GrammLeachBliley Act GLBA: Implementation of the Safeguards Rule - PowerPoint PPT Presentation

Provided by: donnacum
1
Gramm-Leach-Bliley Act (GLBA): Implementation of the Safeguards Rule
  • University of Minnesota
  • (Adapted from the FTC website and Purdue University materials)

2
Preamble
  • The GLB Act is in addition to other privacy laws.
  • The University must appropriately safeguard all private financial and other information, regardless of whether it is obligated to do so under the GLBA.
  • In other words, the University's focus should be to protect all private data rather than to identify which particular law applies (GLBA, HIPAA, FERPA) in any given situation.

3
Objectives
  • Understand the applicability of GLBA and the Federal Trade Commission's Safeguards Rule (slides 4-5)
  • Understand what information is protected (covered data), and why (slides 6-10)
  • Understand the different types of safeguards (slides 11-19)
  • Understand the roles and responsibilities of all parties (slides 20-22)
  • Provide resources for additional questions (slides 23-27)

4
What is GLBA?
  • The Gramm-Leach-Bliley Act (GLBA) is a Federal law which requires financial institutions to ensure the security and confidentiality of customer personal information.
  • To the extent colleges and universities offer financial products or services (primarily student loan activities), they are considered covered financial institutions.
  • The Federal Trade Commission (FTC) implemented GLBA by issuing two rules: the Privacy Rule and the Safeguards Rule.
  • Colleges and universities are deemed in compliance with the Privacy Rule if they already comply with the Family Educational Rights and Privacy Act (FERPA).
  • The University of Minnesota must take active steps to comply with the Safeguards Rule.

5
What is the FTC Safeguards Rule?
  • The Safeguards Rule requires financial institutions to develop an information security program that includes these five required components:
  • Designate a Security Program Coordinator responsible for coordinating the program (currently the Controller's Office).
  • Conduct a risk assessment to identify reasonably foreseeable security and privacy risks.
  • Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards.
  • Oversee service providers, including selection of appropriate service providers and use of contract language to protect customer information handled by service providers.
  • Evaluate and adjust the program in light of relevant circumstances and changes in the business.

6
What is Customer Information?
  • Customer Information: any record containing nonpublic personal information about a customer, obtained in connection with offering a financial product or service. This includes paper, electronic or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates. Examples include:
  • Social security numbers
  • Bank account numbers
  • Credit card account numbers
  • Date and/or location of birth
  • Account balances, payment histories, credit ratings, income histories
  • Driver's license information
  • ACH (Automated Clearing House) numbers
  • Tax return information

7
Customer Information (cont'd.)
  • GLBA applies to customer information obtained in a variety of situations, including:
  • Information provided to obtain a financial product or service.
  • Information about a customer resulting from any transaction involving a financial product or service between the University and a customer.
  • Information otherwise obtained about a customer in connection with providing a financial product or service to the customer.
  • Nonpublic personal information received by a University department that does not directly provide a financial product or service, if the information otherwise needs to be protected by another University department that does provide a financial product or service. Example: financial aid information received by a college/unit that does not directly make student loans.

8
Examples of Financial Products and Services Covered Under the University's Security Plan
  • Student loans, including receiving application information, and the making and servicing of such loans
  • Employee emergency or other loans
  • Financial and investment advisory services
  • Collection of delinquent loans
  • Check cashing services
  • Investing for others; safeguarding money or securities for others

9
Examples of Other Financial Products and Services Covered Under the University's Security Plan
  • As business processes change and/or new academic programs and employee benefits are offered, we need to keep in mind other kinds of financial products and services that may be subject to the GLBA, such as:
  • Credit counseling services
  • Sale of money orders, savings bonds, or traveler's checks
  • Travel agency services provided in connection with financial services
  • Real estate settlement services
  • Money wiring services
  • Long-term payment plans involving interest charges
  • Personal property and real estate appraisals
  • Services provided by a principal, broker or agent with respect to life, health, liability, or disability insurance products
  • Providing or issuing annuities

10
Examples of Activities Not Covered Under the University's GLBA Security Plan
  • The following are examples of activities not subject to the GLBA:
  • Payments for merchandise
  • Payments for services other than financial services or products (health insurance, facilities rentals, administration of student health benefit plan, transfer retirement plan withholdings, administration of employee retirement/benefit plans, deferred payment plans)
  • Note: Credit card information must be protected for a variety of reasons, including the prevention of identity theft. So, although credit card sales for merchandise, and services that are not financial in nature, are not covered by the GLBA per se, steps must be taken to protect the privacy of credit card information.

11
The University of Minnesota seeks to:
  • Ensure the security and confidentiality of customer records and information in paper, electronic or other form.
  • Protect against any anticipated threats or hazards to the security or integrity of such records.
  • Protect against unauthorized access to or use of any records or information which could result in substantial harm or inconvenience to any customer.

12
Information Security Safeguards
  • There are three types of safeguards that must be considered:
  • Administrative
  • Physical
  • Technical
  • Departments must assume responsibility for ensuring that adequate safeguards are in place within their area of responsibility.

