#133.1 - Safeguarding Consumer Information
Approved: May 23, 2003
Purpose: This policy implements the Gramm-Leach-Bliley Act (GLBA) (PL 106-102) and the associated Rule on Standards for Safeguarding Consumer Information (16 CFR 314).
Scope: This policy applies to the handling of any record in the possession of the University that contains personally identifiable financial information of either a customer of the University or a customer of another financial institution that has provided the information to the University.
Objectives: The objectives of this policy are to (1) insure the security and confidentiality of customer information, (2) protect against any anticipated threats or hazards to the security or integrity of such information, and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
- “Customer information” means any record containing nonpublic personal information about a customer of the University, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the University or its affiliates.
- “Nonpublic personal information” means (a) personally identifiable financial information and (b) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
- “Personally identifiable information” means any information (a) a consumer provides to the University in order to obtain a financial product or service from the University, (b) about a consumer resulting from any transaction involving a financial product or service between the University and a consumer, or (c) the University otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
Information Security Program:
- The information security program (ISP) consists of the applicable Internal Governing Policies (IGP) covering privacy rights, information technology, financial transactions, and Family Educational Rights and Privacy Act (FERPA) and associated procedures.
- The Vice-President for Student Affairs (VPSA) and the Vice-President for Business Affairs (VPBA) or their respective designees shall coordinate the ISP.
- The VPSA and VPBA shall insure that a periodic risk assessment is performed to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alternation, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks.
- The risk assessment shall include consideration of risks in each relevant area of University operations, including (a) employee training and management; (b) information systems including network and software design, as well as information processing, storage, transmission, and disposal; and (c) detecting, preventing and responding to attacks, intrusions, or other systems failures.
- The VPSA and VPBA shall design and implement information safeguards to control any risks identified through the risk assessment and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- The VPSA and VPBA shall evaluate and adjust the ISP as a result of: (a) testing and monitoring the ISP; (b) any material changes to the University operations or business arrangements; or (c) any other circumstances that are know or reasonably should have been known to have a material impact on the University’s ISP.
- The VPSA and VPBA oversee service providers by (a) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the University’s customer information and (b) require service providers by contract to implement and maintain such safeguards.
State Law: For the purposes of the IGP and the implementation of the GLBA, any statute, regulation, order, or interpretation that provides any person greater protection, as ultimately determined by the Federal Trade Commission (FTC), shall take precedence.