Questions and Answers about Gramm-Leach-Bliley
See Note below about the Data Accountability and Trust Act ("DATA Act") and the fact that it does not apply to non-profit colleges and universities.
Chart of Frequently Considered Areas, presented at the Annual NACUA Conference, June 2003: a reference chart on whether certain types of data are in or out under Gramm-Leach-Bliley, prepared for the Gramm-Leach-Bliley session at the Annual NACUA Conference.
The notes that follow were drafted for the EDUCAUSE 2003 Networking Conference.
Information Security Programs Under Gramm-Leach-Bliley
Q. What is the law?
A. The law is the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB). It regulates the disclosure of non-public personal information by financial institutions. Institutions of higher education (IHEs) are covered by the law's definition of "financial institutions" because they participate in financial activities, such as offering Federal Perkins Loans.
Q. What does the law require of IHEs?
A. IHEs must have a written information security program. Its purposes are threefold:
- To insure the security and confidentiality of customer information;
- To protect against any anticipated threats or hazards to the security or integrity of such information; and
- To protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Q. Who is a customer?
A. A customer is defined as a consumer who has a customer relationship with you. A consumer means an individual who obtains or has obtained a financial product or service from you that is used primarily for personal, family, or household purposes, or that individual's legal representative. This would include a student who obtained a loan from the school or parents who sent in income tax information in connection with their child's application for a financial aid package.
However, given practical issues as well as other laws such as FERPA, it does not make sense to have safeguards in place for only those students who have obtained loans from the university, so most IHEs will be considering a comprehensive security program. In the same vein, if you are protecting customer credit card information under the law, it makes sense to apply the same security controls to all credit card information held by the IHE.
The law covers both paper copies of information and electronic copies. The safeguarding provision applies not only to all such information about persons with whom the university has a customer relationship, but also pertains to customers of other financial institutions that have provided such information.
Q. What is customer information?
A. In a general sense, customer information typically gathered in connection with obtaining a financial product or service includes names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.
Q. What is a financial product or service?
A. The term financial product or service is defined in 16 CFR 313.3(l)(1) as "any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956." That, in turn, takes you to certain sections of the Federal Reserve Board's so-called "Regulation Y," specifically 12 CFR 225.26 and 225.28.
Regulation Y, which is permissive and therefore not a very apt vehicle for defining what GLB requires, includes the activities that we all agree are subject to GLB, like making student or faculty loans, as well as some oddities that may also be applicable to colleges and universities, like career counseling services to individuals who seek employment at financial institutions, and management consulting activities on any subject to a financial institution and on financial, economic, accounting, or audit matters to any company (which might apply to business school practicum programs).*
The FTC has agreed to work with the higher education community in defining how GLB applies to colleges and universities.
Q. What is the time frame?
A. The May 2002 regulations under this law dictate that by May 23, 2003 the IHE must have implemented an information security program. There are a number of components to the program, which will be addressed below. As long as the written plan is in place by May 23, 2003 (or a fairly comprehensive draft), it would seem the university would be exposed to minimal liability if the training is not completed by May 23, 2003, so long as implementation has begun.
Q. What are the general components of the program?
A. IHEs must develop, implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards appropriate to the school's size and complexity, the nature and scope of the IHE's activities, and the sensitivity of any customer information at issue. The written program does not have to be all in one document; it can be a combination of policies (perhaps some already in existence) that together equal a comprehensive policy. Review your existing policies and see where the gaps are.
Q. Didn't universities get an exemption from this law?
A. There are two different sets of rules under this law: the safeguarding rules at 16 CFR Part 314 and the privacy rules at 16 CFR Part 313. Institutions of higher education, while not exempt from the definition of "financial institutions," are generally excluded from the requirement to comply with the GLB privacy policy regulations as long as the institution complies with the Family Educational Rights and Privacy Act. IHEs are not exempt from the safeguards requirements of the law. The final rules on the safeguarding program came out in May 2002.
* This answer on financial product or service provided courtesy of Jeff Swope, Palmer and Dodge, LLP
Five key sections to GLB safeguarding program
Designate an employee or employees to coordinate your information security program.
Who should be the designated employee?
This will depend on the school. It might be the CIO, the HIPAA privacy officer, the Registrar, the Bursar, or a combination of the above. If the designated employee is the Security Officer, consider appointing a second designee who is not part of the information security operation for purposes of checks/balances.
Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.
First identify information and systems to be protected. What offices will be covered?
