Nonprofit Resources


FTC Amends GLBA Safeguards Rule to Require Data Security Breach Reporting

If your higher education institution participates in Title IV programs, you are likely familiar with the Gramm-Leach-Bliley Act (GLBA) requirement to have an incident response plan that can help you respond to and recover from security events that affect the student personally identifiable information (PII) you maintain or access.

Hopefully, you will never have a security event that results in a breach of this sensitive information. But as the frequent news headlines show, breaches are rampant. It’s critical to have proper procedures for responding to an event that becomes a breach.

The state you operate in may have requirements for notifying affected constituents of a breach. If you are unsure of the requirements in your state, we recommend reaching out to your legal counsel or cyber insurance provider for guidance.

There also is a new requirement that institutions participating in Title IV programs should be mindful of when planning their breach response. The Federal Trade Commission (FTC) has added an amendment to the Safeguards Rule (the Rule) of GLBA, which applies to Title IV institutions. The new amendment requires non-banking institutions to report certain data breaches and security events to the FTC. The amendment will go into effect 180 days after it is published in the Federal Register.


Key Points to Know

The amendment to the Rule indicates that covered institutions must notify the FTC as soon as possible but no later than 30 days after the discovery of a security event that involves the unauthorized acquisition of unencrypted information of at least 500 consumers. Notification is not required for unauthorized access of encrypted information if unauthorized access of the encryption key did not occur.

The notification to the FTC should be provided via and include the following information:

  • Name and contact information for your institution
  • Description of the types of information involved in the event
  • The dates(s) of the event, if determined
  • The number of consumers affected
  • A description of the event
  • Details on whether law enforcement officials have told you in writing that notifying the public of the breach would impact a criminal investigation or cause damage to national security, as well as a means for the FTC to contact the officials


What You Should Do Now

We recommend that you:

  • Assess the impact the new requirement will have on your incident response plan
  • Walk through the notification process to ensure you know what you would say about a breach and how you would report it
  • Consider drafting a template you can use as the basis for your notification in the event you need to report a breach to the FTC

This type of planning can increase the efficiency and effectiveness of your response and help you meet the reporting requirements.


Additional Recommendations

The new amendment also highlights several key safeguards noted in GLBA. First, 16 CFR 314.4(c)(3) emphasizes the importance of encrypting consumer information at rest and in transit over external networks.

Encryption reduces the risk that bad actors who monitor traffic or data flows or gain access to your systems can access the data within. Perform a detailed assessment of where your data is stored, how it flows into and out of your institution, and the encryption mechanisms in place. While primary systems such as your student information system come to mind, also consider ancillary locations, such as:

  • Workstation and server hard drives that may store reports with consumer details
  • Backup files or backup media
  • Removable media such as USB drives or external drives

In addition, 16 CFR 314.4(c)(6) highlights the importance of purging data when it is no longer required for business purposes. As a higher education institution, you likely have extensive needs for retaining certain data sets about your students, but retaining larger data sets increases the potential impact if a system is breached.

We recommend that you revisit your data inventory. Make sure you understand where your data sets are stored and evaluate whether any data sets are not required after a certain period.

Also consider the final resting places of your data. For example, if you obtain information about prospective students in your online enrollment portal but that information is then transferred into your student information system, can the information in the enrollment portal be purged after a certain period? If the answer is yes, consider establishing a retention period to reduce the volume of data stored in that system.

GLBA also includes guidelines for recording activities within relevant systems and establishing processes to identify unauthorized activities. Evaluate the mechanisms you have in place to identify these issues within the systems, devices, and networks that store, transmit, or provide access to consumer data. Do you have the visibility you need into your endpoints and internal network traffic, at the perimeter of your network, and within cloud environments? If not, determine the steps you need to take to gain this visibility.

Please contact us with questions about the new breach notification requirement or if you would like to discuss how we can assist your institution. We offer a wide range of resources and services to assist organizations working toward GLBA compliance.

Allison Davis Ward

Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.

Leave a Comment