The Gramm-Leach-Bliley Act (GLBA) is a law that applies to financial institutions and includes privacy and information security provisions that are designed to protect consumer financial data. This law applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing personally identifiable information. GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions. Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). The Safeguards Rule was promulgated in 2002, with compliance required in May 2003.
How Does the Gramm-Leach-Bliley Act (GLBA) Apply to JSU?
Jackson State University must comply with GLBA’s safeguarding regulations, based on GLBA’s final rules on Safeguarding Customer Information. Educational institutions are not exempt and must adopt an information security program. Key compliance requirements include:
- Designating an employee to coordinate an information security program.
- Identifying risks to the security of customer information (including a risk assessment of computer information systems).
- Contractually requiring service providers to implement and maintain safeguards.
Colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are still subject to the provisions of the GLB Act related to the administrative, technical, and physical safeguarding of customer information.
To comply with GLBA:
- Jackson State University has designated an official Chief Information Security Officer.
- University units that are significantly engaged in financial activities that involve the collection or utilization of customer financial information must identify themselves to the University’s Information Security Officer. Examples of activities to which GLBA applies include administering financial aid, processing credit card information, and collecting any other form of customer financial information. JSU departments engaging in these activities must document all such collection and processing activities, describe the nature and extent of their utilization of customer information, and appoint an employee to oversee the unit’s information safeguards practices.
- University units must assess their current customer information practices, identify vulnerabilities, and take appropriate measures to secure customer information.
What are the Key Information Protection Requirements under GLBA?
The Gramm-Leach-Bliley Act put several major requirements into place to govern the collection, disclosure, and protection of consumers’ nonpublic personal information (NPI) or personally identifiable information (PII).
Financial Privacy Rule – This rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement.
Safeguards Rule – This rule requires financial institutions to develop a written information security plan describing their processes and procedures for protecting clients’ NPI. Covered entities must conduct a thorough risk analysis of each department handling the nonpublic information, as well as develop, monitor, and test a program to secure the information. If there are changes in how information is collected, stored, and used, the safeguards must be updated as well. The Federal government provides a set of standards for safeguarding customer information.
More information on GLBA can be found here: https://federalregister.gov/a/07-1476.