The Catholic University of America

Student Records and Confidentiality of Financial Information:
University Obligations and the Gramm-Leach-Bliley Act

WHAT IS GRAMM-LEACH-BLILEY?

The Gramm-Leach-Bliley Act (GLB or Act) requires "financial institutions" (which includes colleges and universities) to protect the privacy of their customers, including customers' nonpublic, personal information. Because universities are governed by GLB,* The Catholic University of America has a responsibility to secure the personal records of its students and employees. To ensure this protection, GLB mandates that all institutions establish appropriate administrative, technical and physical safeguards. To set safeguarding standards, the Act directs that all financial institutions implement an Information Security Program and designate a program coordinator. CUA has designated the Director of Academic Technology Services for the Center for Planning and Information Technology as the Program's coordinator.

*GLB also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement because they already do so under the Family Educational Rights and Privacy Act (FERPA). Colleges and universities complying with FERPA are considered in compliance with GLB.

The Information Security Program must include five main elements: designation of one or more employees as coordinator of the information security program; identification of internal and external risks to the security and confidentiality of customer information and evaluation of current safeguards; employee training; oversight of service providers; and evaluation of the information security program.

WHAT ABOUT OTHER RELATED LAWS?

The Family Educational Rights and Privacy Act (FERPA) stipulates that before receipt of federal educational funding, institutions must provide student access to, and maintain the privacy of, education records. However, institutions may designate directory information that may be released without permission of the student, which may include a student's name or address. For the University's policy regarding FERPA, see the Student Records Policy online at http://policies.cua.edu. FERPA pertains to GLB in that the goal of both Acts is to ensure the privacy of student information. An institution's compliance with FERPA is regarded as compliance with the separate privacy aspect of GLB.

To ensure that all university employees are in compliance with the law, this guide sets out the basics for protecting student and employee records. Because of the volume of personal information that flows into and through the University, security is essential. Also, students, applicants, faculty and staff are entitled to assurances that the personal information they submit to the University will be safeguarded.

HOW WILL THIS LAW AFFECT MY JOB?

Nonpublic, personal information may be sought via phone or even email from outside vendors or other persons. Before releasing any information, it is important to report requests for personal information to university employees who have undergone the information security training. This includes requests from persons who, in an effort to gain your trust, offer a few pieces of personal information regarding a student already in their possession. This method of seeking nonpublic, personal information is called pretext calling and is a popular scam. You may release a student's personal information only if the student has specifically authorized you to do so by way of written waiver, or if the release meets one of the enumerated exceptions in the CUA Student Records policy (Please see the Student Records policy at http://policies.cua.edu). Never give out a student's Social Security number over the phone and never confirm information a caller provides.

WHAT TYPE OF INFORMATION MUST I PROTECT?

Upon receipt of student names, addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, be aware that all such information is protected under GLB. Directory information may be released pursuant to the CUA student record policy. Generally, any student or parent financial information must be safeguarded. The protection applies whether the information is in paper or electronic form.

WHAT ELSE CAN I DO TO SAFEGUARD CUSTOMER INFORMATION?

Always make sure sensitive customer information is transmitted over encrypted networks. Do not request that customers send credit card numbers or Social Security numbers over non-encrypted networks. To prevent access by unauthorized persons, do not give anyone else your password.

WHICH UNIVERSITY EMPLOYEES MUST PARTICIPATE IN TRAINING?

All CUA employees with access to credit card numbers and other nonpublic information included in student records (such as Social Security numbers) must undergo training. This training will vary by department and will be coordinated by the Office of General Counsel.

IF I RECEIVE CALLS OR REQUESTS FOR CUSTOMER INFORMATION, TO WHOM SHOULD I REFER THEM?

Refer callers requesting private customer information only to those university employees who have undergone the information security training. If you suspect fraud, or an attempt to fraudulently obtain any financial customer information, report it to the Registrar for student record issues, to the internal auditor for financial issues, or to the Director of Academic Technology Services for the Center for Planning and Information Technology for computer issues. For all other issues, report to the Office of General Counsel. Also, inform the student about whom the information is sought of any suspect requests.

WHAT IS CUA DOING IN ORDER TO SAFEGUARD PRIVATE INFORMATION?

