain such safeguards.

  • Periodically evaluate and adjust the information security program, based on the results of the testing and monitoring mentioned above, any material changes to operations, or any other circumstances that are known to have or that may have a material impact on the information security program.

Another helpful resource is the EDUCAUSE Information Security Guide, which is developed and maintained by its Higher Education Information Security Council. This is a comprehensive guide on planning and implementing institutional information security.

Additionally, the FTC offers this guidance for complying with the Safeguards Rule.


Megan Schneider

Senior Director, Government Affairs

