The Catholic University of America - Campus Legal Clearinghouse
Summary of Federal Laws

Miscellaneous Laws Affecting Universities

Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act)

15 U.S.C. § 6801 et seq.; 16 CFR § 313.1 et seq. (privacy); 16 CFR § 314.1 et seq. (safeguarding)

 

This law regulates the disclosure of non-public personal information by financial institutions. Specifically, the law protects consumers or customers who are "individuals obtaining financial products or services to be used primarily for personal, family or other household purposes." The law requires a financial institution to provide notice to customers about its privacy policy and practices, describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, and provides a method for consumers to prevent disclosure of financial information by "opting out." This involves notice of the privacy policy to customers at the inception of the relationship and annual notices thereafter.

Institutions of higher education, while not exempt from the definition of "financial institutions," are generally excused from complying with the privacy regulations. See 65 Fed. Reg. 33646 (May 24, 2000). In the preamble to these final consumer financial information privacy regulations the FTC stated:

 

The Commission also received several comments from colleges and universities and their representatives requesting that institutions of higher education be excluded from the definition of financial institution. The Commission disagrees with those commenters who suggested that colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers. However, such entities are subject to the stringent privacy provisions in the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, which govern the privacy of educational records, including student financial aid records. The Commission has noted in its final rule, therefore, that institutions of higher education that are complying with FERPA to protect the privacy of their student financial aid records will be deemed to be in compliance with the Commission's rule. 

Accordingly, the final regulations provide, in 16 CFR § 313.1:

 

Any institution of higher education that complies with the Federal Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.

 

However, institutions are not exempt from the safeguarding regulations. The final rules on Standards for Safeguarding Customer Information, 67 Fed. Reg. 36484 (May 23, 2002), codified at 16 CFR part 314, do not exempt educational institutions, and thus institutions must adopt a written information security program. See the NACUBO website for information on what steps a university must take to comply with the Safeguards provisions of this law. Key compliance requirements include designating an employee to coordinate the information security program; identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (including a risk assessment of information systems, covering the storage, transmission, and disposal of that information); designing, implementing, and regularly testing safeguards to control the identified risks; contractually requiring service providers to implement and maintain safeguards; and evaluating and adjusting the program in light of test results and changes in operations.

 

Selected Case Law

 

Guin v. Brazos Higher Education Service Corp., U.S. Dist. Court, Minnesota, Civ. No. 05-668, Feb. 7, 2006

In this case, involving a laptop stolen from an employee's home, the court found no negligence on the part of Brazos Higher Education Service Corporation. Brazos is a non-profit corporation that originates and services student loans. The employee, Wright, worked as a financial analyst for the company, analyzing loan portfolios before certain transactions, and received electronic databases from Brazos for that purpose. A detailed level of information, including customer personal information, was needed to complete his work.

 

In September 2004 the employee's home in Silver Spring, Maryland was burglarized, and the company laptop was stolen along with other items. The laptop was not recovered, and the employee had not kept records of which databases (which were unencrypted) might have been on the laptop. The company, following FTC suggested guidelines and California law (which required notification to customers in that state), gave notice to all 550,000 customers advising them that some personal information may have been inappropriately accessed. Guidance was provided to the customers and a call center was set up. One of the customers notified was the plaintiff, Guin. Although Guin found no indication that a third party had accessed his personal information (and it was not even known whether his data was on the stolen laptop), Guin filed an action bringing three claims: (1) breach of contract, (2) breach of fiduciary duty, and (3) negligence.

 

On the claims for negligence and breach of duty, the plaintiff argued that Gramm-Leach-Bliley created a statutory duty for Brazos to protect the security and confidentiality of customers' nonpublic personal information, and that failure to do so was negligence per se. The plaintiff argued that Brazos breached the duty imposed by GLB by (1) "providing Wright with personal information that he did not need for the task at hand," (2) "permitting Wright to continue keeping personal information in an unattended, insecure personal residence," and (3) "allowing Wright to keep personal information on his laptop unencrypted."

 

The court concluded that Guin did not present significant evidence from which a fact finder could conclude that Brazos had failed to comply with GLB. Brazos had a written security plan in place as required by the law, and the employee had been trained pursuant to that plan. From the facts in the case, it did not appear that anyone other than the employee had suffered any harm from the burglary. The court noted the following about GLB:

 

Brazos authorized Wright to have access to customers' personal information because Wright needed the information to analyze loan portfolios as part of Brazos's asset-liability management function for other lenders. Thus, his access to the personal information was within "the nature and scope of [Brazos's] activities." See 16 C.F.R. § 314.4(a). Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin's persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement. n2 Accordingly, Guin has not presented any evidence showing that Brazos violated the GLB Act requirements.


 

Footnote 2: While it appears that the FTC routinely cautions businesses to "provide for secure data transmission" when collecting customer information by encrypting such information "in transit," there is nothing in the GLB Act about this standard, and the FTC does not provide regulations regarding whether data should be encrypted when stored on the hard drive of a computer.

 (emphasis added by CLIC editor)

The court concluded that the theft of the laptop was not reasonably foreseeable, that a reasonable jury could not infer that the burglary caused the plaintiff any injury, and that the negligence claim therefore failed; the case was dismissed on the defendant's motion for summary judgment.

Note for practitioners: this holding reflects the 2002 Safeguards Rule, which, as the court observed, contains no express encryption requirement. The FTC's 2021 amendments to 16 CFR part 314 added an explicit requirement, at 16 CFR § 314.4(c)(3), to encrypt customer information both in transit over external networks and at rest.

 

Resources

 

Nov. 2004 FTC Enforces GLB Safeguards Rule against Mortgage Companies

 

The FTC web page also has information on how to comply with the Safeguards Rule. See Financial Institutions and Customer Data: Complying with the Safeguards Rule.

 

See also July 2002 Privacy Officers Advisor: FTC Standards for Safeguarding Customer Information.

 

For more information on GLB see http://counsel.cua.edu and click on Gramm Leach Bliley under topical headings on the left hand side of the page.

 

IT Security For Higher Education: A Legal Perspective (March 20, 2003), an Educause white paper.

links updated 3/17/06 pth
updated 2/12/06 to add Brazos case
links updated 6/18/08 rab
Last Revised 18-Jun-08 12:29 PM.