Gramm-Leach-Bliley Act (GLBA) Implementation of the Safeguards Rule

Information Security Program

University of Minnesota (Adapted from the Federal Trade Commission website and Purdue University materials.)


Preamble

The GLBA is in addition to other privacy laws.

The University must appropriately safeguard all private financial and other information, regardless of whether it is obligated to do so under the GLBA.

In other words, the University’s focus should be to protect all private data rather than to identify which particular law applies (GLBA, HIPAA, FERPA) in any given situation.


The University of Minnesota seeks to:

• Ensure the security and confidentiality of customer records and information, in paper, electronic or other form.

• Protect against any anticipated threats or hazards to the security or integrity of such records.

• Protect against unauthorized access to or use of any records or information which could result in substantial harm or inconvenience to any customer.


Training Objectives:

• Understand the applicability of GLBA and the Federal Trade Commission’s Safeguards Rule.

• Understand what “customer information” is protected and why.

• Understand the different types of safeguards.

• Understand the roles and responsibilities of all parties.

• Provide resources for additional questions.


What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) is a Federal law which requires “financial institutions” to ensure the security and confidentiality of the nonpublic personal information of customers.

To the extent colleges and universities offer “financial products or services” (primarily student loan activities), they are considered covered financial institutions.

The Federal Trade Commission (FTC) implemented GLBA by issuing two rules: the Privacy Rule and the Safeguards Rule.

Colleges and universities are deemed in compliance with the Privacy Rule if they already comply with the Family Educational Rights and Privacy Act (FERPA).

The University of Minnesota must take active steps to comply with the Safeguards Rule.


What is the FTC Safeguards Rule?

The Safeguards Rule only applies to information about a consumer who is a “customer” of a financial institution (defined in next slide).

The Safeguards Rule requires “financial institutions” to develop an Information Security Program (ISP) that includes five required components:

1. Designate a Program Coordinator (currently the Controller’s Office).

2. Conduct a risk assessment to identify reasonably foreseeable internal and external risks.

3. Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards.

4. Oversee selection and retention of service providers who handle or maintain customer information, including contractual requirement to safeguard the data.

5. Evaluate and adjust the program in light of relevant circumstances and changes in the business.


What is “Customer Information”?

Any record containing nonpublic personal information about a customer, obtained in connection with offering a “financial product or service” that is handled or maintained by or on behalf of the University.

Examples include:

• Social security numbers.

• Bank account numbers.

• Credit card account numbers.

• Account balances; payment histories; credit ratings; income histories.

• Driver’s license information.

• Tax return information.

• Personal data connected to financial data (name, address, birthday).


Customer Information (cont’d.)

GLBA applies to customer information obtained in a variety of situations, including:

• Information provided by the customer to obtain a financial product or service.

• Information about a customer resulting from any transaction involving a financial product or service between the University and a customer.

• Information otherwise obtained about a customer in connection with providing a financial product or service to the customer.

• Nonpublic personal information received by a University department that does not directly provide a financial product or service.

» Example: financial aid information handled or maintained by a college/unit that does not directly make student loans.


Examples of Activities Not Covered Under the University’s GLBA Security Plan:

The following are examples of activities not subject to the GLBA.

• Payments for merchandise.

• Services that are not “financial services or products”:

» health insurance;

» facilities rentals;

» administration of student health benefit plan;

» transfer retirement plan withholdings;

» administration of employee retirement/benefit plans.


Information Security Program

The Information Security Program is coordinated by the Controller’s Office.

It requires applicable departments/units to:

• Name a contact person.

• Conduct risk assessment (guidance template provided).

• Design, monitor and test safeguards.

• Oversee service providers.

• Evaluate and adjust safeguards in response to monitoring and testing activities and material changes that may affect the adequacy of current safeguards.

A Guidance Template and FTC compliance guide are available on the Controller’s Office website.


Risk Assessment

Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the safeguards currently in place to control these risks. The risk assessment should consider each relevant area of operations, at a minimum:

• employee training and management,

• information systems, including network and software design, information processing, storage, transmission and disposal, and

• detecting, preventing and responding to attacks, intrusions or other systems failures.

A Guidance Template and FTC compliance guide are available on the Controller’s Office website.


Safeguards

Design and implement safeguards to control risks identified in the Risk Assessment. Three types of safeguards must be considered:

• Administrative

• Physical

• Technical

Regularly test or monitor the effectiveness of the safeguards’ key controls, systems and procedures.

Departments are responsible for ensuring adequate safeguards are in place within their area.

A Guidance Template and FTC compliance guide are available on the Controller’s Office website.


Examples of Administrative Safeguards*

Administrative safeguards are generally within the direct control of a department and may include:

• Checking references on potential employees.

• Training employees on basic steps they must take to protect customer information.

• Ensuring that employees are knowledgeable about applicable policies and expectations.

• Limiting access to customer information to employees who have a business need to see it.

• Reducing exposure to the Safeguards Rule by requesting customer information only when it is required to conduct departmental activities.

• Imposing disciplinary measures where appropriate.

* Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.


