Overview
This article is provided as part of the University of Oregon's security awareness program. It provides supplementary information for individuals who have taken or are taking GLBA training and serves as an always up-to-date resource.
For more information on the GLBA Compliance program please email infosectraining@uoregon.edu.
What is GLBA?
- The Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, is a comprehensive federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.
- The Federal Trade Commission (FTC) enforces compliance with GLBA.
- The FTC may bring an administrative enforcement action against any financial institution for non-compliance with the GLBA.
- The University of Oregon (UO) provides financial services to student customers. As such, UO falls within the definition of financial institution under GLBA and must comply with the law's requirements.
- GLBA is composed of several parts of regulation, including:
Who must complete training?
Individuals who process or have access to GLBA-covered data must take this training. Generally speaking, any employee, faculty member, or staff member who processes customer information, including financial aid and student billing data, must take this training. Please talk to your supervisor or top-level administrator if you have questions about whether or not your position handles GLBA data.
If you are a supervisor or top-level administrator and have questions about whether or not GLBA applies to your department, please email infosectraining@uoregon.edu.
What training is required for GLBA?
Under the Interagency Guidelines Establishing Information Security Standards (Security Guidelines), issued by the FTC, financial institutions are required to:
- Train staff to prepare and implement the institution's information security program.
- Consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with the institution's information security program.
Recommended training includes:
- How to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling;
- How to secure data and computers, especially for staff members responsible for building or maintaining computer systems and local and wide-area networks; and
- How to properly dispose of customer information.
What is included in GLBA training?
GLBA training includes:
- An introductory email
  - The email contains a short welcome note and directions on how to access the training platform.
- Interactive or video training module(s) on key cybersecurity topics such as preventing business email compromise, phishing, creating strong passwords, and securing sensitive data.
- A resource page (this page) with an overview of how GLBA compliance is achieved at UO.
According to the FTC, colleges or universities that are in compliance with the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g) and are also financial institutions shall be deemed to be in compliance with GLBA's Privacy Rule (16 CFR 313.1).
At the UO, the Office of the Registrar handles FERPA compliance; more information may be found by visiting their Student Records Privacy Policy page.
For the Safeguards Rule, however, the FTC has not made a similar exception for higher education institutions. Therefore, UO must comply with the Safeguards Rule.
- The objectives of the Safeguards Rule are to:
  - Ensure the security and confidentiality of customer information;
  - Protect against any anticipated threats or hazards to the security or integrity of such information; and
  - Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The Safeguards Rule requires all financial institutions to develop an information security program designed to protect customer information. The information security program must include:
- A designated staff person to oversee the program.
  - UO has identified a GLBA Program Manager.
- Identification and assessment of risks to covered data.
  - The GLBA Program Manager works with the Information Security Office (ISO) and Safety and Risk Services (SRS) to identify risks to UO data.
- Design and implementation of safeguards.
  - UO has implemented an Information Security Program.
  - Data is classified according to the Information Asset Classification & Management Policy.
  - Data regulated by GLBA has been classified as high risk, or red, data at UO.
  - The university uses the UO ID (also referred to as the 95#) as a unique identifier in many business transactions. The UO ID is classified as moderate risk, or amber, data according to the Data Security Classification Table.
  - The Minimum Information Security Controls Standard details the controls required to be implemented in all university IT systems.
- Ensuring that third-party contracts include language designed to protect covered data.
- Periodic evaluation and, if necessary, adjustment of the information security program as needs and business change.
  - ISO and the GLBA Program Manager meet quarterly to review and update the GLBA Compliance Program.
Additional Resources
Glossary
- Covered Data means customer financial information, specifically nonpublic personal information (NPI).
- Customer means any individual (student, parent, faculty, staff, or other third party with whom the university interacts) who receives a financial service from the university for personal, family, or household reasons that results in a continuing relationship with the university.
- Financial Institution means any institution the business of which is engaging in financial activities.
- Nonpublic Personal Information (NPI) means any personally identifiable financial information a customer provides to obtain a financial service or product. NPI is personally identifiable financial information that is provided to the UO by a customer or is obtained when the UO offers or delivers a financial product or service to an individual. The definition includes any list, description, or other grouping of customers that was derived using NPI. Examples of NPI include Social Security Number (SSN), credit card and bank account numbers, income and credit history, and information derived from an application for financial aid.
- Information Security Program means the administrative, technical, or physical safeguards used by a financial institution to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer financial information. More information is available in the UO Information Security Program Policies, Procedures, and Standards article.