Gramm-Leach-Bliley Information Sheet
WHAT IS GRAMM-LEACH-BLILEY?
The Gramm-Leach-Bliley Act (GLB or Act) requires “financial institutions” (which includes colleges and universities) to protect the privacy of their customers, including customers’ nonpublic, personal information. Because universities are governed by GLB,* Wesleyan University has a responsibility to secure the personal records of its students and employees. To ensure this protection, GLB mandates all institutions establish appropriate administrative, technical and physical safeguards. In an effort to set safeguarding standards, the Act directs that all financial institutions implement an Information Security Program, and designate a program coordinator. Wesleyan has designated Steve Machuga, Director of Administrative Systems Lead Coordinator. The Director of Administrative Services will be supported by Director of Technical Support Services and the
, Associate Director of the Financial Aid Office who both will act as co-coordinators.
*GLB also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement because they already do so under the Federal Educational Rights and Privacy Act (FERPA). Colleges and universities complying with FERPA are considered in compliance with GLB.
The Information Security Program must include five main elements: designation of an employee(s) as coordinator of the information security program, identification of internal and external risks to the security and confidentiality of customer information and evaluation of current safeguards, employee training, oversight of service providers, and evaluation of the information security program.
WHAT ABOUT OTHER RELATED LAWS?
The Family Educational Rights and Privacy Act (FERPA) stipulates that before receipt of federal educational funding, institutions must provide student access to, and maintain the privacy of, education records. However, institutions may designate directory information that may be released without permission of the student, which may include a student’s name or address. For the University’s policy regarding FERPA, see the Student Handbook, under Student Records. FERPA pertains to GLB in that the goal of both Acts is to ensure the privacy of student information. An institution’s compliance with FERPA is regarded as compliance with a separate, privacy aspect of GLB.
To ensure that all university employees are in compliance with the law, this guide sets out the basics for ensuring the protection of student and employee records. Because of the expanse of personal information generated into and through the University, security is essential. Also, students, applicants, faculty and staff are entitled to assurances that the personal information they submit to the University will be safeguarded.
HOW WILL THIS LAW AFFECT MY JOB?
Nonpublic, personal information may be sought via phone or even email from outside vendors or other persons. Before releasing any information, it is important to report requests for personal information to university employees who have undergone the information security training. This includes requests from persons who, in an effort to gain your trust, offer a few pieces of personal information regarding a student already in their possession. This method of seeking nonpublic, personal information is called pretext calling and is a popular scam. You may release a student’s personal information only if the student has specifically authorized you to do so by way of written waiver, or if the release meets one of the enumerated exceptions in the Wesleyan University Student Records policy (Please see the Student Records policy in the Student Handbook). Never give out a student’s Social Security number over the phone and never confirm information a caller provides.
WHAT TYPE OF INFORMATION MUST I PROTECT?
Upon receipt of student names, addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, be aware that all such information is protected under GLB. Directory information may be released pursuant to the Wesleyan student record policy. Generally, any student or parent financial information must be safeguarded. The protection applies whether the information is in paper or electronic form.
WHAT ELSE CAN I DO TO SAFEGUARD CUSTOMER INFORMATION?
Always make sure sensitive customer information is transmitted over encrypted networks. Do not request that customers send credit card numbers or Social Security numbers over non-encrypted networks. To prevent access by unauthorized persons, do not give anyone else your password.
WHICH UNIVERSITY EMPLOYEES MUST PARTICIPATE IN TRAINING?
All Wesleyan employees with access to credit card numbers and other nonpublic information included in student records (such as Social Security numbers) must undergo training. This training will vary by department and will be coordinated by the Office of General Counsel.
IF I RECEIVE CALLS OR REQUESTS FOR CUSTOMER INFORMATION, TO WHOM SHOULD I REFER THEM?
Refer callers requesting private, customer information only to those university employees who have undergone the information security training. If you suspect fraud, or an attempt to fraudulently obtain any financial customer information, please report to the University Registrar for student record issues, to Associate Director of Financial Aid for Financial Aid or Admission issues or to the Director of Administrative Systems for technology related issues. For all other issues, report to the Office of University Counsel. After consulting with the above mentioned people, the student about whom the information is being sought must be informed of any suspect requests.
WHAT IS WESLEYAN DOING IN ORDER TO SAFEGUARD PRIVATE INFORMATION?
