The Catholic University of America

Summary of Federal Laws

Miscellaneous Laws Affecting Universities

Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act)

15 U.S.C. § 6801 et seq.; 16 CFR § 313.1 et seq. (privacy); 16 CFR § 314.1 et seq. (safeguarding)

This law regulates the disclosure of nonpublic personal information by financial institutions. Specifically, the law protects consumers or customers, that is, individuals obtaining financial products or services "to be used primarily for personal, family, or household purposes." The law requires a financial institution to provide notice to customers of its privacy policies and practices, describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, and provides a method for consumers to prevent disclosure of their financial information by "opting out." This involves both an initial privacy notice to customers at the inception of the customer relationship and annual notices thereafter.

Institutions of higher education, while not excluded from the definition of "financial institution," are deemed to comply with the privacy regulations so long as they comply with FERPA. See 65 Fed. Reg. 33646 (May 24, 2000). In the preamble to these final consumer financial information privacy regulations the FTC stated:

The Commission also received several comments from colleges and universities and their representatives requesting that institutions of higher education be excluded from the definition of financial institution. The Commission disagrees with those commenters who suggested that colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers. However, such entities are subject to the stringent privacy provisions in the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, which govern the privacy of educational records, including student financial aid records. The Commission has noted in its final rule, therefore, that institutions of higher education that are complying with FERPA to protect the privacy of their student financial aid records will be deemed to be in compliance with the Commission's rule.

Accordingly, the final regulations provide, in 16 CFR § 313.1:

Any institution of higher education that complies with the Federal Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.

However, institutions are not exempt from the safeguarding regulations. The final rule on Safeguarding Customer Information, 67 Fed. Reg. 36484 (May 23, 2002), codified at 16 CFR part 314, does not exempt educational institutions, and thus institutions must adopt a written information security program. Key compliance requirements include designating an employee or employees to coordinate the information security program; identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (including a risk assessment of information systems, of employee training and management, and of the detection of and response to attacks or system failures); designing and implementing safeguards to control the identified risks and regularly testing or monitoring their effectiveness; overseeing service providers, including contractually requiring them to implement and maintain safeguards; and evaluating and adjusting the program in light of test results and material changes to operations.

Updated info as of 12-19-17: At the end of 2017, the Department of Education announced that it would require institutions of higher education to report any security breach of personally identifiable information. The Department is taking this position under Title IV Program Participation Agreements (which include Gramm-Leach-Bliley Act commitments) and Student Aid Internet Gateway agreements. A recorded session presented at the Federal Student Aid Conference in Nov.-Dec. 2017 is online. The presenter is Tiina K.O. Rodrigue (spelling not a typo). The PowerPoint can be found at item 37 in the program link. Note that "breach" is not defined with great particularity in these documents.

Educause letter to the Department of Education's Office of Federal Student Aid on data breach notification and information security reporting, Jan. 30, 2018. The letter calls into question the Department's authority for the guidance referenced below.

IFAP FAQ about Cybersecurity Compliance

The Student Aid Internet Gateway (SAIG) Agreement requires that as a condition of continued participation in the federal student aid programs, PSIs report actual data breaches, as well as suspected data breaches. Title IV PSIs must report on the day that a data breach is detected or even suspected. The U.S. Department of Education (the Department) has the authority to fine institutions—up to $54,789 per violation per 34 C.F.R. § 36.2 —that do not comply with the requirement to self-report data breaches.

The Department has reminded all institutions of this requirement through Dear Colleague Letters (GEN 15-18, GEN 16-12), electronic announcements, and the annual FSA Handbook.

Duane Morris article titled "Schools Must Adhere to Cybersecurity Regulations or Risk Losing Title IV Eligibility" (Sept. 14, 2017)

Resources

One-day Breach Notification for Colleges and Universities? by Marci Rozen, ZwillGen blog, June 27, 2018 

NACUANOTES: Key Issues in Managing Data Breach Risk in Higher Education: Practical Tips for Before, During and After, by Sandra Brown and Scott Schneider, Oct. 12, 2018.

Resources for Information Assurance Web Page

DCL ID GEN-15-18 (7-29-15)

updated 11-29-18