WHAT IS GRAMM-LEACH-BLILEY?
The Gramm-Leach-Bliley Act (GLB or Act) requires “financial institutions” (which include colleges and universities) to protect the privacy of their customers, including customers’ nonpublic, personal information. Because universities are governed by GLB,* Randall University has a responsibility to secure the personal records of its students and employees. To ensure this protection, GLB mandates that all institutions establish appropriate administrative, technical and physical safeguards. In an effort to set safeguarding standards, the Act directs that all financial institutions implement an Information Security Program and designate a program coordinator. Randall University has designated Quentin Loop, Director of Information Technology. The Director of Information Technology will be supported by the Director of the Financial Aid Office, and both will act as co-coordinators.
*GLB also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement because they already do so under the Federal Educational Rights and Privacy Act (FERPA). Colleges and universities complying with FERPA are considered in compliance with GLB.
The Information Security Program must include five main elements: designation of an employee(s) as coordinator of the information security program, identification of internal and external risks to the security and confidentiality of customer information and evaluation of current safeguards, employee training, oversight of service providers, and evaluation of the information security program.
WHAT IS RANDALL UNIVERSITY DOING IN ORDER TO SAFEGUARD PRIVATE INFORMATION?
Randall University is currently implementing its own Information Security Program, as required by GLB. For greater protection, Randall University’s Plan will safeguard all credit card information even though it may not be strictly required under GLB. Here are the ways Randall University is incorporating the safeguarding elements GLB requires:
1) Information Security Policy Coordinator
Quentin Loop, Director of Information Technology, will serve as the GLB Coordinator. Because an effective GLB program involves a wide variety of issues, it is important that Randall University have the following three representatives. Quentin Loop is responsible for the technical aspects of network and computer security. Cliff Bristow represents the Financial Aid office and Patti Ashby represents the Registrar’s office. The GLB Lead Coordinator will take the lead in answering any questions concerning Randall University’s GLB program and will work closely with the University Administrative Staff to implement Randall University’s Plan. The Coordinators will also interact with relevant University Departments to facilitate safeguarding measures. All general questions regarding Randall University’s Plan should be directed to Quentin Loop, firstname.lastname@example.org.
2) Risk Identification and Evaluation of Current Safeguards
First, the Coordinators must identify all potential and actual risks to the security and confidentiality of customer information. Under the Coordinator’s guidance, every School or Department head will conduct an annual data security review. The Randall University Administrative Staff will identify any employees who work with covered data and information. The GLB coordinators and the Randall University Administrative Staff (GLBC & RUA) will review procedures, incidents, and responses quarterly, and will publish all relevant materials where doing so is not likely to create a risk of security breach.
GLBC is developing a registry of all computers connected to the University network and a registry of University community members with access to the covered data and information. GLBC is also creating a plan to ensure the encryption of all electronic covered information in transit.
3) Employee Training
GLBC and RUA are developing training and education programs for all employees with access to covered data, including social security numbers and financial information. Directors and supervisors will play a particularly important part in securing compliance with the information security policy.
4) Oversight of Service Providers
Randall University Business Office, in cooperation with the Randall University Administrative Staff, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. OGC will take steps to ensure that all relevant future contracts will include a privacy clause and that all existing contracts are in compliance with GLB.
5) Program Evaluation
Randall University’s Information Security Plan will be subject to periodic review and adjustment, as required by GLB. Bi-annual reviews will be conducted within GLBC, while other relevant University offices will undergo regular review. The Information Security Plan itself will be reevaluated annually.