Gramm-Leach-Bliley Act: Safeguarding Customer Information
The Gramm-Leach-Bliley Act (GLB Act) Safeguards Rule pertains to the safeguarding of customer financial information. The rule requires financial institutions, including colleges and universities, to develop plans and establish policies to protect such information.
The information below describes the various components of the university's information security program that are in accord with, and support compliance with, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and provides references to additional materials and to applicable policies and guidelines.
The GLB Act broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes. The GLB Act spells out several specific requirements regarding the privacy of customer financial information.
The final rules indicate that the objectives of the information security program are:
- To ensure the security and confidentiality of customer information;
- To protect against any anticipated threats to the security or integrity of such information;
- To guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Examples of services or activities that the university may offer which result in the creation of customer information covered under the GLB Act could include but are not limited to:
- Student (or other) loans, including receiving application information, and the making or servicing of such loans
- Credit counseling services
- Collection of delinquent loans and accounts
- Check cashing services
- Long term payment plans involving interest charges
- Obtaining information from a consumer report
- Other miscellaneous financial services defined in 12 CFR § 225.28
Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of you or your affiliates. 16 CFR Part 313.3(n)(1) defines nonpublic personal information as “personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.” An example for colleges and universities would be information that a student provides on the Free Application for Federal Student Aid (FAFSA).
Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its direct provision of services to a financial institution.
Elements of Indiana University’s Information Security Plan
- The University VPCFO has designated a cross-functional team to be responsible for coordinating the information security program.
- Identifying and assessing risks to customer information is done through the data stewards, data managers, and the University Information Security Office (UISO). The University Data Management Council (UDMC) is chartered by the Office of the Vice President for Information Technology and works in conjunction with the University Risk and Assurance Council (URAC). The UDMC is comprised of six permanent members and two rotating membership positions. https://datamanagement.iu.edu/index.php
- The university safeguards program can be found at https://protect.iu.edu/online-safety/index.html. This includes information on (1) safeguards, (2) governance, (3) principles, and (4) tools and resources. IU policies on safeguarding information include:
- DM-01: Management of Institutional Data
- DM-02: Disclosing Institutional Information to Third Parties
- ISPP-26: Information and Information System Incident Reporting, Management, and Breach Notification
- IT-07: Privacy of Electronic Information and Information Technology Resources
- IT-12: Security of Information Technology Resources
- IT-28: Cyber Risk Mitigation Responsibilities
- The university only selects service providers that undergo a complete review to ensure compliance with maintaining appropriate safeguards of customer information.
- Rigorous third party reviews
- DM-02: Disclosing Institutional Information to Third Parties
- The university reviews and updates the security program through the Information Security and Privacy Risk Council (ISPRC), the University Information Security Office (UISO), the University Information Policy Office (UIPO), and the University Data Management Council (UDMC). Information can be found at https://protect.iu.edu/online-safety/index.html and https://datamanagement.iu.edu/index.php.
Indiana University also has the following safeguards in place:
- Limit information system access to authorized users (Access Control Requirements); DM-01, #2 & 3. The minimal access principle guides data manager approvals. Account and Access Procedures. Access requests are made and granted, with details maintained in ARMS; IT-07.
- Ensure that system users are properly trained (Awareness and Training Requirements); USSS and UITS create and deliver user training and guidance: https://protect.iu.edu/online-safety/personal-preparedness/index.html. Acceptable Use Agreement; Data Protection and Privacy Tutorial available, not yet required.
- Create information system audit records (Audit and Accountability Requirements); https://protect.iu.edu/online-safety/resources-professionals/audits-requirements.html; HR change triggers are set for SIS access.
- Establish baseline configurations and inventories of systems (Configuration Management Requirements); Enterprise Information Governance System, access to systems collections via ONE
- Identify and authenticate users appropriately (Identification and Authentication Requirements); CAS, 2-factor advised, will be required soon. Rigorous process to provision access to new users via ARMS.
- Establish incident-handling capability (Incident Response Requirements); https://protect.iu.edu/online-safety/report-incident/; UIPO’s IT Incident Response Team; ISPP-26.
- Perform appropriate maintenance on information systems (Maintenance Requirements); IT-12
- Protect media, both paper and digital, containing sensitive information (Media Protection Requirements); Data protection tutorial, Data Privacy Day annual awareness events, IT-12.1. CIB secure site, 2-factor authentication, laptop and mobile device encryption required.
- Screen individuals prior to authorizing access (Personnel Security Requirements); background checks, two layers of access provisioning.
- Limit physical access to systems (Physical Protection Requirements); https://protect.iu.edu/police-safety/building-facility/index.html. Physical protections include rules for locked closets, cabinets, and rooms for paper files with sensitive data. https://protect.iu.edu/online-safety/protect-data/printers-copiers.html
- Conduct risk assessments (Risk Assessment Requirements); IU Internal Audit risk group, IU compliance group, Information Security and Privacy Risk Council https://protect.iu.edu/emergency-planning/procedures/index.html
- Assess security controls periodically and implement action plans (Security Assessment Requirements); https://protect.iu.edu/online-safety/program/safeguards/assessing-risk.html
- Monitor, control, and protect organizational communications (System and Communications Protection Requirements); email and BOX policies, digital signatures, monthly phishing messages and ongoing education
- Identify, report, and correct information flaws in a timely manner (System and Information Integrity Requirement). DM-01 #6, address verification tool, functional audits in FA, SR, UIRR