For the past several years, institutions that participated in Title IV programs were subject to the Gramm Leach Bliley Act (GLBA) which was signed into law on November 12, 1999. In addition to agreeing to follow the tenets of GLBA, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel.
The U.S. Department of Education’s guidelines most recent, specific guidelines with respect to GLBA were presented in a “Dear Colleague” letter dated February 28, 2020. Generally, among other provisions of GLBA, institutions were expected to document – and their independent auditors were expected to evaluate the following:
1. The institution must designate an individual to coordinate its information security program.
2. The institution must perform a risk assessment that addresses three required areas described in 16 C.F.R. 314.4(b):
a) Employee training and management;
b) Information systems, including network and software design, as well as
information processing, storage, transmission and disposal; and
c) Detecting, preventing and responding to attacks, intrusions, or other
3. The institution must document a safeguard for each risk identified in Step 2 above.
Now, with the release of the 2023 Compliance Supplement, additional GLBA requirements have been stipulation by the Office of Management and Budget. These new “required elements” include:
Addressing the eight minimum safeguards as defined in the 2023 Compliance Supplement (in 16 CFR 314.4(c)(1) through (8)
Establishing processes to test and monitor the effectiveness of the program and the implemented safeguards
Implementing policies and procedures to ensure staff can enact the program
Addressing oversight of service providers
Evaluating and adjusting the program as a result of testing and monitoring, material changes to the environment, risk assessments, or other circumstances that could materially impact the program
The eight minimum safeguards are defined as follows:
Design and implement safeguards to control the risks you identity through risk assessment, including by:
(1) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:
(i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and
(ii) Limit authorized users' access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;
(2) Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy;
(3) Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your Qualified Individual;
(4) Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information;
(5) Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
(i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and
(ii) Periodically review your data retention policy to minimize the unnecessary retention of data;
(7) Adopt procedures for change management; and
(8) Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
Note that the new rules go into effect June 9, 2023 and are applicable to institutions with fiscal years ending June 30, 2023 and beyond.
We will all continue to monitor and evaluate the specifics of these new stipulations.
David C. Moja, CPA www.mojacompany.com
The information provided herein presents general information and should not be relied on as accounting, tax, or legal advice when analyzing and resolving a specific tax issue. If you have specific questions regarding a particular fact situation, please consult with competent accounting, tax, and/or legal counsel about the facts and laws that apply.