GUIDELINE B-090

SUBJECT: Safeguarding of Customers’ Nonpublic Financial Information (Gramm-Leach-Bliley Act)

Federal law requires that financial institutions, the definition of which includes the Tennessee Board of Regents and its institutions, comply with the Gramm-Leach-Bliley Act and, in so doing, safeguard the confidentiality of nonpublic financial information of its constituents. This guideline is issued to aid Tennessee Board of Regents institutions in drafting Information Security Programs to comply with the Federal Trade Commission’s “Standards for Safeguarding Customer Information” Rule promulgated under the authority of the Gramm-Leach-Bliley Act. 

I. DEFINITIONS

As used in this guideline the following terms shall mean:

  1. Customer is defined as a consumer who has a customer relationship with a financial institution.  A consumer means an individual (or that individual’s legal representative) who obtains or has obtained a financial product or service from a financial institution that is used primarily for personal, family, or household purposes. 

B.     Nonpublic financial information is any record that an institution obtains from a customer in the process of offering a financial product or service, or such information provided to the institution by another financial institution. The term nonpublic financial information means any information: (1) (a) that a student or other third party provides in order to obtain a financial service from the institution; (b) about a student or other third party resulting from any transaction with the institution involving a financial service; or (c) otherwise obtained about a student or other third party in connection with providing a financial service to that person, and (2) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

C.    Offering a financial product or service includes, but is not limited to, offering / processing student loans; granting emergency or long term loans to students or employees; receiving income tax information from a student’s parent when offering a financial aid package; offering career counseling services to individuals who seek employment at financial institutions; and management consulting activities on any subject to a financial institution and on financial, economic, accounting, or audit matters to any company. 

D.    Financial Institution refers to any institution the business of which is significantly engaged in financial activities, which may include but are not limited to, extending credit and servicing loans; lending, exchanging, transferring, investing for others, or safeguarding money or securities; insuring, guaranteeing, or indemnifying against loss harm, damage, illness, disability, or death. The FTC has classified institutions of higher education as financial institutions for purposes of compliance with the Gramm-Leach-Bliley Act’s safeguarding rule as such institutions process student loans.

 

 

E.      Service Providers refers to all third parties who, in the ordinary course of institutional business, are provided access to customers’ covered data and information.  Service Providers may include, but are not limited to, business retained to store, transport, and / or dispose of covered data; collection agencies; and technology systems support providers.

II. PURPOSE

This guideline explains the procedure by which Tennessee Board of Regents institutions must develop a comprehensive written Information Security Program (the “Program”) as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule. An institution’s Program must include the components described below pursuant to which the institution intends to: (i) protect the security and confidentiality of customers’ nonpublic financial information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. 

 

The Program may consist of existing institutional policies and procedures that are incorporated by reference into the Program, including but not limited to policies such as, computer / electronic records confidentiality policies, Family Educational Rights & Privacy Act policies, employee / personnel records confidentiality policies, etc.

III. SCOPE OF PROGRAM:  NONPUBLIC FINANCIAL INFORMATION

The Program shall apply to any paper or electronic record maintained by an institution that contains nonpublic financial information about an individual or a third party who has a relationship with the institution. Such nonpublic financial information shall be kept confidential and safeguarded by the institution, its affiliates and service providers pursuant to the provisions of the Program.

IV. REQUIREMENTS OF AN INFORMATION SECURITY PROGRAM

A.     PROGRAM COORDINATOR

 

The institution’s Security Information Program must include the designation of a Program Coordinator (“Coordinator”) who shall be responsible for implementing the Program.  The Coordinator may be a single employee as designated by the Program.  In the alternative, the Program may designate several employees as Coordinators such that one employee serves as the institution’s primary Coordinator who works in conjunction with departmental Coordinators who are responsible for oversight of safeguarding records in their departments in accordance with the institution’s Program.