Consider taking an organizational chart of the university and looking at who has access to customer information or oversees contracts with service providers that have access to customer information. The Registrar's Office, Financial Aid, Business Services, Admissions, Development, and Athletics are examples of offices that might be covered.
Eight factors for protecting customer information:
- Access control
- Physical security at locations where customer information is stored
- Encryption of electronic customer information (especially in transit)
- A change management process for modifications to customer information systems
- Dual control, segregation of duties and employee background checks for employees with access to customer information
- Monitoring systems and procedures to detect any actual or attempted attacks or intrusions on customer information systems
- An incident response program for handling attempted and actual unauthorized access to customer information
- A disaster recovery program to protect against destruction of customer information due to physical hazards and technical failures
Employee training and management
Training on security awareness should include supporting the information security program in general, as well as addressing the safeguarding of customer information. Training should cover anyone who has access to a system that has customer information, and also anyone who has access to paper copies of customer information. Train your employees not to confirm confidential information over the phone or by email, even if the other party provides it. Training might include attendance at industry conferences. Keep documentation of the training. Professors who have access to student information systems will need training, and GLB training for this group may be made a component of FERPA training.
Oversee service providers
- Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
- Require your service providers by contract to implement and maintain such safeguards. Contracts entered into prior to June 24, 2002 are grandfathered in until May 24, 2004.
- Send form letters to third-party business partners detailing the GLB provisions and attach an amendment to the contract where necessary.
- Ensure that as contracts come up for renewal, the privacy clause is included.
Evaluate and adjust your information security program
Some schools are considering audits by outside security firms.
Enforcement
Enforcement of the law is by the agency rather than by individual complaint. A review by the agency for compliance might be triggered by an industry wide review, a press release or a complaint. This may result in a non-public review, or an enforcement action by the FTC. Penalties at an IHE would most likely be equitable damages due to the loss, e.g. identity theft. Industry standards are likely to be considered. Alain Sheer of the FTC has stated that the FTC will work with IHEs to help bring them into compliance. Initial enforcement will focus on large scale violations. The FTC will follow a standard of reasonableness.
Issues the policy/policies might address:
Are all computers on the network registered? If not, the GLB policy would seem to indicate they should be.
Track the manner in which Social Security numbers are used at your institution. For what services are students required to provide an SSN? Can this be minimized? Note that different rules apply to public and private institutions with regard to SSNs. Also note the various state laws prohibiting use of the SSN as a student identifier.
What is your policy for release of student records pursuant to an electronic request? To be covered under FERPA, and GLB if it involves customer information as defined therein, the IHE should be able to show how it will authenticate the identity of the requester, and protect the integrity of the data in transmission and upon receipt at the IHE. The policy should also address how to attribute the request to the requester.
Q: Does GLB require notification to a college/university community when there's an intrusion into the school's information technology systems, as some state laws do (e.g., California)?
A: This answer comes courtesy of attorney Peter C. Cassat at the law firm of Dow, Lohnes & Albertson, LLC, from a NACUANet email exchange November 3, 2005.
"I don't think there is a notification requirement under the GLB Safeguards Rule. The inquirer may need to consider, however, whether other state security breach notification statutes would apply in addition to the security breach notification statute in his or her own state. Many of these statutes are modeled after the California law, which applies so as to require notice to California residents even if the breach occurs outside of California. I believe that approximately 15 states have now enacted security breach notification statutes and if residents of those states attend the institution it is possible that some of those statutes would apply. (And to the extent that there are conflicting state requirements or time periods for notifying it could make things complicated, which is why the federal notification legislation currently being debated might at least offer some benefit if it preempts state laws.)"
Q: Will colleges and universities fall under the new Data Accountability and Trust Act ("DATA Act")?
A: Answer provided by Rodney Petersen, Policy Analyst and Internet2 Security Task Force Coordinator for EDUCAUSE. Non-profit organizations, including colleges and universities, will fall outside of the scope for enforcement of the DATA Act - short for "Data Accountability and Trust Act". Enforcement would fall under the authority of the Federal Trade Commission Act which is intended for businesses. There are other proposals in the Congress that would encompass higher education. There will be a panel discussion at the EDUCAUSE Policy Conference (http://www.educause.edu/pol06) on April 26, 2006 that will look at the new state laws, Federal proposals, and international considerations with respect to data incident notifications.
Non-public personal information is defined as (i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 CFR § 313.3(n).
links updated 6/30/08 rab
Last Revised 30-Jun-08 04:40 PM.