As the EdED previously reminded universities in gen-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), these institutions are considered "financial institutions" under the GLBA and must therefore comply with their data security rules. The requirement to comply with GLBA`s cybersecurity requirements is defined in the agreement on the participation of University IV student assistance programs and in the registration agreement corresponding to the Internet Student Assistance Gateway (SAIG). The SAIG agreement provides for the connection of an institution`s or a third party`s data systems to ED data systems for the purpose of underwriting and paying federal aid to Title IV students. Post-secondary institutions (PSIs) that manage Title IV funds are required to report any data breaches covering FSA data, in accordance with the Participation Agreement (AAE) and the Student Internet Gateway agreement. In addition, the ED has established a Cybersecurity Team within the Office of Federal Student Aid. The cybersecurity team is also informed of the results of the glba tests and may request additional documents from the institution or service provider to assess the risk to student data provided by the institution or the service`s information security system. If the cybersecurity team finds that the institution or service poses a significant risk to the security of students` information, the cybersecurity team may temporarily or permanently disable the institution`s or service`s access to ED`s information systems. These systems would include Ed`s Title IV funding processing systems, which means that access for persons with disabilities could, following a glba review, significantly interrupt an institution`s obtaining of these funds. In addition, if the cybersecurity team finds that the institution or service provider has very serious data security deficiencies or a history of non-compliance with B GLBA requirements, EdEd may impose fines or take other administrative actions adverse to the institution or service provider. 3. That the institution or service provider be able to document a safety device for any risk covered in point 2. On February 28, 2020, the U.S. Department of Education (ED) issued an electronic announcement on the application of cybersecurity requirements under the Gramm-Leach Bliley Act (GLBA).
As explained in more detail below, the application of these requirements includes referrals to the Federal Trade Commission (FTC), as well as possible fines and other administrative actions of the e- and commercial committee. For more information on these GLBA requirements and other data protection issues related to educational institutions, check out our previous notifications and blog posts. one. Staff training and management.