The GLBA Safeguards Rule: What It Means

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction. Colleges and universities are not "financial institutions" in the traditional sense; however, because they engage in financial activities such as administering student loans, they fall within the legal definition of a financial institution set by GLBA.

There have been no changes to the Safeguards Rule since it went into effect in 2003. For higher education the current requirements are broad; there are relatively few of them, and they leave compliance largely at the discretion of the institution. In early 2019, the FTC proposed to change that by putting forward a plan to substantially expand the requirements of the Safeguards Rule.

The specific proposed changes include:

  • Revising the requirement to designate a single individual responsible for overseeing and implementing the GLBA Information Security program;
  • Requiring risk assessments to be written, to describe how the institution will address the identified risks, and to be performed periodically;
  • Requiring institutions to implement access controls on information systems, and to restrict access to physical locations containing customer information to authorized individuals only;
  • Requiring customer/student information to be encrypted, both in transit and at rest;
  • Requiring implementation of multi-factor authentication for any individual accessing customer information;
  • Requiring information systems to include audit trails designed to detect and respond to security events;
  • Requiring institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for business operations or other legitimate business purposes;
  • Requiring institutions to develop procedures for change management;
  • Requiring institutions to implement policies and procedures “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users;”
  • Requiring regular testing and continuous monitoring of relevant key controls, systems, and procedures;
  • Requiring institutions to implement appropriate training and education, including verifying that key security personnel take steps to maintain current cybersecurity knowledge, and to utilize qualified security personnel;
  • Expanding the requirement to oversee service providers, so that institutions must periodically assess such service providers based on the information security risk they present;
  • Requiring institutions to establish incident response plans; and
  • Requiring the institution’s Information Security Officer (ISO) to report bi-annually to the institution's governing board (BOR) on issues related to the information security program.