13
Administrative Safeguards
  • Administrative safeguards are generally within the direct control of a department and include:
  • Checking references on potential employees
  • Training employees on basic steps they must take to protect customer information
  • Ensuring that employees are knowledgeable about applicable policies and expectations
  • Limiting access to customer information to employees who have a business need to see it
  • Reducing exposure to the GLBA by requesting customer information only when it is required to conduct departmental activities
  • Imposing disciplinary measures where appropriate

14
Physical Safeguards
  • Physical safeguards are also generally within a department's control and include:
  • Locking rooms and file cabinets where customer information is kept
  • Using password-activated screensavers
  • Using strong passwords
  • Changing passwords periodically and not sharing or writing them down
  • Encrypting sensitive customer information transmitted electronically
  • Referring calls or requests for customer information to staff trained to respond to such requests
  • Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies

15
Physical Safeguards (cont'd.)
  • Additional physical safeguards:
  • Ensuring that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods
  • Storing records in a secure area and limiting access to authorized employees
  • Disposing of customer information appropriately:
  • Designate a trained staff member to supervise the disposal of records containing customer personal information
  • Shred or recycle customer information recorded on paper and store it in a secure area until the recycling service picks it up
  • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information
  • Promptly dispose of outdated customer information within record retention policies

16
Technical Safeguards
  • Technical safeguards are generally the responsibility of central OIT personnel or departmental computing staff. Departments, however, should be knowledgeable about how their electronic customer information is safeguarded. If additional controls are warranted, departments should work with OIT to improve safeguards.
  • Departments are also responsible for alerting OIT to the existence of customer information on networks.

17
Examples of Technical Safeguards
  • Technical safeguards include:
  • Storing electronic customer information on a secure server that is accessible only with a password (or has other security protections) and is kept in a physically secure area
  • Avoiding storage of customer information on machines with an Internet connection
  • Maintaining secure backup media and securing archived data
  • Using anti-virus software that updates automatically
  • Obtaining and installing patches that resolve software vulnerabilities
  • Following written contingency plans to address breaches of safeguards
  • Maintaining up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home
  • Providing central management of security tools and keeping employees informed of security risks and breaches

18
Guidelines for Providing Secure Data Transmission
  • If you collect credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit.
  • If you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail.
  • If you must transmit sensitive data by electronic mail, encryption, although difficult to do, is necessary.

19
Managing System Failures
  • Effective security management includes the prevention, detection and response to attacks, intrusions and other system failures, including the steps mentioned earlier and:
  • Backing up data regularly and storing back-up information offsite
  • Imaging documents
  • Shredding paper copies after imaging
  • Other reasonable measures to protect the integrity and safety of information systems

20
Roles and Responsibilities
  • Security Program Coordinator:
  • Ensure that risk assessments are conducted at appropriate time intervals, assisted by departments that handle covered data.
  • Ensure that testing and monitoring of risks is carried out for each unit with covered data.
  • Ensure that training is delivered to departments with access to covered data, and verify the adequacy of existing security policies.
  • Oversee service providers.
  • Evaluate and adjust the Information Security Program based on the results of testing and monitoring, and as conditions change.
  • Submit an annual report to the Office of Institutional Compliance on the status of the safeguarding and monitoring of covered data.

21
Roles and Responsibilities (cont'd.)
  • Deans, Directors and Department Heads:
  • Designate a key contact to work with the Security Program Coordinator on all GLBA matters.
  • Ensure that the key contact carries out periodic risk assessments and monitors the identified risks.
  • Adhere to policies, standards and guidelines for the safeguarding of private data, and ensure that employees with access to covered data do the same.
  • Ensure that new employees are made aware of the GLBA and its safeguarding requirements.
  • Employees with Access to Covered Data:
  • Adhere to policies, standards and guidelines for the safeguarding of private data.

22
Roles and Responsibilities (cont'd.)
  • Chief Information Officer:
  • Designate individuals who have responsibility and authority for information technology resources.
  • Establish and disseminate rules regarding access to and acceptable use of information technology resources.
  • Establish reasonable security measures to protect data and systems.
  • Monitor and manage system resource usage.
  • Investigate problems and alleged violations of information technology policies.
  • Refer violations to appropriate University offices (Office of General Counsel, University Police Department).

23
Additional Resources
  • University Policies:
  • F2.5.1 Public Access to University Information
  • http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/Public_access.cfm
  • F2.5.2 Internal Access to University Information
  • http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/access.cfm
  • F2.8.1 Acceptable Use of Information Technology Resources
  • http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/Acceptable_Use.cfm
  • F2.8.2 User Authentication for Access to University Computer Resources
  • http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/X500pol.cfm
  • F2.8.3 Collecting Information From Visitors To University Web Sites (Online Privacy)
  • http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/Online_Privacy.cfm
  • F3.9.1 Managing University Records Retention
  • http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/record_retention.cfm

24
Additional Resources (cont'd.)
  • University Standards:
  • Anti-Virus Standard
  • http://www1.umn.edu/oit/security/Anti-virusstandard.shtml
  • Secure Data Deletion Standard
  • http://www1.umn.edu/oit/security/datadeletion.shtml
  • OIT Wireless Access Point Technical Standards
  • http://www1.umn.edu/wireless/standards.html

25
Additional Resources (cont'd.)
  • University Guidelines:
  • Critical Security Updates and Patches
  • http://www1.umn.edu/oit/security/updates-patches.shtml
  • Securing Network Infrastructure
  • http://www1.umn.edu/oit/security/securenetwork.shtml
  • Securing Microsoft Domain Controllers
  • http://www1.umn.edu/oit/security/domain.shtml
  • Protecting Private Data
  • http://www1.umn.edu/oit/security/privatedata.shtml
  • Server Installation Security
  • http://www1.umn.edu/oit/security/ServerInstall.pdf

26
Additional Resources (cont'd.)
  • Resources at the following site may alert you to new risks to information security and help individuals whose information may have been compromised with their next steps:
  • http://www.ftc.gov/
  • Additional guidance is available at www.ftc.gov/privacy/glbact

27
Key Contacts
  • Your department manager for specific procedural questions in your area.
  • The Controller's Office for questions on applicability of the GLBA to your situation:
  • Darlene Anton, 612-624-8394, d-anto_at_umn.edu
  • OIT for help with computer security issues:
  • Ken Hanna, 612-625-1505, k-hann1_at_umn.edu