To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). By existing law and regulation, the Federal Trade Commission (FTC) is the Safeguard Rule enforcement agency.
FTC regulations under 16 CFR Part 314, published in May 2002, mandate extensive new privacy protections for consumers stemming from the Gramm-Leach-Bliley Act. The GLBA requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The compliance deadline for the safeguards rule was May 23, 2003.
The GLBA broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLBA purposes.
The GLBA spells out several specific requirements regarding the privacy of customer financial information. Following its passage, NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of the FTC because they did not fit the typical definition of a financial institution under the GLBA. As a result, under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the act related to the administrative, technical, and physical safeguarding of customer information.
In the Office of Management and Budget Compliance Supplement released in July of 2019, a new audit objective designed to assess institutional compliance with the Safeguards Rule was announced. In February of 2020 ED released additional guidance for schools explaining the Department’s procedures for enforcing the requirements and the potential consequences for institutions or servicers that fail to comply.
In April 2016, the European Union adopted a new set of data protection regulations that expands the personal privacy rights of EU citizens. The effective date of these new regulations was May 25, 2018. These regulations apply even to entities with no physical EU presence as long as they control or process covered personal information of EU residents. Colleges and universities with EU-resident students or faculty should be taking steps to ensure compliance with these new regulations.