Protecting NonPublic, Personal Information Under the GrammLeachBliley Act - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Protecting Non-Public, Personal Information Under
the Gramm-Leach-Bliley Act
  • Greg Brady
  • Assistant University Counsel
  • gbrady@niu.edu, Phone 753-2621
  • Last Updated 5/5/04. Please contact Greg about
    updates to this presentation before relying on
    the content contained within.

2
Identity Theft and Consumer Fraud
  • From a January 23, 2004 MSNBC article
  • Americans reported losses of $437 million last
    year to identity theft and Internet fraud
  • The FTC has received more than half a million
    complaints in the last four years
  • Consumers lost an average of $1,868 per consumer
    fraud incident
  • The FTC estimates that 1 in 8 U.S. adults were
    affected by identity theft last year
  • For more information on identity theft, please
    see http://www.consumer.gov/idtheft/

3
Gramm-Leach-Bliley Act (GLB)
  • The Act requires financial institutions to
    safeguard customers' nonpublic, personal
    information.
  • Customers of NIU include students, employees,
    applicants, and other third parties as well.
  • The NIU Interim Security Plan Coordinator is Ken
    Davidson, Associate Vice President and General
    Counsel.
  • University Legal Services
  • 302 Lowden Hall
  • Northern Illinois University
  • DeKalb, IL 60115
  • Phone 753-1774
  • Fax 753-8686
  • www.niu.edu/legalservices/
  • Technical Support questions should be directed
    to your respective IT professional.

4
Related Laws
  • The Family Educational Rights and Privacy Act of
    1974 (FERPA), which deals with the protection of
    student education records.
  • See the training session presented by Sheri
    Kallembach of Registration and Records.
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA), which deals with the
    protection of protected health information that
    is transmitted electronically.
  • Illinois Freedom of Information Act (FOIA)
  • If you receive a FOIA request, or any other legal
    document, do not sign for it yourself. Instead,
    please direct that individual to the Office of
    University Legal Services.

5
GLB Motto
  • If you collect or have access to it, then
    protect it!!!
  • If you are unsure, err on the side of caution
    and do not hand over the information.
  • Strive for best practices.

6
Incident Response
  • Individuals who are aware of any attempted or
    actual unauthorized access to customer
    information are required to report such incident
    to the ITS Customer Support Center at
    815-753-8100. Callers should state that they
    would like to report a GLB incident and ask that
    IT Security be notified.
  • Use abuse@niu.edu for e-mail reporting.
  • For ITS policies, see
    http://www.its.niu.edu/its/Policies/policies_index.shtml

7
What type of information must I protect?
  • Names
  • Addresses
  • Phone numbers
  • Bank and credit card account numbers
  • Income and credit histories
  • Social Security Numbers
  • Other financial and tax information
  • regardless of whether it is in paper or
    electronic form

8
Financial Activities (12 USC 1843(k))
  • This broad definition includes
  • Leasing real or personal property or advising in
    such leasing
  • Financial advisory activities, including
    management consulting and counseling activities
  • Tax planning, preparation and advising
  • Universities conduct these activities
  • Extension of credit (student loans)
  • Debt collecting (of student loans)

9
Whose information must I protect?
  • Students (because of student loans, primarily)
  • NIU Employees
  • Applicants
  • Other third parties
  • GLB does not cover business entities (e.g., FEIN
    numbers), BUT this training can still be used to
    protect that information

10
Safeguarding electronic customer information
  • Use encryption technology to send and receive
    information electronically: SSL (https://...)
  • Only send the information that is absolutely
    necessary, e.g., a Social Security Number can be
    represented as ***-**-5678.
  • Be careful of Replying or Forwarding Emails with
    info.
  • Never give out your username and password to
    anyone, even your student workers!
  • Never leave your user name or password near your
    computer, like on post-its.
  • Do not leave your computer unlocked when not at
    your desk, e.g., CTRL+ALT+DEL, then Lock
    Workstation.
  • Turn computer screens away from visitors.
  • Only log in as Administrator when necessary.

