Slide 1
UCA Gramm-Leach-Bliley Act (GLBA) Safeguards Rule Compliance Training
Effective June 12, 2018
Adapted from materials published by the Federal Trade Commission (FTC) and the University of Minnesota

Slide 2
Training Objectives
To provide information to the UCA campus community and customers regarding:
What is the Safeguards Rule and why it applies to UCA
How the Safeguards Rule differs from FERPA
What information is covered by the Safeguards Rule
What is required of UCA to comply
Examples of safeguards
How UCA is complying

Slide 3
What is GLBA?
GLBA was passed in 1999 and is intended "to protect consumers & customers who obtain 'financial products or services to be used primarily for personal or other household purposes.'" (Choroszy, "Beyond FERPA")
Because it complies with FERPA, UCA is exempt from the privacy regulations in GLBA. (16 CFR 313.1(b))
However, compliance with FERPA is not an exemption from the Safeguards Rule; UCA and other colleges and universities are required to comply. (Schneider, "ED Proposes Auditing Safeguards Rule Compliance")

Slide 4
How is GLBA different from FERPA?
FERPA relates to students' educational records, including their right to access and inspect them, what types of records can be disclosed and to whom, etc. (http://uca.edu/registrar/ferpa/)
The GLBA Safeguards Rule pertains to nonpublic personal information, which is typically limited to an individual's financial information obtained in connection with a financial product or service. (FTC, "Financial Institutions and Customer Information")
The University's efforts should be aimed at ensuring the protection of all student, faculty, staff, and customer private data regardless of the applicable regulation (e.g., FERPA, HIPAA, GLBA).

Slide 5
What are the objectives of the Safeguards Rule?
Ensure the security and confidentiality of customer information;
Protect against any anticipated threats or hazards to the security or integrity of such information; and
Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Source: 16 CFR 314.3(b)

Slide 6
Why is UCA required to comply?
GLBA applies to financial institutions' protection of customer information; colleges and universities are considered financial institutions under the Safeguards Rule primarily because they offer student loans, though other activities may also be covered. (Schneider, "ED Proposes Auditing Safeguards Rule Compliance")
In the Program Participation Agreement (PPA) UCA has with the U.S. Department of Education, UCA agrees to comply with the Standards for Safeguarding Customer Information issued by the FTC (a specific GLBA provision added in 2015). (U.S. Dept. of Education, DCL GEN-16-12, July 1, 2016)

Slide 7
What type(s) of information is covered?
Personally identifiable financial information obtained in connection with a financial product or service offered or serviced by or on behalf of the University, including:
Account balances
Account numbers
Debit/credit card numbers
Income and payment history
Credit score or rating
Social Security number
Internet service provider address
Name, address, and other information provided on a loan application
Important: This list is not comprehensive. Please direct any questions on whether information is covered by the Safeguards Rule to your department manager.
Source: 16 CFR 313.3(o)(2)(i)

Slide 8
Customer Information
Personally identifiable financial information (see previous slide) obtained in the following situations is covered by the Safeguards Rule:
Information provided by a customer to obtain a financial product or service (e.g., a loan or a long-term payment plan with interest);
Information about a customer resulting from a transaction involving a financial product or service between the customer and the University; and
Information otherwise obtained about a customer in connection with providing a financial product or service to that customer.
Important: Departments that accept loan or other applications for credit and then forward them to another office, such as the Office of Student Financial Aid, are required to protect such information.
Source: 16 CFR 313.3(o)(1)

Slide 9
Examples of activities not covered
Customer use of a University ATM to withdraw funds, check account balances, etc.
Offering and/or servicing deferred payments or short-term payment plans without interest
Solely accepting payment by cash, check, or debit/credit card that the University did not issue
Renting a University facility
Payments for merchandise (e.g., books, clothing, etc.)
Important: In general, financial products or services are those that would typically be offered by a financial institution, such as loans, investment/retirement accounts (e.g., IRA), insurance products, etc.
Source: 16 CFR 313.3(i)(2)(ii) and the University of Minnesota

Slide 10
What is required of UCA?
The Safeguards Rule requires financial institutions to develop and maintain an Information Security Program (ISP), which must include:
A designated ISP Coordinator (currently the Vice President for Finance & Administration or designee);
A risk assessment to identify internal and external threats to customer information;
Implementation and monitoring of safeguards to control threats to customer information identified in the risk assessment;
An evaluation and adjustment of the ISP due to changing circumstances or business operations; and,
Actions to oversee third-party service providers to ensure they are capable of adequately safeguarding customer information
Source: 16 CFR 314

Slide 11
Risk Assessment Requirements
The University's identification & assessment of risks to customer information should address, at a minimum, the following:
Employee training & management;
Information systems, including network & software design, as well as information processing, storage, transmission, & disposal; and
Detecting, preventing, & responding to attacks, intrusions, or other systems failures
Source: 16 CFR 314.4(b)

Slide 12
Examples of safeguards
Reference checks/background checks on new employees who will be accessing customer information;
Having new employees sign an agreement to follow the institution's confidentiality and security standards for customer information;
Limiting access to customer information to employees who have a business need/reason to access it;
Requiring "strong" passwords (minimum number of characters; combination of letters, numbers, and symbols; etc.);
Appropriate use policies for technology devices, including mobile devices; and
Immediately deactivating login credentials for terminated employees to prevent unauthorized network access.
Source: FTC, "Financial Institutions and Customer Information"

Slide 13
Examples of safeguards (cont.)
Ensuring only authorized employees have access to physical records containing customer information;
Ensuring customer information is transmitted over a secure connection and/or encrypted;
Properly disposing of customer information by shredding or another suitable method;
Erasing or wiping data from technology devices containing customer information prior to disposal;
Keeping network activity logs and monitoring them for unauthorized network access; and
Utilizing an intrusion detection system (IDS) to alert the institution to attempted network attacks.
Source: FTC, "Financial Institutions and Customer Information"

Slide 14
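Two of the safeguards listed on the preceding slides are checkable against logs: that terminated employees' credentials were actually deactivated (so no successful login by such an account should appear), and that network activity logs are monitored for unauthorized access attempts (the kind of burst an IDS would alert on). The script below is an added example written for this page; it is not UCA's, the FTC's, or the University of Minnesota's tooling. The syslog-style line format, the sample log lines, and the terminated-account list are all constructed for illustration and would be replaced by the real log source and the HR-provided account list.

```python
"""Review authentication logs for two Safeguards Rule controls.

Added example (not UCA's tooling). Checks:
  1. successful logins by accounts that should have been deactivated;
  2. bursts of failed logins from one source address (attempted attack).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like format (not real logs).
SAMPLE_LOG = """\
2018-06-12T08:01:10 authsrv sshd: Accepted password for jsmith from 10.20.30.41
2018-06-12T08:02:15 authsrv sshd: Failed password for admin from 203.0.113.7
2018-06-12T08:02:16 authsrv sshd: Failed password for admin from 203.0.113.7
2018-06-12T08:02:17 authsrv sshd: Failed password for root from 203.0.113.7
2018-06-12T08:02:19 authsrv sshd: Failed password for jsmith from 203.0.113.7
2018-06-12T08:02:21 authsrv sshd: Failed password for bbrown from 203.0.113.7
2018-06-12T08:30:00 authsrv sshd: Accepted password for bbrown from 10.20.30.55
2018-06-12T09:10:42 authsrv sshd: Failed password for jsmith from 10.20.30.41
2018-06-12T09:11:03 authsrv sshd: Accepted password for jsmith from 10.20.30.41
"""

# Hypothetical list of accounts HR reported as terminated before the log window.
TERMINATED_ACCOUNTS = {"bbrown"}

# Assumed line layout: "<ISO timestamp> <host> sshd: <Accepted|Failed> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production parser should count and report these
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def terminated_logins(events, terminated):
    """Successful logins by accounts whose credentials should have been deactivated."""
    return [e for e in events if e["result"] == "Accepted" and e["user"] in terminated]


def failed_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with at least `threshold` failed logins inside a sliding window.

    Returns {ip: peak failure count within any one window}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


def review(log_text, terminated, threshold=5):
    """Run both checks and return a report suitable for a ticket or alert."""
    events = parse(log_text)
    return {
        "terminated_logins": [(e["user"], e["ip"]) for e in terminated_logins(events, terminated)],
        "failed_bursts": failed_bursts(events, threshold=threshold),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, TERMINATED_ACCOUNTS)
    for user, ip in report["terminated_logins"]:
        print(f"ALERT: terminated account {user} logged in from {ip}")
    for ip, n in report["failed_bursts"].items():
        print(f"ALERT: {n} failed logins from {ip} within one minute")
```

On the sample data the first check flags the login by the terminated account, and the second flags the five failures from 203.0.113.7; the single failed attempt from 10.20.30.41 followed by a success is ordinary user error and is left alone. Threshold and window are deliberately parameters, since the right values depend on the system's normal traffic.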
How UCA is complying
The University has:
Developed an Information Security Program (ISP) outlining the requirements of the Safeguards Rule and the roles and responsibilities of the ISP Coordinator and campus departments;
Created a two-page reference guide on the types of information and activities that may be covered;
Created a questionnaire to determine which campus areas handle covered information and how it is protected;
Created a certification form for departments/administrative units to attest to compliance; and
Provided links to applicable University policies and external resources for additional information on the Safeguards Rule.

Slide 15
Resources
Information Security Program (ISP) – contains the requirements of the Safeguards Rule and how the University is complying
Safeguards Rule Examples – a short reference guide of activities and information that may be covered under the Safeguards Rule
Safeguards Rule Compliance Training – this PowerPoint® providing an overview of the Safeguards Rule and how UCA is complying
Safeguards Rule Compliance Questionnaire – required to be completed annually by departments handling customer information covered under the Safeguards Rule. It helps determine whether appropriate safeguards are in place.
Safeguards Rule Certification Form – required to be completed annually by departments handling customer information covered under the Safeguards Rule. It demonstrates that the requirements for compliance have been satisfied.

Slide 16
Contacts
For questions on procedures and information specific to your area, please ask your supervisor.
For questions on the University's Information Security Program (ISP) or compliance materials, please visit the Division of Finance & Administration web page.
For assistance with network and computer security, policies, and procedures, please visit the Division of Information Technology (IT) web page.

Slide 17
Sources
Choroszy, Melisa. "Beyond FERPA: Maintaining the Privacy and Confidentiality of Student Data." Accessed April 18, 2017.
Electronic Code of Federal Regulations (CFR): 16 CFR 313, 314.
FTC, "Financial Institutions and Customer Information: Complying with the Safeguards Rule." Published April 2006. Accessed April 17, 2017.
Schneider, Megan. "ED Proposes Auditing Safeguards Rule Compliance." NACUBO. April 13, 2017.
UCA Registrar, FERPA. https://uca.edu/registrar/ferpa/. Accessed April 18, 2017.
University of Minnesota Controller's Office: Gramm-Leach-Bliley Act: Safeguards Rule. https://finsys.umn.edu/glba. Published June 1, 2012. Accessed April 18, 2017.
U.S. Department of Education, Dear Colleague Letter GEN-16-12. Subject: Protecting Student Information. Publication date July 1, 2016.