2005 MASFAA CONFERENCE, CHARLESTON, WEST VIRGINIA
Ginny D’Angelo, Vice President of Student Loans, Commerce Bank
Diane Lambart Fleming, Associate Director – Client Services, Central Michigan University


Page 1: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

2005 MASFAA CONFERENCE, CHARLESTON, WEST VIRGINIA

Ginny D’Angelo

Vice President of Student Loans

Commerce Bank

Diane Lambart Fleming

Associate Director – Client Services

Central Michigan University

Page 2: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

GRAMM-LEACH-BLILEY GLB ACT

Financial Modernization Act of 1999

Page 3: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Gramm-Leach-Bliley Act

GLB is a federal law that includes provisions requiring financial institutions to take steps to ensure the security and confidentiality of consumers’ and customers’ personal information.

In 2003, the Federal Trade Commission (FTC) confirmed that higher education institutions are considered financial institutions under this law.

Page 4: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Gramm-Leach-Bliley Act

Colleges and universities must be in compliance with provisions of the GLB Act that relate to the Safeguards Rule.

Colleges and universities that already comply with FERPA will be deemed to be in compliance with FTC privacy rules under the GLB Act.

Page 5: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Gramm-Leach-Bliley Act

The law requires that institutions protect information collected about individuals:

• Names
• Addresses and phone numbers
• Bank and credit card accounts
• Social Security numbers
• Income and credit histories

Page 6: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Gramm-Leach-Bliley Act

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. Privacy notices explaining an institution’s information-sharing practices must also be provided to each customer.

Page 7: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Gramm-Leach-Bliley Act

Experts suggest that three areas of operation present special challenges and risks to information security:

• Employee training and management
• Information systems (network and software), storage, transmissions and retrievals
• Security management, including prevention, detection and response to attacks, intrusions or other system failures

Page 8: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Gramm-Leach-Bliley Act

Quick Tips for Safeguarding Information:

• Identify what is considered sensitive information
• Protect all sensitive information from unauthorized access or use
• Put safeguarding into practice
• Report suspicious activity

Page 9: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

How does this apply to you?

Privacy of Information – FERPA

Safety of Information

Page 10: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Which Units are Most Affected by GLB?

Registrar

Financial Aid Office

Bursar

Development Office

IT

Academic Departments

Page 11: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Privacy of Information

FERPA – Family Educational Rights & Privacy Act

• If you are FERPA-compliant, you are meeting GLB criteria to protect information privacy
• FERPA protects privacy of all student educational records and financial information

Page 12: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

FERPA Policies

• Written policy – University Bulletin
• Staff training, i.e., memos from Registrar’s Office to faculty & staff regarding FERPA policy
• Information is shared on a “need to know” basis, i.e.:
  • Audits
  • Law enforcement officials (must have proper documentation and credentials)
  • Contracted services (loan, collection agencies)

Development Office

Page 13: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

GLB extends FERPA

If your institution makes loans to parents and other individuals, you must also protect their privacy

These loans can include:

PLUS

Alternative Parent Loans

Page 14: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Safeguards Rule

Institutions must develop a written information security plan to protect customer information

Institutions must send privacy notices explaining the information-sharing practices to each customer

Page 15: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Safeguards Rule Expanded

Must include plans to safeguard information against:

• Natural disaster
• Human error
• Fraud
• Data corruption
• Theft (hardware, software, reports)
• Unauthorized access

Page 16: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Safeguards Rule (cont)

Natural Disaster (Hurricanes???)

• Is your data backed up in a remote location?
• Do you lock your computer when you leave your work station during fire alarms – or any other time, for that matter!?

Page 17: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Safeguards Rule (cont)

Deliberate Fraud

• Must maintain a separation of duties
• Conflict of interest policies must be observed

Human Error

• Do you have audit trails and reports that can be used to reconstruct data?

Page 18: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Safeguards Rule (cont)

Data Corruption

• Protect and secure access to data, i.e., limit query vs. update capability on a “need-to-do” basis, limit student worker access as needed
• Anti-virus software must be maintained and applied
• Institution must erect firewalls and develop protection against hackers

Page 19: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Safeguards Rule (cont)

Must secure against theft of hardware, software and reports

• Secure during non-business hours: offices locked, keys secured
• Approved shredder: eliminates guess work in how to feed in documents

Page 20: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

More Safeguards

Must protect against unauthorized access

• Frequent password changes should be systematically required
• Reports sent on a “need-to-know” basis
• Computer privacy shields
• Student ID card readers – prevents inappropriate overhearing of SIDs or SSNs

Page 21: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

More Safeguards

• Communicating to students via e-mail:
  • Use student’s institutional e-mail address
  • Respond to non-institutional e-mail that an answer has been sent to the student’s institutional e-mail address
  • Respond to parent inquiries through student’s institutional e-mail and ask student to forward to parent

• Mass e-mail communication to students should take students to a secure web site that protects their individual information

Page 22: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Who’s Responsible Anyway?

Identify and involve all offices involved with loans or collection of data

• FAO
• Bursar
• IT/Computer Systems
• Development
• Academic departments (scholarship applications)

Page 23: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Who’s the Compliance Officer?

Someone must be designated the institutional Compliance Officer

This function is usually assumed by the Business and Finance Division

FAO responsibility rests in informing potential units of GLB responsibility

Page 24: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

FAO GLB Policies

Shred all student-specific documents

Policy for identifying students and parents before sharing data

Refer non-student/parent requests (3rd party) to appropriate staff

Report computer problems immediately

Page 25: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

Additional FAO Policies

• Don’t share passwords. Problem: What do you do when an employee is absent and you need to access information on his/her computer?
• Lock computers when leaving work area
• Computer screens shielded from other students
• No visitor left behind – or unattended!

Page 26: 2005 MASFAA CONFERENCE CHARLESTON, WEST VIRGINIA

CONTACT INFORMATION

Ginny D’Angelo
(800) 666-3910

Fax: (314) [email protected]

Diane Lambart Fleming
(989) 774-7429

Fax: (989) [email protected]