GLB Safeguards Rule: Overview, Training and Enforcement Considerations - PowerPoint PPT Presentation

About This Presentation
Title: GLB Safeguards Rule: Overview, Training and Enforcement Considerations
Original file title: GLB: Identifying Exposures and Risks. Author: Christopher_Holmes. Last modified by: Davis Audio Visual, Inc. Created: 6/5/2003 2:55:22 PM.
Slides: 52
Provided by: Christophe659
Learn more at: https://404.cua.edu

Transcript and Presenter's Notes

1
GLB Safeguards Rule Overview, Training and
Enforcement Considerations
  • NACUA 43rd Annual Conference
  • Peter C. Cassat
  • Margaret O'Donnell

2
Scope of GLBA Safeguards Rule
  • The FTC's Safeguards Rule, promulgated under the
    GLBA, went into effect on May 23, 2003 and is
    aimed at ensuring the safeguarding and
    confidentiality of customer information held in
    the possession of covered financial institutions.
  • Unlike the FTC's earlier GLBA Privacy Rule, the
    Safeguards Rule contains no exemption for
    institutions that are subject to FERPA. As a
    result, educational institutions that engage in
    financial institution activities, such as
    processing student loans, are required to comply
    with the Safeguards Rule.

3
General Requirements
  • The Safeguards Rule requires each covered
    institution to develop, implement, and maintain a
    comprehensive information security program that
    is written in one or more readily accessible
    parts, and that includes administrative,
    technical and physical safeguards designed to
    ensure the security and confidentiality of
    customer records.
  • The Safeguards Rule expressly recognizes that
    each institution's information security program
    may vary, based on its size and complexity, the
    nature and scope of its activities, and the
    sensitivity of the customer information at issue.

4
Comprehensive Written Information Security Program
  • In order to develop, implement and maintain the
    required written information security program,
    the Safeguards Rule requires each institution to
    carry out certain steps:
  • designate one or more employees to coordinate the
    program

5
Information Security Program Steps, cont. . . .
  • Identify reasonably foreseeable internal and
    external risks to the security and
    confidentiality of customer information that
    could lead to unauthorized disclosure, use,
    alteration, destruction or other compromise of
    such information, and assess the sufficiency of
    the institution's safeguards in place to control
    these risks.

6
Information Security Program Steps, cont . . .
  • Such risk assessment must include, at a minimum,
    risks in areas of operation such as:
  • employee training and management,
  • information systems, and
  • detecting, preventing, and responding to attacks
    against the institution's systems

7
Security Program Steps, cont.
  • implement safeguards to manage the identified
    risks and regularly test or monitor such
    safeguards
  • oversee the institution's service providers by:
  • selecting and retaining service providers that
    are capable of maintaining appropriate safeguards
    for the customer information at issue, and
  • requiring service providers by contract to
    implement and maintain such safeguards

8
Ongoing Security Steps
  • The Safeguards Rule requires institutions to
    evaluate and adjust their security programs
    in light of the required risk assessment, any
    material change to institutional business
    operations, or any other circumstances that may
    have a material impact on the institution's
    information security program.

9
Practical Considerations
  • The most difficult challenge under the
    Safeguards Rule is identifying the scope of
    information covered.
  • It may be possible to take the position that the
    Safeguards Rule applies only to information
    collected or maintained in connection with the
    institution's financial institution activities,
    i.e., student financial aid related activities.
  • It may be difficult, however, for institutions to
    segregate information that is collected in
    connection with financial institution related
    activities (such as Social Security numbers) from
    other information maintained with respect to its
    student population.

10
Drafting Issues
  • The FTC rules expressly recognize that an
    institution's information security program may be
    maintained in one or more documents. Thus, it
    should be possible to incorporate existing
    policies and procedures relating to the
    safeguarding of information and to the proper use
    of institutional network resources, such as
    existing acceptable use, information technology
    security and student record access policies and
    procedures.

11
Risk Management Issues
  • The Safeguards Rule recognizes that an
    institution need not make its security program
    publicly available. However, open records laws
    may provide access.
  • Drafts and deliberative documents relating to the
    creation and implementation of the program should
    be labeled as attorney-client privileged drafts.

12
Approaches to GLB Compliance
  • NACUA 43rd Annual Conference
  • Tom Schumacher
  • University of Minnesota
  • June 25, 2003

13
Options for Organizational Management: Program
Leadership
  • Designate an employee or employees to
    coordinate (§ 314.4(a))
  • 1. Centralized Model, single person
  • 2. Decentralized, several coordinators
  • 3. Hybrid, central coordinator, designated
    responsible parties in key units
  • Designation must be set out in written security
    plan (§ 314.3(a))
  • Try to integrate with existing responsibilities

14
Centralized Model
  • Options for Responsible Office
  • Chief Information Officer?
  • Controller?
  • CFO?
  • Registrar?
  • Privacy Officer (if have one)?
  • Custodian of Student Record?
  • Auditor?
  • IT Security Officer?
  • Others
  • Delegate administrative duties as appropriate

15
Decentralized Model
  • Designate responsible coordinator in areas with
    covered data
  • Student Finance Director(s)
  • One at each campus
  • IT Office(s)
  • Collections
  • Human Resources
  • Accounting
  • Collegiate contacts
  • Athletics
  • Others
  • Consider some oversight method

16
Hybrid Model
  • Single Central Coordinator
  • Formally designated contacts in units with
    covered data responsible for carrying out risk
    assessments and monitoring where required
  • Communication with leadership from areas with
    covered data

17
Coordinator Program Responsibilities
  • Risk Assessment - § 314.4(b)
  • Identify/inventory access to covered data
  • Assess Risk
  • Internal Controls
  • Design and implement safeguards to control the
    risks you identify (§ 314.4(c))
  • Match these to level of assessed risk

18
Internal Controls
  • Program Oversight
  • Risk Assessment
  • Roles and Responsibilities
  • Policies and Procedures
  • Education, Training and Awareness
  • Monitoring, Testing, Oversight
  • Corrective action/Communication
  • Iterative and continuing process

19
Example Risk Assessment - for each significant area
to evaluate
  • Electronic
    • Access
    • Storage
    • Transmission
    • Destruction
  • Print materials
    • Access
    • Storage
    • Transmission
    • Destruction
  • Service Providers
  • System Integrity
  • Example risks: employee permitted to access a
    database without proper authorization; misuse of
    information by an employee with authorized
    access; etc.

20
Example Risk/Internal Controls matrix approach
(Area: student financial collections)
21
Example Hybrid Model
  • Coordinator makes sure Risk Assessment and
    Internal controls for each covered area are in
    place
  • For significant areas, conducted by designated
    contacts
  • For isolated areas, conducted by the Coordinator
  • Designated contacts annually provide report to
    Coordinator
  • Annual confirmation that risks are current
  • Coordinator annually reports on risk environment
    and controls to Compliance and leadership
  • Identifies problem areas

22
Identifying and Evaluating Exposures and Risks
  • NACUA 43rd Annual Conference
  • Christopher Holmes
  • Baylor University
  • June 25, 2003

23
Scope of Risk Assessment
  • You shall...identify reasonably foreseeable
    internal and external risks to the security,
    confidentiality, and integrity of customer
    information that could result in the unauthorized
    disclosure, misuse, alteration, destruction or
    other compromise of such information, and assess
    the sufficiency of any safeguards in place to
    control these risks. 16 CFR § 314.4(b).

24
Areas to Include
  1. Employee training and management
  2. Information systems, including network and
    software design, as well as information
    processing, storage, transmission and disposal
    and
  3. Detecting, preventing and responding to attacks,
    intrusions, or other systems failures.

25
Steps to Risk Assessment
  • Meet with all business owners facing the risks
    and discuss their experiences
  • Prepare a list that encompasses the risks (both
    internal and external) they observe
  • Determine whether current steps are sufficient in
    controlling the risks
  • Discuss additional reasonable steps that could be
    taken to increase security

26
List of Potential Risks
  • Compromise of system security (e.g., hacker)
  • Interception of data during transmission
  • Physical loss of data due to disaster
  • Corruption of data or systems
  • Unauthorized access by employees
  • Unauthorized requests for data (e.g., pretext
    calling)
  • Unauthorized transfer of data by third parties

27
FTC Suggestions: Employee Management and Training
  • Check references prior to hiring employees who
    will have access to cdi
  • Employees sign confidentiality agreement
  • Train employees to take basic steps (passwords,
    pretext calling, etc.)
  • Regular reminders of policy and legal requirement
    to keep cdi confidential
  • Limit access to those employees with a business
    reason for seeing it

28
FTC Suggestions: Information Systems
  • Store records in a secure area
  • Provide for secure data transmission (use of SSL,
    password protect email accounts, etc.)
  • Dispose of customer information in secure manner
  • Inventory computers on network systems

29
FTC Suggestions: Managing Systems Failures
  • Develop a written contingency plan to address
    breaches
  • Maintain software and hardware (security patches,
    anti-virus software, etc.)
  • Backups of all cdi
  • Configure systems to ensure that access to cdi is
    granted only to appropriate users
  • Notify customers promptly if cdi is disclosed

30
Review and Assessment of Plan
  • GLB requires continued evaluation and
    adjustment of the safeguards program in light of
    relevant circumstances. Periodically review
    changes in the university's operations or
    business arrangements, or the results of testing
    and monitoring of enacted safeguards.

31
Service Provider Rules Under the
Gramm-Leach-Bliley Act
  • 2003 NACUA National Conference, June 25, 2003
  • Gregory C. Brown, Associate General Counsel,
    Office of the General Counsel, University of
    Minnesota
32
Overview of Presentation
Review the FTC Safeguard Rule on the oversight,
selection and retention of service providers and
mandatory contract provisions. Discuss ways, by
contract, to protect Universities once security
has been breached or customer information has
been lost, misused or altered.
33
Who is a Service Provider?
Any person or entity that receives, maintains,
processes, or otherwise is permitted access to
customer information through its provision of
services directly to a financial institution . .
. . FTC Safeguard Rule, § 314.2(d), 67 Fed. Reg.
36,484, 36,494 (May 23, 2002).
34
Duty to Oversee Service Providers
Institutions must take reasonable steps to
select and retain service providers that are
capable of maintaining appropriate safeguards for
the customer information . . . . FTC Safeguard
Rule, § 314.4(d)(1), 67 Fed. Reg. 36,484, 36,494
(May 23, 2002).
35
Duty to Oversee Service Providers
Each institution is expected to take reasonable
steps to assure itself that its current and
potential service providers maintain sufficient
procedures to detect and respond to security
breaches . . . . FTC Safeguard Rule, C, 67
Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis
added).
36
Duty to Oversee Service Providers
Each institution is expected to maintain
reasonable procedures to discover and respond to
widely-known security failures by its current and
potential service providers. FTC Safeguard Rule,
C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002)
(emphasis added).
37
Duty to Oversee Service Providers
The FTC did not mandate any specific reviews or
steps an institution must take to
comply. Institutions need not undertake
unlimited evaluation(s) of their service
providers capabilities. FTC Safeguard Rule,
C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002).
Review will depend on the circumstances and the
relationship between the institution and the
service provider. Id.
38
Mandatory Contract Provisions
Each contract entered into after June 24, 2002,
must require the service provider to implement
and maintain such safeguards. FTC Safeguard
Rule, § 314.4(d)(2) and § 314.5(b), 67 Fed. Reg.
36,484, 36,494 (May 23, 2002). A contract in
place before that date need not include the
mandatory provision until May 24, 2004. FTC
Safeguard Rule, § 314.5(b), 67 Fed. Reg. 36,484,
36,494 (May 23, 2002).
39
Mandatory Contract Provisions
So as to give institutions flexibility, the FTC
did not mandate particular contract language.
40
Mandatory Contract Provisions
Sample clause: "Throughout the term of this
Agreement, Service Provider shall implement and
maintain appropriate safeguards, as that term
is used in § 314.4(d) of the FTC Safeguard Rule,
16 C.F.R. Part 314 (the FTC Rule), for all
customer information, as that term is defined
in § 314.2(b) of the FTC Rule, owned by the
University and delivered to Service Provider
pursuant to this Agreement."
41
Mandatory Contract Provisions
Sample clause, cont'd: "Service Provider shall
promptly notify the University, in writing, of
each instance of (i) unauthorized access to or
use of that customer information that could
result in substantial harm or inconvenience to a
customer of the University or (ii) unauthorized
disclosure, misuse, alteration, destruction or
other compromise of that customer information.
Within 30 days of the termination or expiration
of this Agreement, Service Provider shall destroy
and shall cause each of its agents to destroy all
records, electronic or otherwise, in its or its
agents' possession that contain such customer
information and shall deliver to the University a
written certification of the destruction."
42
Mandatory Contract Provisions
FTC Safeguard Rule is silent as to the penalty
for institution entering into or maintaining a
contract with a service provider that does not
comply.
43
Additional Contract Terms
Right to on-site audit of Service Provider's
security program. Right to terminate if Service
Provider has allowed a material breach of its
security program, if Service Provider has lost or
materially altered customer information, or if
the University reasonably determines that Service
Provider's program is inadequate.
44
Additional Contract Terms
Service Provider to indemnify and defend the
University for security breaches, violations of
GLB caused by Service Provider's negligence, and
loss or material alteration of customer
information. Service Provider to reimburse the
University for its direct damages (e.g., costs to
reconstruct lost or altered information)
resulting from the security breach, loss, or
alteration of customer information.
45
Conclusion
GLB is another step on the ever-lengthening road
to the land of perfect privacy. The FTC Safeguard
Rule should be seen as a part of an institution's
comprehensive privacy policy. Institutions need
to address the protection of (meaning here access
to) information already in the hands of both
current and past service providers.
46
What is Required for Training under GLB
Safeguards Rule
  • Training should be very simple.
  • You don't even need to mention GLB.

47
What Points to Include in Training
  • Both physical and computer records must be
    protected
  • Do not give anyone else your password or ask
    anyone for theirs
  • Encrypt sensitive customer information when
    transmitted over networks. Conversely, do not ask
    customers to send data such as credit card or
    SSN over non-encrypted networks.
  • Refer calls or requests for customer information
    to employees who have had safeguard training
  • Beware "social engineering" (pretext calling)
  • Identify where at the university to report
    fraudulent attempts to obtain customer
    information or questionable data access (might be
    the Internal Auditor for financial records, the
    Registrar for student records, and others to the
    Information Security Coordinator)
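Two of the training points above, encrypting customer information in transit and not asking customers to submit SSNs or card numbers over unencrypted connections, can be checked mechanically on a university's own web forms. The following Python script is an added example, not part of the NACUA deck or any university's own tooling: it parses a page's HTML forms, resolves each form's action URL against the page URL, and flags any form that collects fields that look like SSN or payment-card data but submits to anything other than an https URL. The field-name markers and the sample page are assumptions constructed for the example.

```python
"""Flag HTML forms that collect SSNs or card numbers but submit over plain HTTP.

Added example, not from the NACUA deck. Assumes the page URL is known and
that sensitive fields can be recognised by name/id/autocomplete attributes
(a heuristic; the marker list below is an assumption, not a standard).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: substrings that mark a field as customer data that must
# be protected in transit (SSN, payment card data). Extend for your own forms.
SENSITIVE_MARKERS = ("ssn", "social", "card", "cc-number", "cvv", "cvc")


class FormAuditor(HTMLParser):
    """Collects each <form> with its resolved action URL and its field labels."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of dicts: {"action": str, "fields": [..]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action submits to the page's own origin,
            # so the page's scheme decides whether the submission is encrypted.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            label = " ".join(
                (a.get("name") or "", a.get("id") or "", a.get("autocomplete") or "")
            ).lower()
            self._current["fields"].append(label)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field_label):
    """True if the field's name/id/autocomplete text matches a sensitive marker."""
    return any(marker in field_label for marker in SENSITIVE_MARKERS)


def audit_forms(page_url, html):
    """Return (action_url, sensitive_fields) for every form on the page that
    collects sensitive data and submits over a scheme other than https."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"] if is_sensitive(f)]
        if sensitive and urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], sensitive))
    return findings


# Constructed sample page (not a real university site): one form posts a
# financial-aid SSN to plain HTTP, one posts a card number to HTTPS, and one
# is a search box with nothing sensitive.
SAMPLE_HTML = """
<form action="http://aid.example.edu/apply" method="post">
  <input name="student_ssn"> <input name="dob">
</form>
<form action="https://pay.example.edu/charge" method="post">
  <input name="cardnumber" autocomplete="cc-number"> <input name="cvv">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for action, fields in audit_forms("https://www.example.edu/aid/", SAMPLE_HTML):
        print(f"INSECURE: {action} collects {fields}")
```

Run against a page fetched from your own site, the script reports only the first form of the sample, because the card form already submits over https and the search form collects nothing sensitive. A form with no action attribute inherits the scheme of the page it sits on, so an http page hosting such a form is reported as well.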

48
Who to Train
  • Depends on Specifics of your Information Security
    Plan
  • Narrow v. Broad Approach
  • Broad: anyone who has access to student records,
    either paper or online
  • If your plan also covers credit card information,
    anyone who has access to credit card information
    (CUA taking this approach)
  • Narrow: only those offices with access to
    student financial data, or offices who engage in
    covered financial transactions, e.g. extending a
    loan for credit, gift annuity agreements, etc.
    (Georgetown taking this approach)

49
How to Train
  • By video (see online video at
    http://counsel.cua.edu/glb/publications/)
  • By brochures (online by end of summer at the
    above site)
  • In person in small groups for those who have
    managerial responsibilities in covered areas

50
Enforcement and 3rd Party Lawsuits
  • No private right of action under GLB
  • Plaintiff could bring case based on negligence
  • Not much (if any) case law on negligent release
    of information such as SSN or credit card

51
Avoiding Lawsuits
  • Likely to be a growing field with advent of laws
    like HIPAA, GLB and state laws protecting privacy
  • See Henderson, Steve, and Yarbrough, Matthew,
    "Frontiers of Law: The Internet and Cyberspace:
    Suing the Insecure? A Duty of Care in
    Cyberspace," 32 N.M. L. Rev. 11 (2002) for a
    summary of the theory of law in this area
  • Follow standard of reasonableness. Stay current
    or ahead of curve on privacy protection, e.g. be
    there with the patch as soon as it is available.