University of Minnesota Gramm-Leach-Bliley Act (GLBA) Implementation of the Safeguards Rule Information Security Program University of Minnesota (Adapted from the Federal Trade Commission website and Purdue University materials.)
Preamble The GLBA is in addition to other privacy laws. The University must appropriately safeguard all private financial and other information, regardless of whether it is obligated to do so under the GLBA. In other words, the University’s focus should be to protect all private data rather than to identify which particular law applies (GLBA, HIPAA, FERPA) in any given situation.
The University of Minnesota seeks to: Ensure the security and confidentiality of customer records and information – in paper, electronic or other form. Protect against any anticipated threats or hazards to the security or integrity of such records. Protect against unauthorized access to or use of any records or information which could result in substantial harm or inconvenience to any customer.
Training Objectives: Understand the applicability of GLBA and the Federal Trade Commission’s Safeguards Rule. Understand what “customer information” is protected and why. Understand the different types of safeguards. Understand the roles and responsibilities of all parties. Provide resources for additional questions.
What is GLBA? The Gramm-Leach-Bliley Act (GLBA) is a Federal law which requires “financial institutions” to ensure the security and confidentiality of the nonpublic personal information of customers. To the extent colleges and universities offer “financial products or services” - primarily student loan activities – they are considered covered financial institutions. The Federal Trade Commission (FTC) implemented GLBA by issuing two rules: the Privacy Rule and the Safeguards Rule. Colleges and universities are deemed in compliance with the Privacy Rule if they already comply with the Family Educational Rights to Privacy Act (FERPA). The University of Minnesota must take active steps to comply with the Safeguards Rule.
What is the FTC Safeguards Rule? Only applies to information about a consumer who is a “customer” of a financial institution (defined in next slide). The Safeguards Rule requires “financial institutions” to develop an Information Security Program (ISP) that includes five required components: Designate a Program Coordinator (currently the Controller’s Office). Conduct a risk assessment to identify reasonably foreseeable internal and external risks. Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards. Oversee selection and retention of service providers who handle or maintain customer information, including contractual requirement to safeguard the data. Evaluate and adjust the program in light of relevant circumstances and changes in the business.
What is “Customer Information”? Any record containing nonpublic personal information about a customer, obtained in connection with offering a “financial product or service” that is handled or maintained by or on behalf of the University. Examples include: Social security numbers. Bank account numbers. Credit card account numbers. Account balances; payment histories; credit ratings; income histories. Drivers license information. Tax return information. Personal data connected to financial data (name, address, birthday).
Customer Information (cont’d.) GLBA applies to customer information obtained in a variety of situations, including: Information provided by the customer to obtain a financial product or service. Information about a customer resulting from any transaction involving a financial product or service between the University and a customer. Information otherwise obtained about a customer in connection with providing a financial product or service to the customer. Nonpublic personal information received by a University department that does not directly provide a financial product or service. Example: financial aid information handled or maintained by a college/unit that does not directly make student loans.
Examples of Activities Not Covered Under the University’s GLBA Security Plan: The following are examples of activities not subject to the GLBA. Payments for merchandise. Services that are not “financial services or products”: health insurance; facilities rentals; administration of student health benefit plan; transfer retirement plan withholdings; administration of employee retirement/benefit plans.
Information Security Program Coordinated by Controller’s Office. Requires applicable departments/units to: Name a contact person. Conduct risk assessment (guidance template provided). Design, monitor and test safeguards. Oversee service providers. Evaluate and adjust safeguards in response to monitoring and testing activities and material changes that may affect the adequacy of current safeguards. A Guidance Template and FTC compliance guide are available on the Controllers Office website.
Risk Assessment Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alternation, destruction or other compromise of such information, and assess the safeguards currently in place to control these risks. The risk assessment should consider each relevant area of operations, at a minimum: employee training and management, information systems, including network and software design, information processing, storage, transmission and disposal, and detecting, preventing and responding to attacks, intrusions or other systems failures. A Guidance Template and FTC compliance guide are available on the Controllers Office website.
Safeguards Design and implement safeguards to control risks identified in the Risk Assessment. Three types of safeguards that must be considered: Administrative Physical Technical Regularly test or monitor the effectiveness of the safeguards’ key controls, systems and procedures. Departments are responsible for ensuring adequate safeguards are in place within their area. A Guidance Template and FTC compliance guide are available on the Controllers Office website.
Examples of Administrative Safeguards* Administrative safeguards are generally within the direct control of a department and may include: Checking references on potential employees. Training employees on basic steps they must take to protect customer information. Ensuring that employees are knowledgeable about applicable policies and expectations. Limiting access to customer information to employees who have a business need to see it. Reducing exposure to the Safeguards Rule by requesting customer information only when it is required to conduct departmental activities. Imposing disciplinary measures where appropriate. * Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.
