GLB-act

Office of Legal Affairs
MEMORANDUM – PRIVILEGED AND CONFIDENTIAL
TO: Gramm-Leach-Bliley Policy Committee
FROM: Suzanne Carter
RE: UWM’s Obligations Under the Gramm-Leach-Bliley Act
DATE: October 3, 2003
In 1999, Congress responded to the increasing digitization of financial information by
passing the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 et seq. Congress
probably did not consider GLBA’s effect on colleges and universities, but the Federal
Trade Commission provided guidance to institutions of higher education in 2002, when
it issued GLBA’s implementing regulations (16 C.F.R. Part 314). The regulations
subjected practically every entity that collects financial data to GLBA and thereby in
effect guaranteed that financial aid services alone would obligate most colleges and
universities to comply with GLBA and its regulations.
GLBA consists of two sections that concern privacy and information safeguards,
respectively. The privacy section requires those institutions required to comply with
GLBA to notify people of their right to keep their financial information confidential and
their right to decide whether that information may be made publicly available. Many
universities and colleges seem to rely on the idea that if they are in compliance with
FERPA, they comply with this portion of GLBA. While it is true that such a FERPA
carve-out exists, it is important to remember that FERPA applies only to students.
Therefore, if in the future UWM were to collect financial data on its employees or other
non-students through, for example, a home-loan program, a check-cashing service, a
tax-preparation service, or an ID debit-card system, it likely would have to comply with
the privacy requirements. Fortunately, the privacy rule is not overly onerous.
Because of its data collection activities in conjunction with providing financial aid,
UWM is required to comply with GLBA’s second section, pertaining to safeguards. This
section requires institutions to ensure the security and confidentiality of any individual’s
non-public personal financial information, such as bank and credit card account
numbers, credit histories, and social security numbers used in conjunction with
financial transactions.

2310 E. Hartford Avenue
Chapman Hall Room 380 · P. O. Box 413
Milwaukee, WI 53201-0413
414 229-4278
FAX: 414 229-3919
E-mail: cartersl@uwm.edu
The safeguards rule states that, in order to make certain that such data is kept
confidential, institutions must develop, implement and maintain a comprehensive
information security program that is written in accessible language and contains
appropriate administrative, technological and physical safeguards. The regulations give
institutions quite a bit of freedom in developing such a program. They require that
covered entities engage in a risk-assessment process for each relevant area of UWM’s
operations. Such a process must include the following steps:

Designate one or more employees to coordinate the information security
program;

Institute an employee training program in information security. Such a program
should cover anyone who has access to personal financial information;

Assess internal and external risks that may threaten information systems,
including those risks involved in the processing, storage, transmission, and
disposal of information;

Devise a method for detecting, preventing and responding to attacks and other
system failures;

Oversee service providers by contractually obligating them to maintain
safeguards that adhere to GLBA; and

Adjust the security program as it is evaluated through use.
While the regulations include few practical suggestions in regard to these steps, they
emphasize that an information security program is never really complete in that it must
continuously respond to new technologies and be evaluated through its responses to
system failures. UWM must be diligent in fulfilling the obligations per the final step
listed above by frequently assessing its information security plan, and the plan itself
must be flexible enough to accommodate periodic improvements.
The date by which the information security plan was required to be drafted was May 23,
2003. Most colleges and universities seem to have missed the compliance date (I was
only able to locate Green Bay’s information security plan among UW campuses), and at
this point, the harshest sanction for non-compliant colleges and universities appears to
be an FTC audit of security practices. Nevertheless, it would be advantageous for UWM
to draft its information security plan as soon as possible, not only in order to comply
with GLBA but also to minimize the liabilities potentially posed by financial information
that is inadvertently exposed.