The Gramm-Leach-Bliley Act requires financial institutions to do what?

GLBA Overview

What is GLBA?

  • The Gramm-Leach-Bliley Act (GLBA) is a comprehensive federal law affecting financial institutions. The law requires financial institutions to develop, implement and maintain administrative, technical and physical safeguards to protect the security, integrity and confidentiality of customer information.
  • The Federal Trade Commission (FTC) enforces compliance with GLBA.
  • The FTC may bring an administrative enforcement action against any financial institution for non-compliance with the GLBA.
  • The University of Alaska Fairbanks (UAF) significantly engages in student loan making and provides financial services to student customers. As such, UAF falls within the definition of “financial institution” under the GLBA and must comply with the law’s requirements.
  • “Financial Institution” means any institution the business of which is engaging in financial activities.
  • The GLBA is composed of several parts, including:
    • the Privacy Rule (16 CFR 313) and
    • the Safeguards rule (16 CFR 314).
  • The FTC has officially stated that any college or university that complies with the Federal Educational Rights and Privacy Act (FERPA) and that is also a financial institution subject to the requirements of GLBA shall be deemed to be in compliance with GLBA’s privacy rules if it is in compliance with FERPA (16 CFR 313.1). UAF complies with FERPA guidance.
  • The FTC has not made a similar exception for an institution of higher education with respect to the Safeguards Rule.
  • The Safeguards Rule requires all financial institutions to develop an information security program designed to protect “customer information.”
  • UAF must comply with the Safeguards Rule.
  • There are three types of safeguards that must be considered when a UAF department implements safeguards to protect the security, confidentiality, and integrity of customer information:
    • Administrative Safeguards
    • Technical Safeguards
    • Physical Safeguards

Safeguards Rule

Administrative Safeguards

Administrative Safeguards include developing and publishing policies, standards, procedures and guidelines, and are generally within the direct control of a department, such as:

  • Reference checks for potential employees.
  • Confidentiality agreements that include standards for handling customer information.
  • Training employees on basic steps they must take to protect customer information.
  • Assuring employees are knowledgeable about applicable policies and expectations.
  • Limiting access to customer information to employees who have a business need to see it.
  • Imposing disciplinary measures where appropriate.

Physical Safeguards

Physical Safeguards are also generally within a department’s control and include:

  • Locking rooms and file cabinets where customer information is kept.
  • Using password activated screensavers.
  • Using strong passwords.
  • Changing passwords periodically and not writing them down.
  • Referring calls or requests for customer information to staff trained to respond to such requests.
  • Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.
  • Ensuring storage areas are protected against destruction or potential damage from physical hazards, such as fire or floods.
  • Storing records in a secure area and limiting access to authorized employees.
  • Disposing of customer information appropriately:
    • Designate a trained staff member to supervise disposal of records containing customer personal information.
    • Shred or recycle customer information recorded on paper and store it in a secure area until the confidential recycling service picks it up.
    • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information.
    • Promptly dispose of outdated customer information according to record retention policies.

Technical Safeguards

Technical Safeguards include:

  • Storing electronic customer information on a secure server that is accessible only with a password or has other security protections and is kept in a physically secure area.
  • Avoiding storage of customer information on machines with an Internet connection.
  • Maintaining secure backup media and securing archived data.
  • Using anti-virus software that updates automatically.
  • Obtaining and installing patches that resolve software vulnerabilities.
  • Following written contingency plans to address breaches of safeguards.
  • Maintaining up-to-date firewalls particularly if the institution uses broadband Internet access or allows staff to connect to the network from home.
  • Providing central management of security tools and keeping employees informed of security risks and breaches.

GLBA Definitions

Customer information is any record containing non-public personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates. GLBA applies to customer information obtained in a variety of situations, including:

  • Information provided to obtain a financial product or service;
  • Information about a customer resulting from any transaction involving a financial product or service between the institution and customer;
  • Information otherwise obtained about a customer in connection with providing a financial product or service to the customer.

Non-Public Personal Information means personally identifiable financial information that is:

  • Provided by a consumer to a financial institution;
  • Resulting from any transaction with the consumer or any service performed for the consumer; or
  • Otherwise obtained by the financial institution.

The term also includes any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available.

Examples of Non-Public Personal Information (NPI) include:

  • Social Security Number (SSN)
  • Financial account numbers
  • Credit card numbers
  • Date of birth
  • Name, address, and phone numbers when collected with financial data
  • Details of any financial transactions


What is the main purpose of the Gramm-Leach-Bliley Act?

The GLBA's purpose was to remove legal barriers preventing financial institutions from providing banking, investment and insurance services together.

What are the three main security goals of the Gramm-Leach-Bliley Act?

  • Protect the security and confidentiality of Covered Data;
  • Protect against anticipated threats or hazards to the security or integrity of Covered Data; and
  • Protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Customer.

What disclosures are required by the Gramm-Leach-Bliley Act?

The regulation requires a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers).

What are the two significant parts of the Gramm-Leach-Bliley Act?

The GLBA requires companies that qualify as “financial institutions” to take several affirmative steps in order to prevent the unauthorized collection, use, and disclosure of NPI. It imposes these obligations under two “Rules”: (i) the Privacy Rule, and (ii) the Safeguards Rule.