By Adam Steinfurth, CPA
The Gramm-Leach-Bliley Act (Act or GLBA) requires schools that participate in Title IV to comply with the standards for safeguarding student information as set forth in 16 CFR Part 314. Student information is defined as any record containing nonpublic personal information whether in paper, electronic, or other form that is handled by you or on behalf of you or your affiliates.
Prior to October 30, 2019, the September 2016 Guide for Audits of Proprietary Schools and for Compliance Attestation Engagements of Third-Party Servicers Administering Title IV Programs (For-Profit Guide) did not contain any audit steps for checking compliance. Similarly, until recently, neither did the Compliance Supplement for audits conducted under 2 CFR Part 200 (Uniform Guidance) for Single Audits which covers nonprofit institutions.
Because it was not required, we have not been auditing a school’s compliance with this regulation. However, an amendment to the For-Profit Guide has recently been issued in Dear CPA Letter 19-01, and guidance was issued in the 2019 Compliance Supplement to the Uniform Guidance for auditing the institution’s compliance with the Act.
This new guidance specifies that the auditor should determine whether the institution designated an individual to coordinate the school’s information security program, performed a risk assessment that addresses the three areas noted in 16 CFR 314.4(b), and documented safeguards for each risk identified.
The three areas noted in 16 CFR 314.4(b) are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures.
While these audit requirements are not very in-depth, they require us to request new documentation from institutions. We suggest that you review your current GLBA documentation and verify it meets the standards of 16 CFR 314.
As always, McClintock & Associates is available to answer any questions you may have.