Gramm-Leach-Bliley Act Compliance

Title: Gramm-Leach-Bliley Act Compliance
Approved by: Office of the President
Date approved by President or Board of Trustees: July 11, 2018
Effective date: July 11, 2018
Responsible Official: Chief Information Security Officer
Responsible University Office: UTech Security and Policy
Revision History: 3
Related legislation and University policies:

Review Period: 3 Years
Date of Last Review: July 26, 2024
Related to: Faculty, Staff, Financial Aid

Summary

This document describes the scope and impact of the Gramm-Leach-Bliley Act (GLBA) compliance activities at the University.

Purpose

The Gramm-Leach-Bliley Act was signed into law in 1999 as part of an effort to enhance competition in the financial services industry. Section 501 of this Act calls for the protection of non-public personal information. Although they are not part of the financial services industry, higher education institutions such as the University are considered financial institutions under this Act because of their significant role in servicing student loans. The Federal Trade Commission, the statutory authority for implementation of the GLBA, published a Final Rule entitled to implement the privacy provisions of the GLBA.

Similarly, higher education institutions are subject to broad privacy compliance provisions of the 1974 Family Educational Rights and Privacy Act (FERPA), which is administered by the U.S. Department of Education. The FERPA requirements are understood to override any other compliance activities when dealing with educational records.

In 2001, the Federal Trade Commission published a Final Rule entitled . This Rule states that financial institutions must "[...] develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." (16 CFR 314.3) Within the scope of their role as financial institutions, institutions of higher education are required to conform to this rule.

The university standards that apply to privacy of educational records are encompassed within the , and administered by the University Registrar.

The university standards that apply to overall privacy in IT systems and services are encompassed within the University Acceptable Use of Information Technology policy (AUP).

The scope of the GLBA compliance activities shall be restricted to financial information associated with the awarding of financial aid and student loans, in workflows administered by the Office of University Financial Aid.

The university’s Information Security Office manages these elements of GLBA compliance in the overall scope of the information security program:

  • The university Chief Information Security Officer has been designated to coordinate the information security program
  • Through the conduct of regular risk assessments and the evaluation of security incidents, the Information Security Office maintains an index of risks to university operations in accordance with the Risk Management Plan
  • As part of university risk management, security controls and processes are selected, designed, and implemented to address causal risks in accordance with the risk tolerance of the university
  • Monitoring ongoing risks and testing the efficacy of implemented controls, and providing user security training and awareness
  • Maintaining and exercising incident response capabilities, as well as disaster recovery and business continuity plans

Responsibility

Information Security Office: administer the information security program

University Registrar: administer and maintain the University FERPA Policy

Office of University Financial Aid: manage and maintain financial aid records and any information received from external partners associated with financial aid