Wesleyan University Gramm-Leach-Bliley Act (GLBA)

Question and Answer

  • What is the law?
    • The law is the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB). It regulates the disclosure of non-public personal information by financial institutions. Institutions of higher education (IHEs) fall within the law's definition of "financial institutions" because they engage in financial activities, such as offering Federal Perkins Loans.
  • What does the law require of IHEs?
    • IHEs must have a written information security program. Its purposes are threefold:
      1. To insure the security and confidentiality of customer information;
      2. To protect against any anticipated threats or hazards to the security or integrity of such information; and
      3. To protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
  • Who is a customer?
    • A customer is defined as a consumer who has a customer relationship with you.  A consumer means an individual who obtains or has obtained a financial product or service from you that is used primarily for personal, family, or household purposes, or that individual's legal representative.[4] This would include a student who obtained a loan from the school or parents who sent in income tax information in connection with their child's application for a financial aid package.

      However, because it makes little practical sense to safeguard only the records of students who have obtained loans from the university, and because other laws such as FERPA impose their own obligations, most IHEs will adopt a comprehensive security program covering all such records. In the same vein, if you are protecting customer credit card information under the law, it makes sense to apply the same security controls to all credit card information held by the IHE.

      The law covers both paper and electronic copies of information. The safeguarding provision applies not only to all such information about persons with whom the university has a customer relationship, but also to information about customers of other financial institutions that those institutions have provided to the university.

  • What is customer information?
    • In a general sense, customer information is information typically gathered in connection with providing a financial product or service, and includes names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.[5]
  • What is a financial product or service?
    • The term financial product or service is defined as "any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956."

      Regulation Y, which is permissive and therefore not a very apt vehicle for defining what GLB requires, includes the activities that we all agree are subject to GLB, like making student or faculty loans, as well as some oddities that may also be applicable to colleges and universities, like career counseling services to individuals who seek employment at financial institutions, and management consulting activities on any subject to a financial institution and on financial, economic, accounting, or audit matters to any company (which might apply to business school practicum programs).*

      The FTC has agreed to work with the higher education community in defining how GLB applies to colleges and universities.

  • What is the time frame?
    • The May 2002 regulations under this law require that the IHE have an information security program in place by May 23, 2003. The program has a number of components, which are addressed below. As long as the written plan (or a fairly comprehensive draft of it) is in place by May 23, 2003 and implementation has begun, the university would seem to be exposed to minimal liability even if employee training is not completed by that date.
  • What are the general components of the program?
    • IHEs must develop, implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards appropriate to the school's size and complexity, the nature and scope of the IHE's activities, and the sensitivity of the customer information at issue. The written program does not have to be a single document; it can be a combination of policies (some perhaps already in existence) that together constitute a comprehensive program. Review your existing policies and identify where the gaps are.
  • Didn't universities get an exemption from this law?
    • Institutions of higher education, while not exempt from the definition of "financial institutions," are generally excluded from the requirement to comply with the GLB privacy policy regulations as long as the institution complies with the Family Educational Rights and Privacy Act. IHEs are not exempt from the safeguards requirements of the law. The final rules on the safeguarding program came out in May 2002.

      * This answer on financial product or service provided courtesy of Jeff Swope, Palmer and Dodge, LLP

Additional Questions

Schools are deemed in compliance with the privacy rule (but not the safeguarding rule) if they are in compliance with FERPA. If a school is engaged in an activity that exceeds the bounds of FERPA, the easier fix is likely to bring that activity into compliance with FERPA, rather than attempting to parse how the GLB privacy rule would apply to a non-FERPA compliant activity.
  • Is information gathered from alumni covered under the GLBA?
    • If alumni are not receiving a financial product or service as defined in the regulation, then their information is not subject to the safeguarding rule. As a matter of policy, schools may nonetheless choose to include alumni information they have on file among the information that will be safeguarded.

      Conventional credit cards issued to students by the university are covered by the safeguarding rule, but affinity credit cards are not: if the university is only putting its name on the card and is not actually extending the credit, the data collected is not covered by the GLB safeguarding rule.

  • What type of employee training is required under the GLBA?
    • Training for employees should focus less on what GLB is and what it requires, and more on standard safeguarding practices, such as common rules for handling passwords, and on the security program the institution is choosing to implement.