As ED previously reminded universities in GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), these institutions are considered "financial institutions" under the GLBA and must therefore comply with its data security rules. The requirement to comply with GLBA's cybersecurity requirements is defined in the agreement on participation in the Title IV student assistance programs and in the enrollment agreement for the Student Aid Internet Gateway (SAIG). The SAIG agreement provides for the connection of an institution's or a third party's data systems to ED's data systems for the purpose of underwriting and paying Title IV federal student aid.

On February 28, 2020, the U.S. Department of Education (ED) issued an electronic announcement on the enforcement of cybersecurity requirements under the Gramm-Leach-Bliley Act (GLBA). As explained in more detail below, enforcement of these requirements includes referrals to the Federal Trade Commission (FTC), as well as possible fines and other administrative measures.

For example, information systems, including network and software design, as well as information processing, storage, transfer and disposal.
c. Detection, prevention and response to attacks, intrusions or other system failures.

In its announcement of February 28, 2020, ED states that when an auditor finds that an institution or service provider has not met the above GLBA requirements, the auditor must include this non-compliance as a finding in the audit report of the institution or service provider. When ED receives an audit report containing a GLBA finding, it will refer the report to the FTC and, in most cases, the FTC will determine what action may be required following the GLBA review finding. FSA has developed an infographic to help PSI employees understand what a breach is and where breaches can be reported when they occur.
3. That the institution or service provider be able to document a safeguard for each risk covered in point 2.
1. That the institution or service provider has appointed a person to coordinate its information security program.

In addition, ED has established a Cybersecurity Team within the Office of Federal Student Aid. The Cybersecurity Team is also informed of the results of GLBA audits and may request additional documents from the institution or service provider to assess the risk to student data posed by the institution's or service provider's information security system. If the Cybersecurity Team finds that the institution or service provider poses a significant risk to the security of student information, it may temporarily or permanently disable the institution's or service provider's access to ED's information systems. These systems would include ED's Title IV funding processing systems, which means that disabling access following a GLBA review could significantly interrupt an institution's receipt of these funds. In addition, if the Cybersecurity Team finds that the institution or service provider has very serious data security deficiencies or a history of non-compliance with GLBA requirements, ED may impose fines or take other administrative actions adverse to the institution or service provider.
Post-secondary institutions (PSIs) that manage Title IV funds are required to report any data breaches involving FSA data, in accordance with the Program Participation Agreement (PPA) and the Student Aid Internet Gateway (SAIG) agreement. Please note that almost immediately after the release of this electronic announcement, the U.S. Department of Education (ED) withdrew it along with the referenced infographic. To date, it has not been replaced by up-to-date information. In 2019, the project, in collaboration with the Office of Management and Budget, required that GLB's compliance