11
Safeguarding hard copy customer information
(i.e., paper documents)
  • Do not leave customer information lying about.
  • Limit access to paper documents to those NIU
    employees with a legitimate business reason to
    know the information contained within.
  • Paper records with customer information must be
    placed in locked storage units that are protected
    against destruction and damage, e.g., fires and
    floods.
  • Avoid placing filing cabinets and other storage
    spaces in easily accessible places e.g. common
    hallways. Instead, place them behind the desks
    or away in an office.
  • When disposing of documents, pursuant to the
    Illinois State Records Act, shred those with
    customer information rather than just placing
    them in the trash.

12
Pre-text Calling and Phishing
  • Pre-text calling or social engineering is a
    method people may use to support their claim that
    they are calling from an official source e.g.
    the low mortgage rate example.
  • Phishing - the act of sending an e-mail to a
    user falsely claiming to be an established
    legitimate enterprise in an attempt to scam the
    user into surrendering private information that
    will be used for identity theft (e.g., eBay).
  • Always confirm/verify who you are dealing with
    before turning over any information.
  • Verify the status of all NIU vendors with
    University Legal Services.
  • Never confirm information for callers or
    requestors.
  • Refer requestors to the NIU online directory at
    www.niu.edu/directory.shtml.

13
Office Procedures
  • Check with your respective IT professional about
    the Big 3
  • Anti-virus software
  • Firewall protection
  • Periodic software updates
  • Continuously train and remind employees, even
    student workers, on how to safeguard customer
    information.
  • Report all unauthorized access to customer
    information to ITS and University Legal Services
    immediately.
  • Check references and conduct background checks on
    new hires.
  • Use confidentiality agreements.
  • Limit access to customer information to employees
    with a legitimate business reason to know.
  • Back up customer information.
  • Store customer information on machines that are
    not connected to the Internet or the network.

14
Office Procedures (Cont)
  • Use VPN (Virtual Private Network) software when
    remotely connecting to the NIU network,
    especially by wireless technology.
  • www.its.niu.edu/its/csupport/vpn/default.html
  • Never open attachments from strangers.
  • Confirm with sender
  • Scan attachments with anti-virus
  • Email Spoofing
  • Virus Hoaxes (e.g., jdbgmgr.exe hoax)
  • Choose hard-to-guess passwords
  • It may be futile to remove your e-mail from
    spam/junk mail lists.
  • Work at home? Inform your IT professional.
  • For home computers, remember the Big 3
  • Anti-virus software
  • Firewalls
  • Periodic software updates (see
    windowsupdate.microsoft.com/default.html)
  • Consider Spyware Detection Software
  • Ad-Aware - http://www.lavasoftusa.com/
  • Spybot - http://www.safer-networking.org/
  • Beware of Instant Messaging (IM) Software
  • Typically unencrypted and no antivirus protection

15
Email Notifications
  • The US Computer Emergency Readiness Team -
    http://www.us-cert.gov/index.html
  • Microsoft Windows Security E-Mail Updates -
    http://www.microsoft.com/security/
  • BUT I recommend actually updating your software
    from the following sites
  • http://v4.windowsupdate.microsoft.com/en/default.asp
  • http://office.microsoft.com/officeupdate/
  • Remember other software like RealPlayer or Mac OS

16
Office Procedures (Cont)
  • Disposal of records with customer information.
  • Follow the Illinois State Records Act
  • For general questions, call June Bocklund at
    753-1896 or Deborah Kern at 753-6130 from the
    Accounting Office
  • Disposal of hardware
  • IL law requires that all hard drives be wiped
    clean before being discarded by the University
  • For proper procedures, please see
    www.its.niu.edu/its/downloads/wipedisk.shtml
  • Maintain an inventory of your computers and
    filing systems, and use periodic auditing
    procedures.
  • Two-factor authentication for access to records
  • Something employees have (like an ID card)
  • Something employees know (like a password)

17
GLB Motto
  • If you collect or have access to it, then
    protect it!!!
  • If unsure, do not hand over the information.
Incident Response
  • Contact ITS Customer Support at 753-8100, and
    ask them to notify IT Security of a GLB incident.

18
Requests for Information
  • Requests by Law Enforcement Officials or
    Authorities
  • Please call the NIU Department of Public Safety
    at 753-1212.
  • Requests pursuant to other legal documents (i.e.,
    subpoenas, summons, FOIA requests)
  • Please call University Legal Services at 753-1774.