Protecting Non-Public, Personal Information Under the Gramm-Leach-Bliley Act
Greg Brady, Assistant University Counsel; firstname.lastname@example.org@niu.edu; Phone 753-2621
Last Updated 5/5/04 – Please contact Greg about updates to this presentation before relying on the content contained within.
Identity Theft and Consumer Fraud
From a January 23, 2004 MSNBC Article:
Americans reported losses of $437 million last year to identity theft and Internet fraud.
The FTC has received more than half a million complaints in the last four years.
Consumers lost an average of $1,868 per consumer fraud incident.
The FTC estimates that 1 in 8 U.S. adults were affected by identity theft last year.
For more information on Identity Theft, please see http://www.consumer.gov/idtheft/
Gramm-Leach-Bliley Act (GLB)
The Act requires “financial institutions” to safeguard customers’ nonpublic, personal information.
Customers of NIU include students, employees, applicants, and other third parties as well.
The NIU Interim Security Plan Coordinator is Ken Davidson, Associate Vice President and General Counsel.
University Legal Services, 302 Lowden Hall, Northern Illinois University, DeKalb, IL 60115; Phone: 753-1774; Fax: 753-8686; www.niu.edu/legalservices/
Technical Support questions should be directed to your respective IT professional.
Related Laws
The Family Educational Rights and Privacy Act of 1974 (FERPA), which deals with the protection of student education records.
–See the training session presented by Sheri Kallembach of Registration and Records.
Health Insurance Portability and Accountability Act of 1996 (HIPAA), which deals with the protection of protected health information that is transmitted electronically.
Illinois Freedom of Information Act (FOIA)
–If you receive a FOIA request, or any other legal document, do not sign for it yourself. Instead, please direct that individual to the Office of University Legal Services.
GLB Motto: If you collect or have access to it, then protect it!!!
If you are unsure, err on the side of caution and do not hand over the information.
Strive for best practices.
Incident Response
Individuals who are aware of any attempted or actual unauthorized access to “customer information” are required to report such incidents to the ITS Customer Support Center at 815-753-8100.
Callers should state that they would like to report a GLB incident and ask that IT Security be notified.
Use firstname.lastname@example.org for e-mail reporting.
For ITS Policies, see http://www.its.niu.edu/its/Policies/policies_index.shtml
What type of information must I protect?
Names
Addresses
Phone numbers
Bank and credit card account numbers
Income and credit histories
Social Security Numbers
Other financial and tax information
–regardless of whether it is in paper or electronic form
Financial Activities (12 USC 1843(k))
This broad definition includes:
–Leasing real or personal property or advising in such leasing
–Financial advisory activities, including management consulting and counseling activities
–Tax planning, preparation and advising
Universities conduct these activities:
–Extension of credit (student loans)
–Debt collecting (of student loans)
Whose information must I protect?
Students (because of student loans, primarily)
NIU Employees
Applicants
Other third parties
GLB does not cover business entities (e.g., FEIN numbers), BUT this training can still be used to protect that information.
Safeguarding electronic customer information
Use encryption technology to send and receive information electronically; SSL (https://...).
Only send the information that is absolutely necessary; e.g., a Social Security Number can be represented as ***-**-5678.
Be careful when replying to or forwarding e-mails that contain customer information.
Never give out your username and password to anyone, even your student workers!
Never leave your user name or password near your computer, like on post-its.
Do not leave your computer unlocked when not at your desk; e.g., CTRL+ALT+DEL, then “Lock Workstation.”
Turn computer screens away from visitors.
Only log in as Administrator when necessary.
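As an added example (not part of the presentation), a small Python helper that reduces Social Security Numbers in outgoing text to the ***-**-5678 form shown above before a reply or forward goes out; the plausibility check is an assumption added here so that other nine-digit values (loan or invoice numbers) are left alone, and the sample e-mail body is constructed.

```python
import re
from typing import Tuple

# Matches a 9-digit SSN written as 123-45-6789, 123 45 6789 or 123456789.
# The \b anchors stop it from matching inside longer digit runs such as
# bank account numbers, and 7- or 10-digit phone numbers never fit 3-2-4.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Filter out 9-digit values the SSA never issues (area 000, 666 or
    900-999, group 00, serial 0000) so loan or invoice numbers that happen
    to be 9 digits long are not mangled. (Assumed filter, added here.)"""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask_ssns(text: str) -> Tuple[str, int]:
    """Return the text with every plausible SSN reduced to ***-**-NNNN
    (the form shown on the slide) and the number of values masked."""
    masked = 0

    def _mask(m: "re.Match[str]") -> str:
        nonlocal masked
        area, group, serial = m.groups()
        if not looks_like_ssn(area, group, serial):
            return m.group(0)          # not an SSN: keep the original digits
        masked += 1
        return f"***-**-{serial}"

    return SSN_RE.sub(_mask, text), masked


# Constructed sample reply body, not taken from the presentation.
SAMPLE_EMAIL = (
    "Student 123-45-6789 asked about loan 987654321; call 815-753-8100. "
    "Alternate forms on file: 123 45 6789 and 123456789."
)

if __name__ == "__main__":
    body, n = mask_ssns(SAMPLE_EMAIL)
    print(f"{n} SSN(s) masked:\n{body}")
```

The loan number and the phone number survive untouched; only the three SSN spellings are masked.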
Safeguarding hard copy customer information (i.e., paper documents)
Do not leave customer information lying about.
Limit access to paper documents to those NIU employees with a legitimate business reason to know the information contained within.
Paper records with customer information must be placed in locked storage units that are protected against destruction and damage; e.g., fires and floods.
Avoid placing filing cabinets and other storage spaces in easily accessible places; e.g., common hallways. Instead, place them behind desks or away in an office.
When disposing of documents, pursuant to the Illinois State Records Act, shred those with customer information rather than just placing them in the trash.
Pre-text Calling and Phishing
“Pre-text calling” or “social engineering” is a method people may use to support their claim that they are calling from an official source; e.g., the “low mortgage rate” example.
“Phishing” is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft (e.g., Ebay).
Always confirm/verify who you are dealing with before turning over any information.
Verify the status of all NIU vendors with University Legal Services.
Never confirm information for callers or requestors. Refer requestors to the NIU online directory at www.niu.edu/directory.shtml.
Office Procedures
Check references and conduct background checks on new hires.
Use confidentiality agreements.
Limit access to customer information to employees with a legitimate business reason to know.
Back up customer information.
Store customer information on machines that are not connected to the Internet or the network.
Check with your respective IT professional about the Big 3:
–Anti-virus software
–Firewall protection
–Periodic software updates
Continuously train and remind employees, even student workers, on how to safeguard customer information.
Report all unauthorized access to customer information to ITS and University Legal Services immediately.
Office Procedures (Cont)
Work at home – inform your IT professional.
For home computers, remember the Big 3:
–Anti-virus software
–Firewalls
–Periodic software updates (see windowsupdate.microsoft.com/default.html)
Consider Spyware Detection Software
–Adaware - http://www.lavasoftusa.com/
–Spybot - http://www.safer-networking.org/
Beware of Instant Messaging (IM) Software:
–Typically unencrypted and no antivirus protection
Use VPN (Virtual Private Network) software when remotely connecting to the NIU network, especially by wireless technology.
–www.its.niu.edu/its/csupport/vpn/default.html
Never open attachments from “strangers.”
–Confirm with the sender
–Scan attachments with anti-virus
–Beware of e-mail “spoofing”
–Beware of virus hoaxes (e.g., the jdbgmgr.exe hoax)
Choose “hard-to-guess” passwords.
It may be futile to remove your e-mail from spam/junk mail lists.
Email Notifications
The US Computer Emergency Readiness Team - http://www.us-cert.gov/index.html
Microsoft Windows Security E-Mail Updates - http://www.microsoft.com/security/
–BUT…I recommend actually updating your software from the following sites:
http://v4.windowsupdate.microsoft.com/en/default.asp
http://office.microsoft.com/officeupdate/
Remember other software like Realplayer or MAC OS.
Office Procedures (Cont)
Disposal of records with customer information
–Follow the Illinois State Records Act
–For general questions, call June Bocklund at 753-1896 or Deborah Kern at 753-6130 from the Accounting Office
Disposal of hardware
–IL law requires that all hard drives be wiped clean before being discarded by the University
–For proper procedures, please see www.its.niu.edu/its/downloads/wipedisk.shtml
Maintain an inventory of your computers and filing systems, and use periodic auditing procedures.
Two-factor authentication for access to records
–Something employees have (like an ID card)
–Something employees know (like a password)
GLB Motto: If you collect or have access to it, then protect it!!!
If unsure, do not hand over the information.
Incident Response: Contact ITS Customer Support at 753-8100, and ask them to notify IT Security of the GLB incident.
Requests for Information
Requests by Law Enforcement Officials or Authorities…
–Please call the NIU Department of Public Safety at 753-1212.
Requests pursuant to other legal documents (i.e., subpoenas, summons, FOIA requests)…
–Please call University Legal Services at 753-1774.