With only four months left before most changes to the federal Standards for Safeguarding Customer Information (“Safeguards Rule”) – a component of the Gramm-Leach Bliley Act (“GLBA”) that provides for the protection of consumers’ privacy and personal information – take effect, the Federal Student Aid Office is focused squarely on postsecondary educational institutions and third-party servicers, according to its recent announcement. Is your institution ready for the June 9, 2023 deadline?

Colleges and universities that participate in federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965 (“Title IV”) are obligated to protect student information under the GLBA. As belts and suspenders, each institution that participates in Title IV programs expressly agrees to comply with the GLBA Safeguards Rule through its Program Participation Agreement with the United States Department of Education. Third party servicers have similar obligations. Along with postsecondary institutions, servicers must sign the Student Aid Internet Gateway Enrollment Agreement, ensuring that all federal student aid applicant information is protected and guarded against unauthorized access in the administration of Title IV programs.

On December 9, 2021, the Federal Trade Commission issued final regulations to strengthen consumer protections under the Safeguards Rule, which take effect June 9, 2023. Among the June 9 requirements, covered schools and servicers are required to have a written, comprehensive information security program that contains specific administrative, technical, and physical safeguards. Other mandates include risk assessments, implementation of risk control and testing safeguards, staff preparedness (necessitating training) to enact the information security program, and an incident response plan for institutions and servicers that maintain student information on 5,000 or more consumers.

Foreshadowing these expectations were multiple Dear Colleague Letters and electronic announcements from the Federal Student Aid Office over the past decade, informing schools of ways to strengthen their cybersecurity infrastructure to protect student financial aid information and emphasizing plans to enforce the GLBA through annual compliance audits. While all elements of the Safeguards Rule are vital, the Federal Student Aid Office indicates that an institution or servicer may significantly reduce the risk of a security breach “by encrypting customer information while it is in transit outside its systems or stored on its system and by implementing multi-factor authentication for anyone accessing customer information on its systems.”

Amendments to the Safeguard Rule come at a time when educational institutions remain significant targets of crippling ransomware attacks, including at least 35 colleges and universities in 2022 alone. In this environment, it is no surprise that failure to comply with the Safeguards Rule carries the potential for a heavy penalty – the inability to participate in Title IV programs. As the June 9 deadline approaches, schools and servicers should act now to ensure that their information security programs include the specific administrative, technical, and physical safeguards imposed by the Safeguards Rule and staff are effectively trained to implement these requirements.