The Department of Education has made it clear that Title IV schools must comply with certain cybersecurity regulations, including those found in the Gramm-Leach-Bliley Act (GLBA). At a minimum, Title IV schools must understand the requirements of the new law and ensure compliance with those requirements. GLBA requires Title IV schools to take specific actions in order to protect a student’s personal information held by the institution. Schools must develop their own cybersecurity programs that include the following:
- Ability to assess the personal information collected, stored, accessed, used, and transmitted by the school.
- An appointed employee or group of employees to manage the school’s cybersecurity program.
- The implementation of physical and technical safeguards for all personal data.
- Written policies and procedures governing the handling, management and transmission of the school’s personal information.
- The ability to audit the school’s technical, physical, and procedural protections to make sure that they are performing as expected, and to adjust any protections that are not performing as expected.
- Assurance that vendors, contractors, consultants and other service providers with access to sensitive information are subject to and bound by the cybersecurity policy.