The Gramm Leach Bliley Act (GLBA) is a law signed in 1999, which applies to financial institutions and includes privacy and information security provisions designed to protect consumer financial data.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. GLBA also restricts the occasions in which a financial institution can disclose a consumer’s nonpublic personal information to third parties. It also gives consumers the tools that they need to fight back against improper disclosure of information.
GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions.
GLBA applies to higher education institutions, specifically to collection, storage, and use of student financial records containing personally identifiable information.
The GLBA defines, “customers,” as a any person who is provided financial services by the University. “Customer information” is defined as any record containing nonpublic personal information about a customer, as defined in 16 CFR 313.3(n), whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the University or affiliates.
Non Public Information (NPI)
GLBA defines Non Public Information (NPI) as any financial information given by a consumer to a financial institution for the purpose of obtaining a financial product.
Financial product or service
The term includes student loans, employee loans, activities related to extending credit, financial and investment advisory activities, management consulting and counseling activities, community development activities, and other miscellaneous financial services as defined in 12 CFR § 225.28.
Security Administrator & Compliance Administrator
While each department and University employee is responsible to handle all customer information in compliance with GLBA guidelines, The George Washington University has defined two specific roles related to the guidelines:
- Compliance Administrator - Associate Vice President & Data Privacy Officer
- Security Administrator - Associate Vice President, Cybersecurity, Infrastructure and Research Services
The GLBA Privacy Rule (16 CFR 313) enforces several requirements related to the handling of nonpublic personal information.
For example, financial institutions must issue an initial privacy notice to consumers as soon as they become customers of that financial institution.
Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA).
The George Washington University is subject to and complies with the requirements of The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99, as amended).
For information on University’s compliance with FERPA, visit the pages linked below:
The GLB Safeguards Rule (16 CFR 314) was promulgated in 2002 and states that financial institutions must "develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to [the Institution’s] size and complexity, the nature and scope of [the Institution’s] activities, and the sensitivity of any customer information at issue."
Thus, the GLB Safeguards Rule requires higher education institutions that collect, store, and share consumers personal financial information (i.e. bank accounts, credit cards and related information) to implement reasonable information security measures to protect against unauthorized access, use and fraud.
Under the GLB Safeguards Rule, higher education institutions are required to:
- Ensure the security and confidentiality of customer information.
- Protect against any anticipated threats or hazards to the security or integrity of such information.
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
These requirements additional to those of the Family Educational Rights and Privacy Act (FERPA).
The George Washington University has adopted information security measures relative to GLB Safeguards Rule requirements including:
- Designating an employee to coordinate an information security program.
- Identifying risks to the security of customer information (including a risk assessment of computer information systems).
- Contractually requiring service providers to implement and maintain safeguards.
- Design and implement a safeguards program, and regularly monitor and test it;
- Evaluate and adjust the safeguards program in light of relevant circumstances, including changes in the University’s business or operations, or the results of security testing and monitoring.
GW’s measures to comply with GLB Safeguards Rule include:
- The Associate Vice President of Information Security within GW Information Technology, or their designee, has been identified as the Security Administrator to evaluate and assess the security and protection of University systems and databases.
- The Associate Vice President & Data Privacy Officer within the GW Privacy Office, or the designee, has been identified as the Compliance Administrator and Data Trustee to evaluate and assess the risks of any changes made with regard to services offered, implementation of new procedures, policies or services and to make the necessary changes and/or adjustments to insure continued compliance.
- Safeguarding Customer Information
The George Washington University takes steps to protect customer information through their Information Security program. This program includes the administrative, technical, and/or physical safeguards put in place to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. The program also applies to any third-party provider which student loan data may be assigned or who may collect it on behalf of the University.
- Proper Disposal of Records, Information, and Hardware
George Washington University provides shredding services for all paper containing customer information prior to disposal.
The University also has a policy to properly dispose of electronic equipment in a manner that removes any information from that equipment consistent with the university’s commitment to information security, while protecting the general environment from the potentially hazardous materials contained in certain electronic equipment components. Computers must be completely reformatted or otherwise erased for any new use, as determined by the department, or disposal.
- Prevention and Remediation Program
In order to prevent data loss, assigned personnel will routinely test security systems for weaknesses and conduct physical security reviews of associated records.
Any violations of this program must be reported immediately. Various avenues for reporting are available and listed on the Office of Ethics, Compliance and Risk website (Reporting).