Gramm – Leach – Bliley Act

The Gramm-Leach-Bliley (GLB) Act requires financial institutions to take steps to ensure the security and confidentiality of “customer” records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.

The GLB Act broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes.

The GLB Act spells out several specific requirements regarding the privacy of “customer” financial information. The law imposes two fundamental requirements: explicit notification of information-sharing policies and a means for customers to "opt out" of those practices. Privacy and opt-out notification is not a one-time procedure under GLBA; such notification must occur at least annually. In addition, if an organization's privacy policies change in any way that would allow information sharing other than as previously described, the new policy must be sent to all customers. When a new privacy policy is developed, the organization cannot share any information until the consumer has had a "reasonable opportunity" to opt out.

To be in compliance with GLBA, financial institutions had to deliver a copy of their privacy policies to their customers in a "clear and conspicuous" manner no later than July 1, 2001. Although "clear and conspicuous" has not been formally defined, most financial organizations agree that such notification should consist of a written copy of the institution's privacy policy and practices, mailed to each and every customer.

Under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act for student financial information if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions remain subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer information.

The GLB Act requires financial institutions to develop a written information security plan that describes the institution’s program to protect “customer” information. As part of the plan, the institutions must:

  • Designate one or more employees to coordinate the safeguards.

  • Identify and assess the risks to customer information in each relevant area of operation, and evaluate the effectiveness of the current safeguards for controlling these risks.

  • Design and implement a security safeguard program, and regularly monitor and test it.

  • Select appropriate Internet Service Providers and contract with them to implement safeguards.

  • Evaluate and adjust the program in light of relevant circumstances, including changes in operations or the results of testing and monitoring of safeguards.

Non-compliance with GLBA can result in a variety of fines and up to 5 years imprisonment for EACH violation.