Examples of Physical Safeguards*

Physical safeguards are also generally within a department’s control and may include:

• Locking rooms and file cabinets where customer information is kept.

• Using password activated screensavers.

• Using strong passwords.

• Changing passwords periodically and not sharing or writing them down.

• Encrypting sensitive customer information transmitted electronically.

• Referring calls or requests for customer information to staff trained to respond to such requests.

• Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.

* Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.


Physical Safeguards (cont’d.)

• Ensuring that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods.

• Storing records in a secure area and limiting access to authorized employees.

• Disposing of customer information appropriately:

» Designate a trained staff member to supervise the disposal of records containing customer personal information.

» Shred or recycle customer information recorded on paper and store it in a secure area until the recycling service picks it up.

» Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information.

» Promptly dispose of outdated customer information within record retention policies.


Examples of Technical Safeguards

Technical safeguards are generally the responsibility of central OIT personnel or departmental computing staff. Departments, however, should be knowledgeable about how their electronic customer information is safeguarded. If additional controls are warranted, departments should work with OIT to improve safeguards.

Departments are responsible for alerting OIT to the existence of customer information on networks.


Technical Safeguards (cont.)*

Technical safeguards include:

• Storing electronic customer information on a secure server that is accessible only with a password (or has other security protections) and is kept in a physically secure area.

• Avoiding storage of customer information on machines with an Internet connection.

• Maintaining secure backup media and securing archived data.

• Using anti-virus software that updates automatically.

• Obtaining and installing patches that resolve software vulnerabilities.

• Following written contingency plans to address breaches of safeguards.

• Maintaining up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home.

• Providing central management of security tools and keeping employees informed of security risks and breaches.

* Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.


Specific Technical Safeguards re: Guidelines for Providing Secure Data Transmission

If you collect credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit.

If you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail.

If you must transmit sensitive data by electronic mail, encryption, although difficult to do, is necessary.


Specific Technical Safeguards re: Managing System Failures

Effective security management includes the prevention, detection and response to attacks, intrusions and other system failures, including steps mentioned earlier and:

» Backing up data regularly and storing back-up information offsite.

» Imaging documents.

» Shredding paper copies after imaging.

» Other reasonable measures to protect the integrity and safety of information systems.


Oversee Service Providers

Managers must only hire and retain service providers who are capable of safeguarding customer data they handle or maintain on behalf of the University.

Managers who have concerns about an existing service provider should contact OGC.

The University Purchasing department requires service providers who handle or maintain customer data and have contracts > $50,000 to complete a GLBA form verifying compliance with the Safeguards Rule.

OGC can assist departments with contract language to require Safeguard Rules compliance by service providers with contract under.



Evaluate and Adjust Your Safeguards

Evaluate and adjust safeguards and practices in light of results of:

• System testing and monitoring.

• Material changes to operations or business arrangements.

• Any other circumstance that you know or have reason to know may have a material impact on your safeguards.


Roles and Responsibilities:

Information Security Program Coordinator

• Maintain the primary Information Security Program document for the University.

• Evaluate and adjust the Information Security Program based on annual compliance certification information from colleges and major administrative units, and as conditions change.

• Provide training and support documents to assist colleges and administrative units to comply with the Safeguards Rule.

• Submit an annual report to the Controller on the status of the Information Security Program, noting any changes to the Program. The Coordinator will include a current list of colleges and major administrative units and identify concerns or gaps in compliance noted on annual compliance certification forms.


Roles and Responsibilities (cont’d.):

RRC Managers:

• Designate a key contact to work with the ISP Coordinator on all GLBA Safeguards Rule matters.

• Ensure that the key contact carries out periodic risk assessments and monitors the identified risks in your area.

• Establish and adhere to policies, standards and guidelines for the safeguarding of private data, and ensure the employees with access to covered data do the same.

• Ensure that new employees are made aware of the University’s Information Security Program and its safeguarding requirements.

Employees with Access to Covered Data:

• Adhere to policies, standards and guidelines for the safeguarding of private data.


Roles and Responsibilities (cont’d.):

Chief Information Officer:

• Designate individuals who have responsibility and authority for information technology resources.

• Establish and disseminate rules regarding access to and acceptable use of information technology resources.

• Establish reasonable security measures to protect data and systems.

• Monitor and manage system resource usage.

• Investigate problems and alleged violations of information technology policies.

• Refer violations to appropriate University offices (Office of General Counsel; University Police Department).


Resources

University Resources:

Controller’s Office website

Public Access to University Information

Internal Access to University Information

Acceptable Use of Information Technology Resources

Financial Data and Systems Security

Managing Student Records

Securing Private Data, Computers, and Other Electronic Devices

Managing University Records and Information

Federal Trade Commission Resources:

Complying with the Safeguards Rule


Key Contacts

Your department manager for specific procedural questions in your area.

The Controller’s Office for questions on applicability of the GLBA Safeguards Rule to your situation:

Contact [email protected] or 612-624-1617

OIT for help with computer security issues:

Contact [email protected] or 1-HELP (1-4357)