Policy Number: 1-5-4
Effective Date: nd
Policy Applies To: University wide
Responsible Office: University Counsel
INTRODUCTION AND STATEMENT OF PURPOSE
Gramm-Leach-Bliley Act of 1999 (GLBA, PL106-102, passed by the 106th Congress). The Gramm-Leach-Bliley Act, or the Financial Modernization Act, a federal law passed in 1999, provides for privacy protections for consumer information held by financial institutions. In 2003, the Federal Trade Commission (FTC), the enforcing body for the law and its regulations, confirmed that higher education institutions are considered financial institutions under this federal law. Consequently, the federal "Safeguards Rule" of the GLBA requires financial institutions, including institutions of higher education, to have a security plan to protect the confidentiality and integrity of personal information contained in their files. Because the University complies with the Family Educational Rights and Privacy Act (FERPA), it is deemed by federal authorities to be in compliance with the privacy rules under the GLBA (see Undergraduate Catalog and Gothic Guide).
It is interesting to note that the regulations published by the FTC in May 2002 in response to the GLBA define a financial institution as one that engages in financial activities including "making, acquiring, brokering, or servicing loans" and "collection agency services" (16 CFR Part 314). Since the regulations promulgated by the FTC consider higher education institutions to be financial institutions for the purposes of the GLBA, and our University participates in financial activities such as making federal Perkins Loans, our institution must follow the GLBA guidelines.
Consequently, as with FERPA, the University is required to and does take steps to ensure the security and confidentiality of student/customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers (commonly referred to as "personally identifying information").
Although FERPA-mandated procedures are in place to ensure the protection of the privacy interests of students and "customers" in their financial information, the University is currently expanding its finance and ITS administrative policies and procedures with regard to security and privacy protections for data collected and maintained by the University for the purposes contained in the GLBA. University employees who work in financial departments (e.g., financial aid, bursar, controller, etc.) have been oriented to the GLBA and its provisions, with plans for further training. The University, through its ITS Department and its financial offices and departments, is developing a comprehensive security program to ensure full compliance with the GLBA. Periodic assessments of the University's electronic security vulnerability and potential risks have resulted in revising and updating ITS network security measures and computer usage policies. Privacy statements, such as the FERPA student information statements, describe the University's information privacy practices and are available to students by means of the catalog, online and in print, as well as the student guide. The University is also, as a regular practice, including a statement of obligations in its agreements with third parties that may have access to financial records covered by the safeguards contained in the GLBA.
For more information about the GLBA and its impact on higher education institutions, please refer to the following URLs:
For general guidance on the GLBA Safeguards Rule, see Financial Institutions and Customer Data: Complying with the Safeguards Rule (September 2002), available at:
For information concerning obligations for educational institutions under the GLBA, see the National Association of College and University Business Officers (NACUBO) January 31, 2003 Advisory Report, entitled Colleges and Universities Subject to New FTC Rules Safeguarding Customer Information, available at:
DATE TO INITIATE REVIEW AND UPDATE
As deemed necessary or appropriate by the Policy Coordinator, but at a minimum every 5 years from the effective date.