Safeguarding Customer Information
Gramm-Leach-Bliley Act Compliance
Ellen Harris-Small
Terry Wooding
Why was GLBA enacted?
Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.
Safeguard Objectives:
• Ensure security and confidentiality of customer records and information.
• Protect against any anticipated threats or hazards to the security of the records.
• Protect against unauthorized access or use of records or information which could result in harm or inconvenience to the customer.
Information Security Plan
• Written to ensure security and confidentiality of non-public customer financial information (NPI).
• Protect against any anticipated threats and hazards.
• Protect against unauthorized access or use.
Non-public customer information (NPI)
• Credit card numbers
• Social Security numbers
• Driver's license numbers
• Student loan data
• Income information
• Credit histories
• Customer files with NPI
• NPI Consumer information
• Bank Account data
Financial Institutions
Including Colleges and Universities must ensure that their security programs provide adequate protection to customer information in whatever format – electronic or hardcopy.
FTC Ruling
Consumer's information is not a privacy issue but is one of security.
Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.
FERPA vs. GLBA
• The Family Educational Rights and Privacy Act addresses the privacy of student information.
• Gramm-Leach-Bliley Act addresses the security of customer records and information.
Rutgers University
• Has established a committee to ensure compliance.
• Committee meets regularly to review and ensure compliance with the act.
• Performs risk assessment and regular testing.
• Oversees service providers and contracts.
• Trains staff to maintain security and confidentiality.
Why Protect your Identity?
Identity Theft
Statistics on Identity Theft in New Jersey
4802 Complaints / year
1. Credit Card Fraud 2,350 -- 49%
2. Phone or Utilities Fraud 867 -- 18%
3. Bank Fraud 669 -- 14%
4. Government Documents/Benefits Fraud 396 -- 8%
5. Loan Fraud 356 -- 7%
6. Employment-Related Fraud 260 -- 5%
7. Attempted Identity Theft 477 -- 10%
8. Other 710 -- 15%
What is Identity Theft?
• Under the ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity. (Unlawful activity: a violation of Federal law, or a felony under State or local law.)
Identity Theft
When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that “you” will have to pay for.
How Does an Identity Thief Get Your Information?
• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
• Stealing your wallet or purse.
• Stealing information from your home or car.
• Stealing from your mailbox or from mail in transit.
• Sending a bogus email or calling with a false promise or fraudulent purpose.
  - For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.
From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: abuse@rutgers.edu
Subject: To All PNC bank users

Dear PNC user,
During our regular update and verification of the user data, you must confirm your credit card details.
Please confirm you information by clicking link below.
http://Cards.bank.com pncfeatures/cardmember access.shtml
© 2004 PNC Bank
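The bogus "PNC Bank" message above carries the classic red flags a reader (or a mail filter) can look for: a generic greeting, a demand to confirm card details, and a link whose host is not the bank's own domain. The following Python script is an added example, not part of the Rutgers presentation; it runs a few such heuristics over a constructed transcription of the slide's message and over a benign message for comparison. The set of legitimate domains (`{"pnc.com"}`) and the benign sample are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample, transcribed from the bogus "PNC Bank" message on the slide.
SAMPLE_PHISH = """From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: abuse@rutgers.edu
Subject: To All PNC bank users

Dear PNC user,
During our regular update and verification of the user data, you
must confirm your credit card details.
Please confirm you information by clicking link below.
http://Cards.bank.com pncfeatures/cardmember access.shtml
"""

# Constructed benign message used as a control.
SAMPLE_BENIGN = """From: Rutgers Student Accounting
To: staff@rutgers.edu
Subject: Office hours this week

Hello,
The cashier's window closes at 3 PM on Friday. No action is required.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "Dear customer", "Dear PNC user", ... instead of the customer's name.
GENERIC_GREETING_RE = re.compile(
    r"^\s*dear\s+(?:\w+\s+)?(customer|user|member|client|account holder)\b",
    re.IGNORECASE | re.MULTILINE)
# A verb asking for confirmation followed, within the same sentence, by a sensitive noun.
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(confirm|verify|update|validate)\b[^.\n]{0,80}"
    r"\b(credit card|account|password|pin|social security|details|information)\b",
    re.IGNORECASE)


def split_message(raw):
    """Split a raw message into (headers dict, body) at the first blank line."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def host_is_under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw, legitimate_domains):
    """Return human-readable red flags found in the message.

    legitimate_domains: domains the organisation named in the message really
    uses; every link that points elsewhere is reported."""
    _headers, body = split_message(raw)
    flags = []
    if GENERIC_GREETING_RE.search(body):
        flags.append("generic greeting instead of the customer's name")
    if CREDENTIAL_REQUEST_RE.search(body):
        flags.append("asks the reader to confirm/verify account or card details")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not any(host_is_under(host, d) for d in legitimate_domains):
            flags.append(f"link host {host!r} is not under the organisation's domains")
        if url.lower().startswith("http://"):
            flags.append(f"link {url!r} is plain http, not https")
    return flags


if __name__ == "__main__":
    for label, msg, domains in (("phish", SAMPLE_PHISH, {"pnc.com"}),
                                ("benign", SAMPLE_BENIGN, {"rutgers.edu"})):
        print(f"{label}:")
        for flag in phishing_indicators(msg, domains) or ["no indicators"]:
            print("  -", flag)
```

The checks are deliberately simple string heuristics; they are meant to show what "avoid email traps" looks like when written down, not to replace a mail gateway. The domain comparison is the most reliable of the four: a message that claims to come from one organisation but links to another is the single strongest indicator on the slide.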
How Does an Identity Thief Use Your Information?
• Obtains Credit Cards in your name or makes charges on your existing accounts (42%).
• Obtains Wireless or telephone equipment or services in your name (20%).
• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).
• Works in your name (9%).
• Obtains personal, student, car and mortgage loans, or cashes convenience checks in your name (7%).
• Other uses: obtains driver's license in your name.
Victims of Identity Theft
• If your identity is stolen, do the following immediately:
  – Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).
  – Contact your creditors and check your accounts.
  – File a police report.
  – File a complaint with the FTC.
Recovery
• Take back control of your identity:
  – Close any fraudulent accounts.
  – Put passwords on your accounts.
  – Change old passwords and create new PIN codes.
Prevention
Protect yourself
Protect others
Guard against fraud:
• Sign cards as soon as they arrive.
• Keep records of account numbers and phone numbers.
• Keep an eye on your card during transactions. Also be aware of who is around you: is anyone else listening?
• Check your credit report and credit card monthly statements.
Annual credit bureau report
• New Jersey residents are entitled to one free annual credit report.
• If you are denied credit, you are allowed to request one free copy of your credit report.
• Check your report for accurate information, open accounts, balance information, loan information, etc.
Credit Bureau Links
• Equifax – www.equifax.com
  – To order a report, 1-800-685-1111
  – To report fraud, 1-800-525-6285
• Experian – www.experian.com
  – To order a report, 1-888-397-3742
  – To report fraud, 1-888-397-3742
• Trans Union – www.tuc.com
  – To order a report, 1-800-916-8800
  – To report fraud, 1-800-680-7289
Have you been a Victim?
You may be a victim if:
• You are denied credit.
• You stop getting mail.
• You start getting collection calls/mail.
• You start getting new bills for accounts you do not have or services you did not authorize.
• Your bank account balance drops.
Damages
• Time
• Money
• Credit rating
• Reputation
Good Practices
• Photocopy the contents of your wallet/purse.
• Photocopy your passport (keep a copy at home and one with you when you travel).
• Empty your wallet/purse of non-essential identifiers.
• Do not use any information provided by the people who may be trying to scam you; look it up yourself.
• Shred documents before you dispose of them.
GLBA requires us to PROTECT CONSUMERS from substantial harm or inconvenience.
What can we do to guard NPI?
• Keep confidential information private.
• Use care when asking for or giving an SSN.
• Use secure disposal methods.
• Protect the privacy of data transmissions.
• Improve procedures.
Actions to prevent Others from becoming Victims
• Determine what information you need.
• Provide a secure workplace.
• Always ask for a student's ID or debtor's account number.
• Keep prying eyes away from customers' information.
• Don't expose NPI information to the outside world.
Actions to prevent Others from becoming Victims
• Take care when you provide employees' or customers' personal information to others.
• Know & explain how you handle personal information.
• Ask for written permission prior to sharing personal information.
• Report problems or concerns to managers or supervisors.
Remember to always maintain confidentiality, security and integrity:
Avoid
– unauthorized disclosure
– removing information from your office
– sharing information
– tossing information in the trash
– downloading or e-mailing information.
General Privacy
• Do not provide correcting information for account verification questions.
• Be suspicious.
• Be paranoid.
• Don't be afraid to say no when asked for information that is not required to conduct the current business transaction.
What are university assets?
Rutgers University Assets
Are customer information and records assets?
Safeguarding Information
• Information takes many forms.
• Information is stored in various ways.
• Data assets have unique risks.
Safeguarding Information
Your Role:
• Ensure Physical Security.
• Select and Protect hard to guess passwords.
• Avoid email traps and disclosures.
• Back up files.
• Log off your computer when not in use.
• Do not open emails with attachments from unknown sources.
• Obliterate data before giving up your computer.
• Recognize social engineering tactics.
Safeguarding Information
Your role as a user….
What else can you do?
Check your work area!
• Do you leave NPI reports on your desk?
• Is NPI stored in unlocked file cabinets?
• Keep computer disks secure.
• Do not save NPI on your computer C drive.
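The work-area check above, and the NPI list earlier in the deck (Social Security numbers, credit card numbers, bank account data), describe what to look for but not how to find it on a computer. The following Python script is an added example, not part of the Rutgers presentation: it scans text for SSN-shaped values and for card numbers that pass the Luhn check, and reports each hit in masked form so the report itself does not become another copy of the NPI. The sample worksheet, the test card number 4111 1111 1111 1111 (a widely used Luhn-valid test value, not a real account) and the `scan_file` helper are assumptions made for the example.

```python
import re

# Constructed sample document; none of these values belong to a real person.
SAMPLE_DOCUMENT = """Student loan worksheet (constructed sample, not real data)
Name: J. Doe   SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Reference: 1234 5678 9012 3456 (invoice number, not a card)
Call 1-800-685-1111 to order a credit report.
"""

# SSN: AAA-GG-SSSS, excluding area numbers 000, 666 and 9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers: True if the number is well formed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_npi(text):
    """Return findings as dicts with kind, offset and a masked value, in document order."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "offset": m.start(),
                         "masked": "***-**-" + m.group()[-4:]})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A digit run that fails Luhn (invoice numbers, reference ids) is not a card.
        if luhn_valid(digits):
            findings.append({"kind": "credit_card", "offset": m.start(),
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_file(path):
    """Scan one text file on disk (e.g. a worksheet saved on the C drive)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_npi(fh.read())


if __name__ == "__main__":
    for f in find_npi(SAMPLE_DOCUMENT):
        print(f"{f['kind']:12s} at offset {f['offset']:4d}: {f['masked']}")
```

The Luhn filter is what keeps the scanner usable: a plain "13 to 19 digits" pattern would flag the invoice number in the sample, while the phone number is never considered because it is too short. Only the last four digits of each hit are kept, which is enough for an owner to recognise the record and remove or relocate it.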
Safeguarding Information
Your role….
The University has many policies and procedures to help you; learn them.
University Regulations & Guidelines related to Safeguarding
Standards for University Operations Handbook
• Confidentiality
• Accounting for Financial Resources
• Acceptable Use of Network & Computing Resources:
  – Agreement for Accessing Information
  – Acceptable Use Policy
  – Guidelines for Interpretation of Acceptable Use
  – Acceptable Use Supplement
  – Basics
Potential Damages to Rutgers
• Reputation
• Violation of federal and state laws
• Fines
• Reparation costs
• Recovery costs
• Increased prevention costs
Georgia Tech's accidental release of credit card information to the internet cost them over $1,000,000.
Management’s Expectations
“Rutgers places a high level of trust in you, its faculty and staff, and requires that University assets under your control be protected and properly safeguarded from loss and misuse.”
Joanne G. Jackson, Senior V.P., October 24, 2001
Expectations
• All RU employees are responsible for securing and caring for University property, resources and other assets.
• RU relies on the attention and cooperation of every member of the community to prevent, detect and report the misuse of university assets.
Prevention
• Protect yourself
• Protect others
Safeguarding customer information and university assets is everyone’s job!