The Gramm-Leach-Bliley Act (GLBA), through the Federal Trade Commission's Safeguards Rule effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could establish standards of care for information security across all areas of data management, both electronic and physical, and for all categories of data subjects (employee, student, customer, alumni, donor, etc.). Therefore, West Virginia University at Parkersburg has adopted an Information Security Program for highly critical and private financial and related information. This Information Security Program applies to the customer financial information the University receives in the course of business, as required by GLBA, as well as to other confidential financial information included within its scope.
The purpose of this program is to:
• Ensure the security and confidentiality of customer information in compliance with applicable GLBA rules as published by the Federal Trade Commission.
• Safeguard against anticipated threats to the security or integrity of protected electronic data.
• Guard against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer.
Coordination and Responsibility of Program
The Coordinator of the Information Security Program is the Chief Information Officer of West Virginia University at Parkersburg. The Coordinator is responsible for the development, implementation, and oversight of West Virginia University at Parkersburg's compliance with the policies and procedures required by the GLBA Safeguards Rule. Although ultimate responsibility for compliance lies with the Coordinator, representatives from each operational area are responsible for implementing and maintaining the requirements of the security program within their own operation.
Information Security Governance Committee
The Information Security Governance Committee exists to ensure that this Information Security Program is kept current and to evaluate potential policy or procedural changes driven by GLBA. Committee membership may change from time to time but will at a minimum include the Chief Information Officer, the Executive Vice President of Finance & Administration, and representatives from Financial Aid, the Business Office, Records, and Faculty. Other individuals may be added as deemed necessary.
Questions regarding GLBA impacts on business processes and policies and questions regarding technical issues, risk assessments, and information technology security policy should be directed to the Coordinator of the Information Security Program.
Risk Assessment and Safeguards
There is an inherent risk in handling and storing any information that must be protected. Identifying areas of risk and maintaining appropriate safeguards reduces that risk. Safeguards cover both information systems and the storage of paper records.
The Safeguards Rule requires West Virginia University at Parkersburg and its affected units to develop a written information security plan that describes its program(s) to protect customer information. The plan must be appropriate to WVUP's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, WVUP and its affected units must:
• designate one or more employees to coordinate its information security program (the Chief Information Officer);
• identify and assess the risks to customer information in each relevant area of the University's operation, and evaluate the effectiveness of the current safeguards for controlling the identified risks;
• design and implement a safeguards program, and regularly monitor and test that program;
• select third-party vendors that can maintain appropriate safeguards, ensure that contracts with these vendors require them to maintain safeguards, and allow the University to oversee their handling of customer information;
• regularly evaluate and adjust the program in light of relevant circumstances, including changes in the University's business or operations, or the results of security testing and monitoring.
Employee Training and Education
Employees handle and have access to protected information in order to perform their job duties. This includes permanent and temporary employees as well as student employees whose job duties require them to access protected information or who work in a location where protected information is accessible. Departments are responsible for maintaining a high level of awareness of and sensitivity to safeguarding protected information and should periodically remind employees of its importance. Seemingly minor changes to office layout and practices can significantly compromise protected information if a culture of awareness is not present.
The department representative is responsible for ensuring that staff are trained in the relevant GLBA concepts and requirements. Training materials relating to GLBA and data handling are available on the web. Upon approval by the Coordinator, these training templates and other materials may be tailored by each department to reflect its individual training needs. Training may be delivered in any manner that meets the department's objectives. Departments are responsible for maintaining records of the staff who have received training and must be able to produce written copies upon request.
Oversight of Service Providers and Contracts
GLBA requires the University to take reasonable steps to select and retain service providers that maintain appropriate safeguards for covered data and information. Contracts should be reviewed to ensure the following language is included:
[Service Provider] agrees to implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of customer information and further containing each of the elements set forth in § 314.4 of the Gramm-Leach-Bliley Standards for Safeguarding Customer Information (16 C.F.R. Part 314). [Service Provider] further agrees to safeguard all customer information provided to it under this Agreement in accordance with its information security program and the Standards for Safeguarding Customer Information.
GLBA due diligence is part of contract negotiation with every service provider, including a review of the provider's security controls.
Evaluation and Revision of the Information Security Program
GLBA mandates that this Information Security Program be subject to periodic review and adjustment. The most frequent of these reviews will occur within Information Technology Security and Policy, where constantly changing technology and evolving risks call for regular review. Processes in other relevant offices of the University, such as data access procedures and training programs, should also undergo regular review.
This Information Security Program is reevaluated regularly to ensure ongoing compliance with existing and future laws and regulations.
Definitions
• Covered Component
– any area of West Virginia University at Parkersburg that is required to comply with GLBA regulations.
• CUI (Controlled Unclassified Information)
– information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
• Customer Information
– any record containing nonpublic personal information as defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution] or [its] affiliates.
• Financial Product or Service
– (i) any product or service that a financial holding company could offer by engaging in a financial activity; and
– (ii) Financial Service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.
• Non-Public Personal Information
– (i) Personally identifiable financial information and
– (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n) (1).
• Personally Identifiable Financial Information
– any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.
• Protected Information
– personally identifiable financial information or protected health information that is covered by GLBA.
• Examples of Activities the FTC is Likely to Consider as a Financial Product or Service include:
– Student (or other) loans, including receiving application information, and the making or servicing of such loans
– Financial or investment advisory services
– Credit counseling services
– Tax planning or tax preparation
– Collection of delinquent loans and accounts
– Sale of money orders, savings bonds or traveler’s checks
– Check cashing services
– Travel agency services provided in connection with financial services
– Real estate settlement services
– Money wiring services
– Issuing credit cards or long term payment plans involving interest charges
– Personal property and real estate appraisals
– Career counseling services for those seeking employment in finance, accounting or auditing
– Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products
– Obtaining information from a consumer report
– Providing or issuing annuities
Related Policies and Procedures
• Account Compromises Policy and Procedures
• Account Management Policy and Procedures
• Anti-Virus and Anti-Spam Policy
• BYOD Policy
• Data Breach Response Policy and Procedures
• Data Protection – Authorization Controls Policy
• Electronic Mail Policy
• Internet Usage Policy
• Multi-Factor Authentication Policy
• Password Policy
• Privileged Accounts Policy