The Catholic University of America

Summary of Federal Laws

Miscellaneous Laws Affecting Universities

Compliance Partners

IT Security Program Manager

Associate Director of Enrollment Management Systems

Director of Enrollment Services, Business System

General Counsel

Related Policies

Information Security and Assurance

Identity Theft Prevention

Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act)

15 U.S.C. § 6801 et seq.; 16 CFR § 313.1 et seq. (privacy); 16 CFR § 314.1 et seq. (safeguarding)

This law regulates the disclosure of non-public personal information by financial institutions. Specifically, the law protects consumers or customers, meaning "individuals obtaining financial products or services to be used primarily for personal, family or other household purposes." The law requires a financial institution to give customers notice of its privacy policy and practices, describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, and provides a method for consumers to prevent disclosure of their financial information by "opting out." The privacy notice must be provided to customers at the inception of the customer relationship and annually thereafter.

Institutions of higher education are not excluded from the definition of "financial institution," but they are deemed to comply with the privacy regulations so long as they comply with FERPA. See 65 Fed. Reg. 33646 (May 24, 2000). In the preamble to these final consumer financial information privacy regulations, the FTC stated:

The Commission also received several comments from colleges and universities and their representatives requesting that institutions of higher education be excluded from the definition of financial institution. The Commission disagrees with those commenters who suggested that colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers. However, such entities are subject to the stringent privacy provisions in the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, which govern the privacy of educational records, including student financial aid records. The Commission has noted in its final rule, therefore, that institutions of higher education that are complying with FERPA to protect the privacy of their student financial aid records will be deemed to be in compliance with the Commission's rule.

Accordingly, the final regulations provide, in 16 CFR § 313.1:

Any institution of higher education that complies with the Federal Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.

However, the FERPA deeming provision applies only to the privacy rule; institutions are not exempt from the safeguarding regulations. The final rule on Safeguarding Customer Information, 67 Fed. Reg. 36484 (May 23, 2002), does not exempt educational institutions, so an institution that holds customer financial information (for example, student loan and other financial aid records) must develop, implement and maintain a written information security program. Key compliance requirements include designating an employee or employees to coordinate the program; identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (including a risk assessment of computer information systems); designing and implementing safeguards to control those risks and regularly testing or monitoring their effectiveness; contractually requiring service providers to implement and maintain appropriate safeguards; and evaluating and adjusting the program in light of test results and changes in operations or business arrangements.

Resources

Resources for Information Assurance Web Page

Financial Institutions and Customer Data: Complying with the Safeguards Rule.

EPIC web page on Gramm-Leach-Bliley Act

updated 5-7-14 mlo