Examples of Physical Safeguards* Physical safeguards are also generally within a department’s control and may include: Locking rooms and file cabinets where customer information is kept. Using password activated screensavers. Using strong passwords. Changing passwords periodically and not sharing or writing them down. Encrypting sensitive customer information transmitted electronically. Referring calls or requests for customer information to staff trained to respond to such requests. Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies. * Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.
Physical Safeguards (cont’d.) Ensuring that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods. Storing records in a secure area and limiting access to authorized employees. Disposing of customer information appropriately: Designate a trained staff member to supervise the disposal of records containing customer personal information. Shred or recycle customer information recorded on paper and store it in a secure area until the recycling service picks it up. Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information. Promptly dispose of outdated customer information within record retention policies.
Examples of Technical Safeguards Technical safeguards are generally the responsibility of central OIT personnel or departmental computing staff. Departments, however, should be knowledgeable about how their electronic customer information is safeguarded. If additional controls are warranted, departments should work with OIT to improve safeguards. Departments are responsible for alerting OIT to the existence of customer information on networks.
Technical Safeguards (cont.)* Technical safeguards include: Storing electronic customer information on a secure server that is accessible only with a password - or has other security protections - and is kept in a physically-secure area. Avoiding storage of customer information on machines with an Internet connection. Maintaining secure backup media and securing archived data. Using anti-virus software that updates automatically. Obtaining and installing patches that resolve software vulnerabilities. Following written contingency plans to address breaches of safeguards. Maintaining up-to-date firewalls particularly if the institution uses broadband Internet access or allows staff to connect to the network from home. Providing central management of security tools and keeping employees informed of security risks and breaches. * Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.
Specific Technical Safeguards re: Guidelines for Providing Secure Data Transmission If you collect credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit. If you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail. If you must transmit sensitive data by electronic mail, encryption, although difficult to do, is necessary.
Specific Technical Safeguards re: Managing System Failures Effective security management includes the prevention, detection and response to attacks, intrusions and other system failures, including steps mentioned earlier and: Backing up data regularly and storing back-up information offsite. Imaging documents. Shredding paper copies after imaging. Other reasonable measures to protect the integrity and safety of information systems.
Oversee Service Providers Managers must only hire and retain service providers who are capable of safeguarding customer data they handle or maintain on behalf of the University. Managers who have concerns about an existing service provider should contact OGC. The University Purchasing department requires service providers who handle or maintain customer data and have contracts > $50,000 to complete a GLBA form verifying compliance with the Safeguards Rule. OGC can assist departments with contract language to require Safeguard Rules compliance by service providers with contract under.
Evaluate and Adjust Your Safeguards Evaluate and adjust safeguards and practices in light of results of: System testing and monitoring. Material changes to operations or business arrangements. Any other circumstance that you know or have reason to know may have a material impact on your safeguards.
Roles and Responsibilities: Information Security Program Coordinator Maintain the primary Information Security Program document for the University. Evaluate and adjust the Information Security Program based on annual compliance certification information from colleges and major administrative units, and as conditions change. Provide training and support documents to assist colleges and administrative units to comply with the Safeguards Rule. Submit an annual report to the Controller on the status of the Information Security Program, noting any changes to the Program. The Coordinator will include a current list of colleges and major administrative units and identify concerns or gaps in compliance noted on annual compliance certification forms.
Roles and Responsibilities (cont’d.): RRC Managers: Designate a key contact to work with the ISP Coordinator on all GLBA Safeguards Rule matters. Ensure that the key contact carries out periodic risk assessments and monitors the identified risks in your area. Establish and adhere to policies, standards and guidelines for the safeguarding of private data, and ensure the employees with access to covered data do the same. Ensure that new employees are made aware of the University’s Information Security Program and its safeguarding requirements. Employees with Access to Covered Data: Adhere to policies, standards and guidelines for the safeguarding of private data.
Roles and Responsibilities (cont’d.): Chief Information Officer: Designate individuals who have responsibility and authority for information technology resources. Establish and disseminate rules regarding access to and acceptable use of information technology resources. Establish reasonable security measures to protect data and systems. Monitor and manage system resource usage. Investigate problems and alleged violations of information technology policies. Refer violations to appropriate University offices (Office of General Counsel; University Police Department).
Resources University Resources: Federal Trade Commission Resources: Controllers Office website Public Access to University Information Internal Access to University Information Acceptable Use of Information Technology Resources Financial Data and Systems Security Managing Student Records Securing Private Data, Computers, and Other Electronic Devices Managing University Records and Information Federal Trade Commission Resources: Complying with the Safeguards Rule
Key Contacts Your department manager for specific procedural questions in your area. The Controller’s Office for questions on applicability of the GLBA Safeguards Rule to your situation: Contact finsys@umn.edu or 612-624-1617 OIT for help with computer security issues: Contact abuse@umn.edu or 1-HELP (1-4357)