The Catholic University of America


Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act)

15 U.S.C. § 6801 et seq.; 16 CFR § 313.1 et seq. (privacy); 16 CFR § 314.1 et seq. (safeguarding)

This law regulates the disclosure of non-public personal information by financial institutions. Specifically, the law protects consumers or customers who are "individuals obtaining financial products or services to be used primarily for personal, family or other household purposes." The law requires a financial institution to provide notice to customers about its privacy policy and practices, describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, and provides a method for consumers to prevent disclosure of financial information by "opting out." This involves both notice of privacy policies to customers at the inception of the relationship and annual notices thereafter for the duration of the relationship.

Institutions of higher education, while not exempt from the definition of "financial institutions," are generally excluded from the obligation to comply with the privacy policy regulations. See 65 Fed. Reg. 33646, May 24, 2000. In the preamble to these final consumer financial information privacy regulations the FTC stated:

The Commission also received several comments from colleges and universities and their representatives requesting that institutions of higher education be excluded from the definition of financial institution. The Commission disagrees with those commenters who suggested that colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers. However, such entities are subject to the stringent privacy provisions in the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, which govern the privacy of educational records, including student financial aid records. The Commission has noted in its final rule, therefore, that institutions of higher education that are complying with FERPA to protect the privacy of their student financial aid records will be deemed to be in compliance with the Commission's rule.

Accordingly, the final regulations provide, in 16 CFR § 313.1:

Any institution of higher education that complies with the Federal Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.

However, institutions are not exempt from the safeguarding regulations. The final rules on Safeguarding Customer Information contained at 67 Fed. Reg. 36484 (May 23, 2002) do not exempt educational institutions, and thus institutions must adopt an information security program. Key compliance requirements include designating an employee to coordinate an information security program, identifying risks to the security of customer information (including a risk assessment of computer information systems), and contractually requiring service providers to implement and maintain safeguards.

Selected Case Law

Guin v Brazos Higher Education Service Corp., U.S. Dist. Court, Minnesota, Civ. No. 05-668, Feb. 7, 2006

In this case involving a laptop stolen from an employee's home, the court found no negligence on the part of Brazos Higher Education Service Corporation. Brazos is a non-profit corporation that originates and services student loans. An employee who worked as a financial analyst for the company, and who analyzed loan portfolios before certain transactions, received electronic databases from Brazos. A detailed level of information, including customer personal information, was needed to complete his work.

In Sept. 2004 the employee's home in Silver Spring, Maryland was burglarized, and the company laptop was stolen along with other items. The laptop was not recovered, and the employee had not kept records of which databases (which were unencrypted) might have been on the laptop. The company, pursuant to FTC suggested guidelines and California law (which required notification to customers in that state), gave notice to all 550,000 customers advising that some personal information may have been inappropriately accessed. Guidance was provided to the customers and a call center was set up. One of the customers notified was plaintiff Guin. Although Guin did not find any indication that a third party had accessed his personal information (and it was not even known whether his data was on the stolen laptop), Guin filed an action bringing three claims: (1) breach of contract, (2) breach of fiduciary duty, and (3) negligence.

In analyzing the claims for negligence and breach of duty, the plaintiff argued that Gramm-Leach-Bliley created a statutory duty for Brazos to protect the security and confidentiality of customers' nonpublic personal information, and that failure to do so was negligence per se. The plaintiff argued that Brazos breached the duty imposed by GLB by (1) "providing Wright with personal information that he did not need for the task at hand," (2) "permitting Wright to continue keeping personal information in an unattended, insecure personal residence," and (3) "allowing Wright to keep personal information on his laptop unencrypted."

The court concluded that Guin did not present significant evidence from which a fact finder could conclude that Brazos had failed to comply with GLB. Brazos had a written security plan in place as required by the law, and the employee had been trained pursuant to that plan. From the facts in the case, it did not appear that anyone other than the employee had suffered any harm from the burglary. The court noted the following about GLB:

Brazos authorized Wright to have access to customers' personal information because Wright needed the information to analyze loan portfolios as part of Brazos's asset-liability management function for other lenders. Thus, his access to the personal information was within "the nature and scope of [Brazos's] activities." See 16 C.F.R. § 314.4(a). Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin's persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement. [Footnote 2] Accordingly, Guin has not presented any evidence showing that Brazos violated the GLB Act requirements.

Footnote 2: While it appears that the FTC routinely cautions businesses to "provide for secure data transmission" when collecting customer information by encrypting such information "in transit," there is nothing in the GLB Act about this standard, and the FTC does not provide regulations regarding whether data should be encrypted when stored on the hard drive of a computer.

(emphasis added by CLIC editor)

The court concluded that the theft of the laptop was not reasonably foreseeable and that a reasonable jury could not infer that the burglary caused the plaintiff any injury; the claim for negligence therefore failed, and the case was dismissed on the defendant's motion for summary judgment.

Resources


Financial Institutions and Customer Data: Complying with the Safeguards Rule.

For more information on GLB see http://counsel.cua.edu and click on Gramm Leach Bliley under topical headings on the left hand side of the page.

IT Security for Higher Education: A Legal Perspective (March 20, 2003), an EDUCAUSE white paper


EPIC web page on Gramm-Leach-Bliley Act


updated 10-16-12
