GLBA Training Program Resources

Overview

This article is provided as part of the University of Oregon's compliance program and provides supplementary information about the Gramm-Leach-Bliley Act (GLBA) to individuals who may process GLBA regulated data.

For more information on the GLBA Compliance program please contact the Information Security Risk and Compliance team by sending an email to isrc@uoregon.edu.

What is GLBA?

  • The Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, is a comprehensive federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.
  • The Federal Trade Commission (FTC) enforces compliance with GLBA.
    • The FTC may bring an administrative enforcement action against any financial institution for non-compliance with the GLBA.
  • The University of Oregon (UO) provides financial services to student customers. As such, UO falls within the definition of financial institution under GLBA and must comply with the law's requirements.
  • GLBA is composed of several parts of regulation, including:

GLBA Privacy Rule

According to the FTC, colleges or universities that are in compliance with the Federal Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g) and are also financial institutions shall be deemed to be in compliance with GLBA’s Privacy Rule (16 CFR 313.1).

At the UO, the Office of the Registrar handles FERPA compliance; more information may be found by visiting their Student Records Privacy Policy page.

GLBA Safeguards Rule

Unlike the Privacy Rule, the Safeguards Rule carries no similar FTC exception for higher education institutions. Therefore, UO must comply with the Safeguards Rule.

  • The objectives of the Safeguards Rule are to:
    • Ensure the security and confidentiality of customer information;
    • Protect against any anticipated threats or hazards to the security or integrity of such information; and
    • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The Safeguards Rule requires all financial institutions to develop an information security program designed to protect customer information. The information security program must include:

  1. A designated staff person to oversee the program.
    • UO has identified a GLBA Program Manager.
  2. Identification and assessment of risks to covered data.
    • The GLBA Program Manager works with the Information Security Office (ISO) and Safety and Risk Services (SRS) to identify risks to UO data.
  3. Design and implementation of safeguards.
    1. UO has implemented an Information Security Program.
    2. Data is classified according to the Information Asset Classification & Management Policy.
      • Data regulated by GLBA has been classified as high risk, or red data, at UO.
      • The university uses the UO ID (also referred to as the 95#) as a unique identifier in many business transactions. The UO ID is classified as moderate risk, or amber data, according to the Data Security Classification Table.
    3. The Minimum Information Security Controls Standard details the controls required to be implemented in all university IT systems.
      • Encryption is required for all devices processing GLBA covered data.
      • All UO devices that process, transmit, or store covered data have been enrolled in the Vulnerability Management Program.
  4. Periodic evaluation and, if necessary, adjustment of the information security program as needs and business change.
    • ISO and the GLBA Program Manager meet quarterly to review and update the GLBA Compliance Program.
  5. Training is provided to faculty, staff, and administrators identified as handling covered data.
    • Educational simulated phishing tests are included as a part of this training.
  6. Ensuring that third-party contracts include language designed to protect covered data.
  7. Revise and update the Information Security Program.
    • ISO and the GLBA Program Manager regularly review and modify the program to ensure that it stays current.
  8. Incident Response Plans and Procedures.
    • The university has a documented IT Incident Response Plan to address possible responses to incidents affecting GLBA regulated data.
      • The plan includes:
        • Detection tools that readily identify cyber-attacks or system anomalies.
        • Documented procedures to investigate and respond to cyber threats.
        • Tabletop exercises to prepare for commonly identified threats.
        • Incident response after-action reports that contain key information about the incident and next steps.
        • Reporting requirements.
        • Documented procedures on when and how to notify impacted users.
  9. Annual Report
    • The Program Manager reports the program status at least annually to program sponsors, financial aid leadership, and the ISO.

GLBA Compliance Program

In essence, compliance means following the laws, external regulations, and policies to which the university is subject. To meet the demands listed above that GLBA places on financial institutions, the University of Oregon has enacted a compliance program, using the Information Security Policy, to reduce risk to university community information protected by GLBA. The Office of General Counsel, in partnership with the Qualified Individual, determines which job roles fall within the scope of GLBA compliance. The program is focused on protecting “Covered Data”, which means:

  • Personally Identifiable Information (PII), and;
  • Customer Financial Information

While this program is ongoing and practices the principles of continuous improvement, the program is reviewed periodically, at least annually. The program is adjusted based on findings from recent risk assessments and on any material changes to business operations, arrangements, or other circumstances which may reasonably have an impact on compliance.

As part of the GLBA Compliance Program, who must complete training?

Individuals who process or have access to GLBA covered data must take this training. Generally speaking, any employee, faculty member, or staff member who processes customer information, including financial aid and student billing data, must take this training. Please talk to your supervisor or top-level administrator if you have questions about whether or not your position handles GLBA data.

If you are a supervisor or top-level administrator and have questions about whether or not GLBA applies to your department, please email isrc@uoregon.edu.

What is included in GLBA training?

GLBA training includes:

  • An introductory email
    • The email contains a short welcome note and directions on how to access the training platform.
  • Interactive or video training module(s) on key cybersecurity topics such as preventing business email compromise, phishing, creating strong passwords, and securing sensitive data.
  • A resource page (this page) with an overview of how GLBA compliance is achieved at UO.

What training is required for GLBA?

Under the Interagency Guidelines Establishing Information Security Standards (Security Guidelines), issued by the FTC, financial institutions are required to:

  • Train staff to prepare and implement its information security program.
  • Consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

Recommended training includes:

  • How to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling;
  • How to secure data and computers, especially for staff members responsible for building or maintaining computer systems and local and wide-area networks; and
  • How to properly dispose of customer information.

Furthermore,

  • The UO has implemented required training programs to ensure faculty, staff, and administrators who handle covered data receive appropriate training.
  • All training programs utilize concepts that apply to covered paper-based and electronic data.
  • Department and unit supervisors keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance.
  • Background checks are conducted according to university policy.
  • The Qualified Individual ensures that assigned training is completed annually.

Additional Resources

Glossary

  • Covered Data means customer financial information, specifically non-public personal information (NPI).
  • Customer means any individual (student, parent, faculty, staff, or other third party with whom the university interacts) who receives a financial service from the university for personal, family, or household reasons that results in a continuing relationship with the university.
  • Financial Institution means any institution the business of which is engaging in financial activities.
  • Non-Public Information (NPI) means any personally identifiable financial information a customer provides to obtain a financial service or product. NPI is personally identifiable financial information that is provided to the UO by a customer or is obtained when the UO offers or delivers a financial product or service to an individual. The definition includes any list, description, or other grouping of customers that was derived using NPI. Examples of NPI include Social Security Number (SSN), credit card and bank account numbers, income and credit history, and information derived from an application for financial aid.
  • Information Security Program means the administrative, technical, or physical safeguards used by a financial institution to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer financial information. More information is available in the UO Information Security Program Policies, Procedures, and Standards article.


Details

Article ID: 140391
Created
Wed 1/19/22 4:49 PM
Modified
Fri 7/26/24 4:39 PM