The Gramm-Leach-Bliley Act (GLBA), administered by the Federal Trade Commission (FTC), requires financial institutions such as Longwood University to establish policies and procedures for the privacy and safeguarding of customer financial information. The FTC has ruled that higher education institutions complying with the Family Educational Rights and Privacy Act (FERPA) satisfy the privacy requirement of the GLBA, but not the safeguard requirement. In accordance with the safeguard component, this policy describes the University's plan to:
- Ensure the security and confidentiality of records;
- Protect against the unauthorized threats and hazards to the security of such records; and
- Protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
This policy provides documented evidence of our effort to comply with the FTC's safeguard requirements. It also serves to provide our customers with the confidence that the University is taking adequate steps to protect their information and to minimize loss in the event of a security breach.
- Customer (Consumer): An individual who has applied for and/or obtained a financial service or product from Longwood University intended for personal or household use. Students and students' parents may be customers.
Non-Public Financial Information: Any paper or electronic record containing non-public personal financial information about a customer that the University manages. Such information includes any personally identifiable information provided by students or others in order to obtain a financial product or service from the University such as loan applications, bank and credit card numbers, account histories, Social Security numbers and related consumer information.
It shall be the policy of Longwood University to manage customers' nonpublic financial information as confidential records. Longwood University provides appropriate procedures to protect such customer financial information against reasonable threats and hazards and unauthorized access or use of such records that could result in substantial harm or inconvenience to customers. This policy shall be known as the Longwood University Customer Information Security Policy.
- Responsible Party: The Vice President of Administration and Finance is designated as the Program Officer responsible for overseeing the Customer Information Security Policy. The Program Officer may designate other representatives of the University to oversee and coordinate particular elements of the program. Any questions regarding the implementation of the plan or the interpretation of this document should be directed to the Program Officer.
No Third-Party Rights: While this policy/program is intended to promote the security of information, it does not create any consumer, customer, or other third-party rights or remedies, or establish or increase any standards of care that would otherwise not be applicable.
IV. COMPLIANCE CONTROLS
- Risk Analysis: University departments must complete a business impact analysis/risk assessment at least once every three years. This process helps individual units within the University identify any potential risks to their information and determine what possible safeguards are needed. For a highly exposed office that deals with data described in the Gramm-Leach-Bliley Act, it may be appropriate to carry out the risk analysis process every year, or at least review the document annually to include any changes. (www.longwood.edu/infosec)
- Securing Information: Departments will assess the safeguards they have in place to protect not only customer information, but also all confidential University data. Department heads will appoint a trusted and knowledgeable employee to oversee their individual safeguarding programs. Specific safeguarding practices that departments must assess and implement, if applicable, include:
- Maintaining physical security by locking rooms and file cabinets where customer and sensitive information is stored. Ensuring windows are locked and using safes when practicable for especially sensitive data such as credit card information, checks, and currency;
- Maintaining adequate key control and limiting access to sensitive areas to those individuals with appropriate clearance who require access to those areas as result of their job;
- Securing the personal work area to discourage casual viewing of customer data by unauthorized individuals;
- Using and frequently changing passwords to access automated systems that process sensitive information;
- Using firewalls and encrypting information when feasible;
- Referring calls and mail requesting customer information to those individuals who have been trained in safeguarding information;
- Shredding and erasing customer information when no longer needed in accordance with unit policy;
- Encouraging employees to report suspicious activity to supervisors and law enforcement authorities;
- Ensuring that agreements with third-party contractors contain safeguarding provisions and monitoring those agreements to oversee compliance.
- Training: Departments shall ensure that all new and existing faculty and staff members, including student workers who are involved in activities covered under the Act, receive the safeguarding training provided by Human Resources and Information Technology. A written statement will be signed by each faculty and staff member, and student workers attesting to the following: he or she received training; is aware of University and departmental information policies and guidelines; and is aware of the importance the University places on safeguarding information. These documents will be maintained as proof of the University's compliance with the training requirement under GLBA.
Training will, at a minimum, encompass the nine "Securing Information" items listed above in Section B. An annual refresher will be mandatory.
- Monitoring and Detection: Responsible departmental personnel must continually assess the vulnerabilities of their electronic as well as paper-based systems. The Information Security Office, as well as Internal Audit Services, is available to assist in assessing the efficacy of the existing safeguards and in proposing improvements.
- Managing System Failures: The University acknowledges that no system is flawless. Nevertheless, immediate steps shall be taken to correct any security breach. Each department will attempt to identify its risk areas and document an acceptable plan of action should a breach occur. Departments must immediately report significant failures of their safeguarding system to the department manager and technical support staff. These individuals, in turn, can contact Administrative Information Systems personnel, University Support Services, or the Information Security Office if the problem involves security issues that go beyond the other groups. Affected customers may also need to be notified after the department consults with the appropriate areas within the University. Examples of significant failures would include a successful hacking effort, a burglary, or impersonations leading to the defrauding of customers.
- Notification to Customers: The Program Officer shall also notify the University Registrar of Longwood's adherence to this program so that a compliance notification may be furnished to all students at the same time the University Registrar makes official notice of compliance with the Family Educational Rights and Privacy Act (FERPA).
- References: The following policies and guidelines supplement and help to create a comprehensive information security plan. Referral and adherence to these documents is imperative to overall protection of customer information. The following documents are incorporated by reference into the plan.
- IITS Policies
Approved by the Board of Visitors, September 11, 2004.