Understanding GLBA in Higher Education


Why Protecting Student Financial Data Matters for UC Staff

Universities manage a significant amount of sensitive financial information every day, including student loan applications, account numbers, and payment plans. Protecting this information is not only a good security practice—it’s also required under federal law.

Why GLBA Applies to Higher Education

The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to protect their customers' nonpublic personal financial information. The law was not written with higher education in mind. However, universities that administer student loans and other federal student aid under Title IV of the Higher Education Act are treated as financial institutions for GLBA purposes, because making and servicing loans is a financial service, and institutions commit to GLBA compliance in their Title IV Program Participation Agreement with the U.S. Department of Education.

As a result, universities must ensure that nonpublic personal financial information, such as bank account numbers, account balances, student loan information, and Social Security numbers, is protected from unauthorized access or disclosure.

The Three Key Components of GLBA

GLBA includes three primary rules that govern how organizations collect, protect, and share financial information.

#1 Privacy Rule

The Privacy Rule limits how nonpublic personal financial information may be shared with third parties. Higher education institutions that comply with the Family Educational Rights and Privacy Act (FERPA) are deemed by the Federal Trade Commission to be in compliance with the GLBA Privacy Rule, since FERPA already regulates how student records can be disclosed. In practice, the Privacy Rule adds little new work for a university; the Safeguards Rule is where the effort lies.

#2 Safeguards Rule

The Safeguards Rule is the most operationally significant part of GLBA for universities. It requires each institution to develop, implement, and maintain a written, comprehensive Information Security Program designed to protect customer financial information. The rule's elements include designating a qualified individual to run the program, conducting a written risk assessment, implementing safeguards such as access controls, encryption of customer information in transit and at rest, and multi-factor authentication, regularly testing and monitoring those safeguards, training staff, overseeing service providers, and maintaining a written incident response plan.

The Safeguards Rule treats protecting financial data as an ongoing obligation, not a one-time compliance exercise: risk assessments are repeated periodically, safeguards are tested regularly, and the program is adjusted as the institution, its systems, and the threats it faces change.

#3 Pretexting Rule

The Pretexting Rule addresses attempts to obtain financial information under false pretenses, that is, social engineering and impersonation. Common methods include phishing emails, fraudulent phone calls, and other attempts to trick employees into sharing sensitive financial data, for example a caller posing as a student or parent who asks to have an account balance or loan detail read back to them.

How GLBA Affects Campus Operations

GLBA compliance impacts multiple departments across a university. While security teams implement many of the technical safeguards, protecting financial information requires coordination across several functions, such as:

  • IT and information security teams
  • Financial aid offices
  • Procurement and vendor management teams
  • Risk management and compliance offices
  • Departments that collect or transmit financial documentation

GLBA also places strong emphasis on vendor oversight. Institutions remain responsible for protecting financial information even when it is processed or stored by third-party service providers: the Safeguards Rule requires institutions to select providers capable of maintaining appropriate safeguards, to require those safeguards by contract, and to periodically assess providers based on the risk they present.

What This Means for UC Staff

While many safeguards are implemented at the institutional level, all members of UC play a critical role in protecting sensitive financial information. It’s vital that employees:

  • Understand what qualifies as student financial information
  • Follow secure authentication and password practices
  • Handle financial documents carefully and store them in approved systems
  • Be aware of phishing and social engineering attempts
  • Complete required training related to GLBA compliance
  • Ask before sharing financial information when unsure

What UC Is Doing

The University of California maintains a systemwide program to support GLBA compliance and protect sensitive financial data. This includes:

  • A formal Information Security Program aligned with federal requirements
  • Regular GLBA risk assessments and compliance reviews
  • Ongoing risk management and reporting
  • Third‑party supplier oversight and monitoring

GLBA in Everyday Work

Supporting GLBA compliance is everyone’s responsibility and often comes down to following basic security practices. Employees should:

  • Report suspicious emails or possible phishing attempts
  • Use encryption when sending sensitive documents
  • Verify identity before sharing financial information
  • Only use approved university systems to store sensitive data

Protecting Students Through Security

GLBA compliance is ultimately about protecting students’ financial privacy and maintaining trust in the university. By following security best practices and remaining aware of potential risks, UC staff can help ensure that sensitive financial information remains protected.

When it comes to financial data, security is everyone’s job. Every employee who works with this information helps protect our students and supports UC’s commitment to strong data security.

Resources

Here are some university policies and other guidance related to GLBA:

For more information, contact Melonie White, Digital Risk Governance, Analytics, and Advisory Services Manager at melonie.white@ucop.edu.

Author

Melonie White
Digital Risk Governance, Analytics, and Advisory Services Manager
UC Office of the President