Skip to content Menu

Advisory Report

NACUBO's Advisory Report 2003-01 includes a summary explanation of the Federal Trade Commission's final regulations on safeguarding consumer information.

Download Report

The FTC Safeguards Rule Promulgated Under the Gramm-Leach-Bliley Act

To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). By existing law and regulation, the Federal Trade Commission (FTC) is the Safeguard Rule enforcement agency. 

FTC regulations under 16 CFR Part 314, published in May 2002, mandate extensive new privacy protections for consumers stemming from the Gramm-Leach-Bliley Act. The GLBA requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The compliance deadline for the safeguards rule was May 23, 2003.

The GLBA broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLBA purposes.

The GLBA spells out several specific requirements regarding the privacy of customer financial information. Following its passage, NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of the FTC because they did not fit the typical definition of a financial institution under the GLBA. As a result, under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the act related to the administrative, technical, and physical safeguarding of customer information.

In the Office of Management and Budget Compliance Supplement released in July of 2019, a new audit objective designed to assess institutional compliance with the Safeguards Rule was announced. In February of 2020 ED released additional guidance for schools explaining the Department’s procedures for enforcing the requirements and the potential consequences for institutions or servicers that fail to comply.  


NACUBO's Advisory Report 2003-01 provides a summary and explanation of the FTC final regulations related to the safeguarding of customer information.

GLBA Resources

Compliance with the EU General Data Protection Regulation (GDPR)

In April 2016, the European Union adopted a new set of data protection regulations that expands the personal privacy rights of EU citizens. The effective date of these new regulations was May 25, 2018. These regulations apply even to entities with no physical EU presence as long as they control or process covered personal information of EU residents. Colleges and universities with EU-resident students or faculty should be taking steps to ensure compliance with these new regulations.

GDPR Resources

Additional Data Security Resources


Other topics related to Department of Education Regulations are available here: ED Regulations


Liz Clark

Vice President, Policy and Research



The EU General Data Protection Regulation Has Arrived. Is Your Campus Ready?

May 29, 2018

Numerous resources are available to help colleges and universities ensure compliance with the new European Union General Data Protection Regulation.

Read Full Article
  • July 03, 2019

    New OMB Policy Requires Title IV Privacy and Data Security Audit Checks

    The long-awaited Office of Management and Budget 2019 Compliance Supplement has been released and features a new privacy and data security audit objective for Title IV program audits.

    Read More
  • May 13, 2019

    What Did I Miss in Washington? April 30-May 13, 2019

    In this edition: House appropriators approve increased FY20 funding for ED, the IRS announces retirement and deferred compensation plan audits, and more.

    Read More
  • January 22, 2019

    What Did I Miss in Washington? January 8-22, 2019

    The Trump administration’s proposed overtime rule moves forward, NASPA provides Title IX NPRM Resources, and more.

    Read More
  • July 31, 2018

    What Did I Miss in Washington? July 10-August 1, 2018

    In this edition: NACUBO guidance on closing out Perkins Loan programs, an update on borrower defense, a new tax bill on Capitol Hill, and more.

    Read More