FSA Clarifies Certain Information Security Requirements Under GLBA

Financial institutions — including higher education institutions that participate in Title IV programs — must protect the personally identifiable information of the customers they serve (i.e., PII or customer data) under the requirements in the Standards for Safeguarding Customer Information Rule component of the Gramm-Leach-Bliley Act (GLBA).

Ensuring applicable service providers are managed appropriately and establishing plans for adequate incident response are two key components of protecting PII. On April 24, 2024, the U.S. Department of Education (ED) Office of Federal Student Aid (FSA) issued an announcement, GENERAL-24-46, with clarification about whether service provider oversight needs to include ED and FSA, and about the timeframe for breach notification.


Service Provider Oversight Does Not Need to Include ED and FSA

As required by 16 CFR § 314.4(f), institutions must manage their service providers by:

  • Establishing procedures to evaluate service providers before contracting with them to ensure the service providers can adequately safeguard the institution’s customer data;
  • Holding these service providers contractually responsible for maintaining adequate safeguards for securing this data; and
  • Establishing procedures to periodically evaluate the continued adequacy of the customer data safeguards these service providers maintain.

When establishing procedures for this management, it is imperative to understand which service providers the requirements apply to. As defined in 16 CFR § 314.2(q), a service provider is “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.”

Service providers that meet this definition could include vendors that host, support, or access student information, financial aid, enrollment, and payroll systems. Governmental agencies and entities that support financial aid processing, by definition, would also appear to be within the scope of this requirement, and institutions began asking FSA about its information security practices.

In GENERAL-24-46, FSA clarified that for the purposes of complying with 16 CFR § 314.4(f), ED and FSA are not considered service providers or vendors due to the nature of the relationship and the laws and regulations surrounding program participation. Therefore, institutions do not need to request information about ED and FSA’s security practices.

We still encourage institutions to assess the risks of relying on ED and FSA systems as part of the risk assessment required by 16 CFR § 314.4(b) and to ensure that the necessary safeguards have been established. Examples of safeguards include user access management procedures, encryption, authentication and access controls, and activity monitoring.


FSA Must Be Notified of a Breach Within 24 Hours

Under 16 CFR § 314.4(h), institutions must establish a written incident response plan that allows them to identify, respond to, and adequately mitigate potential impacts that could affect the confidentiality, integrity, or availability of the customer information they control. Notifying applicable parties about a breach has become a significant component of incident response.

Institutions must notify FSA about a breach by using the FSA Cybersecurity Intake Page. FSA’s GENERAL-24-46 announcement clarified that institutions must notify FSA within 24 hours of the breach incident becoming known or identified.

As a reminder, the Federal Trade Commission also requires that it be notified of breaches that impact 500 or more consumers as soon as possible and no later than 30 days after discovery.

We encourage you to discuss these requirements and any other applicable laws and regulations with your institution’s management team, cyber insurance provider, and legal counsel and update your plans accordingly to ensure compliance.


How We Can Help

CapinCrouse offers resources and services to help you meet the GLBA compliance requirements. Visit our GLBA Compliance Resources and Services page to learn more and access free, informative articles, videos, sample documents, and other resources.

Please contact us with questions or to learn more about how we can assist you.

Allison Davis Ward

Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.