Policy 07:19:00 Protection of Consumer Information Under the Gramm Leach Bliley Act

Revision Responsibility: Coordinator of IT Services

Responsible Executive Office: Chief Financial Officer

Purpose:

The purpose of this policy is to describe Platt College's policies and procedures for complying with the specific requirements set forth in the federal Gramm-Leach-Bliley Act (GLB Act). This policy describes how the College protects information specifically covered under the GLB Act.

Summary of Requirements of GLB Act:

The GLB Act requires “Financial Institutions,” defined below, including colleges, to protect non-public personal information that is collected from an individual who obtains or has obtained a financial product or service from the institution for personal, family or household purposes.

Financial products or services offered by Platt and covered by the GLB Act include student loans

Examples of information that would require protection include tax returns, Social Security numbers or other non-public or personal information that is collected for purposes of providing these services.

The safeguarding regulations of the GLB Act (“Safeguards Rule”) require that covered institutions, such as USC, develop, implement and maintain a comprehensive information security plan that includes administrative, technical and physical safeguards to protect the information covered by the GLB Act. The plan must describe how USC protects customer information.

Definitions:

Covered Data and Information

  • Student financial information required to be protected under the Gramm‐Leach‐ Bliley Act (GLB). In addition to this coverage which is required by federal law, Platt College chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the college, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Student Financial Information

  • Information Platt College has obtained from a student in the process of offering a financial product or service, or such information provided to the college by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student/student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Financial Institution

An institution significantly engaged in financial activities, which include:

  • lending, exchanging, transferring, investing for others, or safeguarding money or securities. These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders.
  • providing financial, investment or economic advisory services. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors.
  • brokering loans.
  • servicing loans.
  • debt collecting.
  • providing real estate settlement services.
  • career counseling (of individuals seeking employment in the financial services industry).

Financial Product or Service

A financial product or service covered under the GLB Act includes the following:

  • offering student, faculty or staff loans;
  • making, acquiring, brokering, or servicing loans or other extensions of credit;
  • real estate and personal property appraising;
  • arranging commercial real estate equity financing;
  • collection agency services; and
  • credit bureau services.

Consumer

Someone who obtains or has obtained a financial produce or service from a financial institution that is to be used primarily for personal, family or household purposes, or that person’s legal representative. Examples include:

  • making a wire transfer; or
  • applying for a loan, whether or not the individual actually obtains the loan.

Customer

Customers are consumers who have a continuing relationship with a financial institution. Examples include:

  • opening a credit card account with a financial institutions; or
  • using the services of a mortgage broker to secure financing.

Non-Public Personal Information

Any personal identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. Examples include:

  • any information an individual gives to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
  • any information received about an individual from a transaction involving an institution’s financial product(s) or service(s) (for example, the fact that an individual is a consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
  • any information received about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

Policy:

Platt College complies with the Safeguards Rule in accordance with the GLB Act, which includes:

  • Designating the Coordinator of IT as the College employee to coordinate oversight over safeguards;
  • Identifying “reasonably foreseeable” internal and external risks to the security and confidentiality of student information that could lead to unauthorized disclosure, use, alteration, destruction or other compromise of such information and “assess the sufficiency” of the College’s safeguards in place to control these risks.
    Such risk assessment must include, at a minimum, risks in areas of operation such as:
    • Employee training,
    • Information systems, and
    • detecting, preventing, and responding to attacks against the College’s systems;
  • Implementing safeguards to manage the identified risks and regularly test or monitor such safeguards;
  • Overseeing the College’s service providers by:
    • Selecting and retaining service providers that are capable of maintaining appropriate safeguards for student and employee information at issue, and
    • Requiring service providers to implement and maintain such safeguards; and
  • Evaluating and adjust the College’s security program in light of such risk assessment, any material change to College business operations or any other circumstances that may have a material impact on the College’s information security program.

Employee Designation

The Coordinator of IT is responsible for day-to-day management and oversight of the  Safeguards Rule of the GLB Act. The following offices will specifically assist in protecting data covered by the GLB Act:

  • President
  • Chief Financial Officer
  • Director of Financial Aid
  • Admissions and Marketing Coordinator
  • Registrar

Each of these offices continues to implement security procedures to comply with the GLB Act.

Training

Since 2015, College employees who have access to customer information undergo a background check prior to hire.

All individuals who access student education records must complete a training program regarding the Family Educational Rights and Privacy Act (FERPA) before they are provided access to systems that maintain this information.

The requirements of the Safeguards Rule are incorporated into annual FERPA training that all College employees complete annually.

Procedures:

Incident Reporting

Incidents of actual or suspected security breaches must be reported immediately to the Coordinator of IT Services, Mark Finken at 303.369.5151 ext 241.

All incidents of security breaches should be reported to [email protected] with the (a) date of breach, (b) impact of breach, (c) method of breach, (d) information security program point of contact, and (e) remediation status including next steps. The Education Security Operations Center (ED SOC) may be reached at 202-245-6550 (24/7).

Implementing Safeguards

Platt College has several formal policies and procedures that address information security of the data covered by the GLB Act as well as consequences for failing to maintain the confidentiality of certain information, including:

Platt College incorporates the following safeguards, as appropriate:

  • Locking rooms and file cabinets where paper records are kept,
  • Ensure that storage areas are protected against destruction or potential damage from physical hazards,
  • Using strong passwords,
  • Storing electronic information on a secure server,
  • Maintain secure backup media and keep archived data secure,
  • Changing passwords periodically,
  • Referring calls or other requests for student information to designated individuals who have had appropriate training for addressing such requests,
  • Disposing of student information in a secure manner, such as shredding or erasing data when disposing of computers and recycling,
  • Including confidentiality provisions in envelopes

Monitoring and Auditing

Compliance with the GLB Safeguards Rule shall be monitored regularly.  The Coordinator of IT Services will conduct periodic internal audits to ensure compliance with federal and state laws and regulations as well as College policy.

Resources

Federal Trade Commission:
http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html

U.S. Senate Committee on Banking, Housing and Urban Affairs: Information Regarding the Gramm-Leach-Bliley Act of 1999
http://www.senate.gov/~banking/conf/

Created in new format: June 1, 2018

Return to Operations and Facilities Policies and Procedures