CUA is currently implementing its own Information Security Program, as required by GLB. For greater protection, CUA's Plan will safeguard all credit card information even though it may not be strictly required under GLB. The CUA Interim Plan is located on the General Counsel's website at http://counsel.cua.edu/glb. Here are the ways CUA is incorporating the safeguarding elements GLB requires:

1) Information Security Policy Coordinator

The Director of Academic Technology Services for the Center for Planning and Information Technology will serve as the Policy Coordinator. The Coordinator will work closely with the General Counsel's office to implement CUA's Plan. The Coordinator will also interact with relevant University Departments to facilitate safeguarding measures. All general questions regarding CUA's Plan should be directed to the Coordinator.

2) Risk Identification and Evaluation of Current Safeguards

First, the Coordinator must identify all potential and actual risks to the security and confidentiality of customer information. Under the Coordinator's guidance, every School or Department head will conduct an annual data security review. Vice Presidents will identify any employees who work with covered data and information. The Center for Planning and Information Technology (CPIT) will review procedures, incidents, and responses quarterly, and will publish all relevant materials where the risk of security breach is not likely. CPIT is developing a registry of all computers connected to the University network and a registry of University community members with access to the covered data and information. CPIT is also creating a plan to ensure the encryption of all electronic covered information in transit.

3) Training

CPIT, the Office of General Counsel (OGC), and the Office of Human Resources are developing training and education programs for all employees with access to covered data, including Social Security numbers and financial information. Directors and supervisors will play a particularly important part in securing compliance with the information security policy.

4) Oversight of Service Providers

Business Services, in cooperation with the Office of General Counsel, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. OGC will take steps to ensure that all relevant future contracts will include a privacy clause and that all existing contracts are in compliance with GLB.

Contracts entered into prior to June 24, 2002 are grandfathered until May 2004.

5) Program Evaluation

CUA's Information Security Plan will be subject to periodic review and adjustment, as required by GLB. Quarterly reviews will be conducted within CPIT, while other relevant University offices will undergo regular review. The Information Security Plan itself will be reevaluated annually.

WHAT IF CALLS/REQUESTS COME FROM SEEMINGLY VALID SOURCES?

Please report all suspicious calls to the appropriate persons on campus. Remember that so-called "pretext calling" is a method people may use to support their claim that they are calling from an official source. Be wary of callers seeking nonpublic information, regardless of the source. There are ways to verify requests for releases. You can call the person back after verifying his/her title and phone number over the Internet, or confirm the validity of the request by talking to the student about whom the information is sought.

HOW CAN I TELL WHETHER INFORMATION SUBMITTED OVER THE INTERNET IS SECURED?

Web sites can be secured in a number of ways. One sign of a secured site is the letter "s" in your web address bar at the top of the screen following "http" so it reads: https. Another mark of a secured site is a yellow lock symbol in the lower right-hand corner of your screen. Take precautions when submitting or accepting credit card or other private information over web sites without these or similar symbols or indicators.

Office of General Counsel July 2003

WHAT IS ALL THE FUSS ABOUT SOCIAL SECURITY NUMBERS ANYWAY?

The unauthorized release of Social Security numbers can lead to identity theft. By fraudulently obtaining a person's SSN, someone can assume that person's identity and gain access to or establish new bank or credit accounts. Although not technically covered under GLB, CUA no longer uses Social Security numbers as student identifiers. However, student Social Security numbers remain in the student information system because some University employees continue to rely on them. CUA will assess who has access to Social Security numbers (including subcontractors and consortiums), in what systems they can be found, and when someone is inappropriately trying to obtain a student's SSN.

HOW DOES INFORMATION SECURITY AFFECT CAMPUS GROUPS OR DEPARTMENTS?

Departments or campus groups that have access to or collect financial information or Social Security numbers must be mindful when using or transmitting that information. Do not leave nonpublic information displayed on your computer screen when your computer is unattended. For example, access to certain University web sites such as Cardinal Students is limited; therefore users must prevent unauthorized access to student Social Security numbers. Also, because information sent via email is not encrypted, do not solicit financial information or an SSN in this manner for any reason. Physical records must also be secured, so do not leave forms or printouts containing nonpublic information where unauthorized persons may obtain them. Secure paper files containing private, covered information in locked filing cabinets or other secured storage areas.

links updated 6/30/08 rab