 

 

 

 

The Coordinator shall, at a minimum, perform the following duties:

 

  1. consult with the appropriate offices to identify units and areas of the institution with access to customers’ nonpublic financial information and maintain a list of the same;
  2. assist the appropriate offices of the institution in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customers’ nonpublic financial information and make certain that appropriate safeguards are designed and implemented in each office and throughout the institution to safeguard the protected data;
  3. work in conjunction with the institution’s contract officer(s) to guarantee that all contracts with third party service providers that have access to and maintain nonpublic financial information of the institution’s customers include a provision requiring that the service provider comply with the GLBA safeguarding rule;
  4.  work with responsible institutional officers to develop and deliver adequate training and education for all employees with access to customers’ nonpublic financial information; and
  5. periodically evaluate and monitor the effectiveness of the current safeguards for controlling security risks by periodically verifying that the existing procedures and standards delineated in the Program are adequate.

 

B.    SECURITY AND PRIVACY RISK ASSESSMENTS

 

The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise of such information, and assess the sufficiency of any safeguards in place to control those risks. Risk assessments should include consideration of risks in each office that has access to customers’ nonpublic financial information. The GLBA requires that the risk assessment section of the Program must, at a minimum, include consideration of the risks in the following areas.

 

  1. Employee training and management. A GLBA employee training program shall be developed by the Coordinator in conjunction with the human resources office and legal counsel, if necessary, for all employees who have access to individuals’ nonpublic financial information, such as information technology / systems employees and those employees who use such data as part of their essential job duties. The training shall occur on a regular basis, as deemed appropriate by the Coordinator, and it shall include education on relevant policies and procedures and other safeguards in place or developed to protect nonpublic financial information. 
  2. Safeguards of information systems / technology processing, storage, transmission and disposal (including network and software design). Programs should include safeguards so that network and software systems are reasonably designed to limit the risk of unauthorized access to nonpublic financial information. 
  3. Methods to detect, prevent, and respond to attacks, intrusions, or other system failures. 

 

 

 

 

C.        IMPLEMENTATION OF SAFEGUARDS

 

The Program must include information regarding the design and implementation of information safeguards to control the risks identified through the risk assessment described in the previous component, “B. SECURITY AND PRIVACY RISK ASSESSMENTS.” The Program shall also include methods to regularly test or otherwise monitor the effectiveness of the safeguarding procedures.  The Program’s monitoring may include technology system checks, reports of access to technology systems, and audits. 

 

D. OVERSIGHT OF SERVICE PROVIDERS AND CONTRACTS

 

The GLBA requires institutions to take reasonable steps to select and retain third party service providers that are capable of complying with the GLBA by maintaining appropriate safeguards for the customer information to which they have access. The GLBA requires that the institution’s current and potential service providers that have access to customers’ nonpublic financial information maintain sufficient procedures to detect and respond to security breaches. The Program must include a reference to the institution’s duty to require, by contract, that all applicable third party service providers implement and maintain appropriate GLBA safeguards for customers’ nonpublic financial information. 

 

E.  EVALUATION AND REVISION OF PROGRAM

 

The GLBA mandates that an institution’s Program be subject to periodic review, evaluation, and adjustment. The Program must include a plan by which it will be evaluated on a regular basis and a method to revise the Program, as necessary, for continued effectiveness.  

 

V.  ASSESSMENT OF THE INFORMATION SECURITY PROGRAM

 

The Coordinator, in conjunction with the appropriate administrators, shall assess the effectiveness of the Program annually.  The Coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the institutional organization that may affect the implementation and effectiveness of the Program.

VI.  PUBLICATION OF THE INFORMATION SECURITY PROGRAM 

To promote uniform compliance with the Program by all personnel employed by TBR institutions and to achieve the institution’s duty to safeguard the confidentiality of customers’ nonpublic financial information, the institution shall, at a minimum, display and disseminate the Program in accordance with the institution’s standard distribution methods. The institution’s current Program shall be available upon request for review and copy at all times.

Source:  November 5, 2003