Wesleyan is currently implementing its own Information Security Program, as required by GLB. For greater protection, Wesleyan’s Plan will safeguard all credit card information even though it may not be strictly required under GLB. The Wesleyan Interim Plan is located on the General Counsel’s website at http://counsel.cua.edu/glb. Here are the ways Wesleyan is incorporating the safeguarding elements GLB requires:
1) Information Security Policy Coordinator
Steve Machuga, Director of Administrative Systems, Ganesan Ravishanker, Director of Technical Support Services and Karen Hook, Associate Director of the Financial Aid Office will serve as GLB Coordinators. Due to the wide variety of issues necessary in an effective GLB program, it is important that Wesleyan have these three representatives. Steve Machuga represents all Administrative Systems across campus. Ganesan Ravishanker is responsible for the technical aspects of network and computer security. Karen Hook represents the Financial Aid office. The GLB Lead Coordinator will take the lead in answering any questions concerning Wesleyan’s GLB program and working closely with the University Counsel’s office to implement Wesleyan’s Plan. The Coordinators will also interact with relevant University Departments to facilitate safeguarding measures. All general questions regarding Wesleyan’s Plan should be directed to Steve Machuga, email@example.com .
2) Risk Identification and Evaluation of Current Safeguards
First, the Coordinators must identify all potential and actual risks to the security and confidentiality of customer information. Under the Coordinator’s guidance, every School or Department head will conduct an annual data security review. Vice Presidents will identify any employees who work with covered data and information. The GLB coordinators and the Office of University Counsel (GLBC & OUC) will review procedures, incidents, and responses quarterly, and will publish all relevant materials where the risk of security breach is not likely.
GLBC is developing a registry of all computers connected to the University network and a registry of University community members with access to the covered data and information. GLBC is also creating a plan to ensure the encryption of all electronic covered information in transit.
The (GLBC & OUC) are developing training and education programs for all employees with access to covered data, including social security numbers and financial information. Directors and supervisors will play a particularly important part in securing compliance with the information security policy.
4) Oversight of Service Providers
Business Services, in cooperation with the Office of University Counsel, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. OGC will take steps to ensure that all relevant future contracts will include a privacy clause and that all existing contracts are in compliance with GLB.
Contracts entered into prior to June 24, 2002 are grandfathered until May 2004.
5) Program Evaluation
Wesleyan’s Information Security Plan will be subject to periodic review and adjustment, as required by GLB. Bi-Annual reviews will be conducted within GLBC, while other relevant University offices will undergo regular review. The Information Security Plan itself will be reevaluated annually.
WHAT IF CALLS/REQUESTS COME FROM SEEMINGLY VALID SOURCES?
Please report all suspicious calls to the appropriate persons on campus. Remember the so—called “pretext calling” is a method people may use to support their claim that they are calling from an official source. Be wary of callers seeking nonpublic information, regardless of the source. There are ways to verify requests for releases. You can call the person back after verifying his/her title/phone number over the Internet or confirming the validity of the request by talking to the student about whom the information is sought.
HOW CAN I TELL WHETHER INFORMATION SUBMITTED OVER THE INTERNET IS SECURED?
Web sites can be secured in a number of ways. One sign of a secured site is the letter “s” in your web address bar at the top of the screen following “http” so it reads: https. Another mark of a secured site is a yellow lock symbol in the lower right-hand corner of your screen. Take precautions when submitting or accepting credit card or other private information over web sites without these or similar symbols or indicators.
Office of General Counsel July 2003
WHAT IS ALL THE FUSS ABOUT SOCIAL SECURITY NUMBERS ANYWAY?
The unauthorized release of Social Security numbers can lead to identity theft. By fraudulently obtaining a person’s SSN, someone can assume that person’s identity and gain access to or establish new bank or credit accounts. Although not technically covered under GLB, Wesleyan no longer uses Social Security numbers as student identifiers. However, student Social Security numbers remain in the student information system because some University employees continue to rely on them. Wesleyan has made significant changes in the way Social Security Numbers are used within Wesleyan. While the SSN is still a valid piece of information for conducting business within some University systems, the SSN is no longer routinely bridged to systems not requiring the SSN, internal constituent search routines within Wesleyan’s main student and HR system have been altered to allow only a partial SSN to show. The University will continue to assess who has access to Social Security numbers (including subcontractors and consortiums), in what systems they can be found, and when someone is inappropriately trying to obtain a student’s SSN.
HOW DOES INFORMATION SECURITY AFFECT CAMPUS GROUPS OR DEPARTMENTS?
Departments or campus groups with access to or who collect financial information or Social Security numbers must be mindful when using or transmitting that information. Do not leave nonpublic information displayed on your computer screen when your computer is unattended. For example, access to certain University web sites such as Cardinal Students is limited; therefore users must prevent unauthorized access to student Social Security numbers. Also, because information sent via email is not encrypted, do not solicit financial information or a SSN in this manner for any reason. Physical records must also be secured, so do not leave forms or printouts containing nonpublic information where unauthorized persons may obtain them. File cabinets must be locked or behind locked doors with controlled access.