
Is Your Organization Keeping Up with GLBA? What Nonprofit and Higher Education Leaders Should Know

Jun 15, 2026

The Gramm-Leach-Bliley Act (GLBA) has been on the books since 1999. For many organizations, GLBA compliance may have settled into the background — one more item on a long list of regulatory obligations that gets reviewed periodically but rarely treated as urgent.

It’s worth reconsidering that check-the-box mentality. Significant updates to GLBA’s Safeguards Rule took effect in 2023, followed by a breach notification requirement that became enforceable in 2024. These weren’t minor adjustments — they added specific, operational requirements that many existing programs didn’t reflect. If your organization addressed GLBA years ago and you haven’t revisited it since, you may have meaningful gaps in your compliance.

More Organizations Are Covered Than You Might Expect

GLBA is commonly associated with banks, credit unions, and other traditional financial companies. But the Federal Trade Commission (FTC), which enforces the law for organizations outside the banking sector, uses a broad definition of “financial institution” — broad enough to include many nonprofits and higher education institutions.

Under that definition, a financial institution is any organization whose business involves financial activities or activities incidental to financial services. For nonprofits, that can include offering payment plans, providing financial counseling, making or servicing loans, or even providing tax preparation assistance. For higher education institutions, offering federal loans to students or parents under Title IV is itself enough to bring an institution under GLBA’s requirements.

The key question is whether your organization is “significantly engaged” in financial activities. If the answer is yes — or even maybe — it’s worth taking a closer look.

One nuance worth noting for higher education leaders: Compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies GLBA’s Privacy Rule, which governs how organizations communicate their information-sharing practices. But FERPA compliance does not satisfy the Safeguards Rule, which governs how organizations protect that information. Those are two separate obligations, and the Safeguards Rule requires its own program.

What GLBA Requires

GLBA has three main components:

The Privacy Rule requires covered organizations to notify customers about their information-sharing practices and give them the opportunity to limit certain types of sharing.

The Pretexting Rule protects against social engineering schemes in which someone obtains customer information under false pretenses.

The Safeguards Rule — the most operationally demanding of the three — requires organizations to develop, implement, and maintain a written information security program that formalizes policies and procedures to address the following nine elements:

  1. Designating a qualified individual to oversee and implement the information security program
  2. Conducting a written risk assessment that identifies reasonably foreseeable threats to customer information
  3. Implementing specific safeguards outlined by GLBA to address the risks identified in that assessment
  4. Regularly testing and monitoring those safeguards, through either continuous monitoring or periodic vulnerability assessments and penetration testing
  5. Training and preparing staff to enact the information security program
  6. Overseeing vendors and ensuring they maintain appropriate safeguards
  7. Keeping the information security program current as the threat environment and business operations evolve
  8. Establishing an incident response plan
  9. Regular written reporting to the board or governing body on the status of the program

Note that some of the more prescriptive elements of the updated rule apply only to organizations with 5,000 or more records. These carveouts apply to the written risk assessment, continuous monitoring, written incident response plan, and requirement for written reporting to the board.

Organizations with fewer records may have more flexibility in how they implement certain requirements, but the core obligation to maintain a written information security program applies regardless of size. It should also be noted that when identifying the number of records, the organization should consider both current records and records retained for historical purposes. Each individual piece of personally identifiable information, such as information on each student and each parent, counts as a record. Because of this, even small organizations can accumulate thousands of records.

Service Provider Management: A Commonly Overlooked Piece

One of the more challenging aspects of GLBA compliance involves third-party service providers, often referred to as vendors. Many organizations have shifted toward cloud-based systems and outsourced technology services — a practical and often cost-effective approach. But outsourcing technology doesn’t transfer compliance responsibility.

If a vendor stores, accesses, or transmits your customers’ information, you need to ensure the vendor maintains appropriate safeguards. That responsibility extends to what are sometimes called fourth-party relationships — vendors your vendors rely on. A breach at that level can still compromise your data and trigger your notification obligations.

A formal vendor management program can help. At a minimum, it should include a process for vetting new vendors before contracts are signed, ongoing monitoring of critical vendor relationships, and clear criteria for how vendors are tiered based on the sensitivity of the data they handle and the criticality of the services they provide. Vendors that store sensitive customer data or have access to your network warrant a higher level of scrutiny than those with limited or incidental contact.

What Happens When Organizations Fall Short

The FTC has authority to bring enforcement actions against organizations that fail to comply with GLBA, and that authority extends to nonprofits and higher education institutions within its jurisdiction. Penalties can include fines and required remediation, and enforcement actions become part of the public record.

The 2024 breach notification requirement adds a specific timeline to that risk: If a security event affects the information of 500 or more individuals, the organization must notify the FTC within 30 days of discovering the breach. Being unprepared when an incident occurs — without a tested incident response plan or a clear chain of communication — can compound the impact considerably.

For higher education institutions that participate in Title IV programs, GLBA compliance is also a Single Audit matter. Beginning with the Office of Management and Budget’s 2023 Compliance Supplement, auditors must now confirm that a written information security program has been established and verify that the program addresses the required critical elements.

Where to Start

If your organization hasn’t revisited its GLBA program since the 2023 updates took effect, a good starting point is a gap assessment — a structured review of your current information security program against what the updated Safeguards Rule requires. That review can help you identify which elements of the nine-point program are in place, which need strengthening, and where documentation may be incomplete. Make sure the gap assessment looks at what’s been completed and submitted for insurance renewals. Most cybersecurity insurance mandates GLBA-level protection as a threshold for coverage.

Following a gap assessment, priorities often include:

  • Updating the risk assessment
  • Formalizing the vendor management process
  • Ensuring that staff training covers current threats and your organization’s specific policies
  • Confirming that the board or governing body is receiving the required annual report

For many organizations, the challenge isn’t a lack of willingness to comply — it’s bandwidth and expertise. GLBA compliance involves both technical and operational dimensions, and keeping pace with evolving requirements takes sustained attention. Working with an advisor who has experience in this area can help your organization close gaps efficiently and build a program that holds up over time.

Ready to close gaps in your organization’s GLBA compliance? Reach out to a CRI advisor to discuss where your organization stands and what next steps might make sense.
