SUBJECT: Safeguarding of Customers’ Nonpublic Financial Information (Gramm-Leach-Bliley Act)
Federal law requires that financial institutions, a definition which includes the Tennessee Board of Regents and its institutions, comply with the Gramm-Leach-Bliley Act and, in so doing, safeguard the confidentiality of the nonpublic financial information of their constituents. This guideline is issued to aid Tennessee Board of Regents institutions in drafting Information Security Programs that comply with the Federal Trade Commission’s “Standards for Safeguarding Customer Information” Rule promulgated under the authority of the Gramm-Leach-Bliley Act.
I. DEFINITIONS
As used in this guideline the following terms shall mean:
B. Nonpublic financial information is any record that an institution obtains from a customer in the process of offering a financial product or service, or such information provided to the institution by another financial institution. Specifically, the term means (1) any information (a) that a student or other third party provides in order to obtain a financial service from the institution; (b) about a student or other third party resulting from any transaction with the institution involving a financial service; or (c) otherwise obtained about a student or other third party in connection with providing a financial service to that person; and (2) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
C. Offering a financial product or service includes, but is not limited to, offering / processing student loans; granting emergency or long term loans to students or employees; receiving income tax information from a student’s parent when offering a financial aid package; offering career counseling services to individuals who seek employment at financial institutions; and management consulting activities on any subject to a financial institution and on financial, economic, accounting, or audit matters to any company.
D. Financial Institution refers to any institution the business of which is significantly engaged in financial activities, which may include, but are not limited to, extending credit and servicing loans; lending, exchanging, transferring, investing for others, or safeguarding money or securities; and insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death. The FTC has classified institutions of higher education as financial institutions for purposes of compliance with the Gramm-Leach-Bliley Act’s Safeguards Rule because such institutions process student loans.
E. Service Providers refers to all third parties who, in the ordinary course of institutional business, are provided access to customers’ covered data and information. Service Providers may include, but are not limited to, businesses retained to store, transport, and / or dispose of covered data; collection agencies; and technology systems support providers.
II. PURPOSE
This guideline explains the procedure by which Tennessee Board of Regents institutions must develop a comprehensive written Information Security Program (the “Program”) as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule. An institution’s Program must include the components described below pursuant to which the institution intends to: (i) protect the security and confidentiality of customers’ nonpublic financial information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
The Program may consist of existing institutional policies and procedures that are incorporated by reference into the Program, including but not limited to computer / electronic records confidentiality policies, Family Educational Rights & Privacy Act policies, employee / personnel records confidentiality policies, etc.
III. SCOPE OF PROGRAM: NONPUBLIC FINANCIAL INFORMATION
The Program shall apply to any paper or electronic record maintained by an institution that contains nonpublic financial information about an individual or a third party who has a relationship with the institution. Such nonpublic financial information shall be kept confidential and safeguarded by the institution, its affiliates and service providers pursuant to the provisions of the Program.
IV. REQUIREMENTS OF AN INFORMATION SECURITY PROGRAM
A. PROGRAM COORDINATOR
The institution’s Information Security Program must include the designation of a Program Coordinator (“Coordinator”) who shall be responsible for implementing the Program. The Coordinator may be a single employee as designated by the Program. In the alternative, the Program may designate several employees as Coordinators, such that one employee serves as the institution’s primary Coordinator and works in conjunction with departmental Coordinators who are responsible for oversight of safeguarding records in their departments in accordance with the institution’s Program.
The Coordinator shall, at a minimum, perform the following duties:
B. SECURITY AND PRIVACY RISK ASSESSMENTS
The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control those risks. Risk assessments should include consideration of risks in each office that has access to customers’ nonpublic financial information. The GLBA requires that the risk assessment section of the Program must, at a minimum, include consideration of the risks in the following areas.
C. IMPLEMENTATION OF SAFEGUARDS
The Program must include information regarding the design and implementation of information safeguards to control the risks identified through the risk assessment described in the previous component, “B. SECURITY AND PRIVACY RISK ASSESSMENTS.” The Program shall also include methods to regularly test or otherwise monitor the effectiveness of the safeguarding procedures. The Program’s monitoring may include technology system checks, reports of access to technology systems, and audits.
D. OVERSIGHT OF SERVICE PROVIDERS AND CONTRACTS
The GLBA requires institutions to take reasonable steps to select and retain third party service providers that are capable of complying with the GLBA by maintaining appropriate safeguards for the customer information to which they have access. The GLBA requires that the institution’s current and potential service providers that have access to customers’ nonpublic financial information maintain sufficient procedures to detect and respond to security breaches. The Program must include a reference to the institution’s duty to require, by contract, that all applicable third party service providers implement and maintain appropriate GLBA safeguards for customers’ nonpublic financial information.
E. EVALUATION AND REVISION OF PROGRAM
The GLBA mandates that an institution’s Program be subject to periodic review, evaluation, and adjustment. The Program must include a plan by which it will be evaluated on a regular basis and a method to revise the Program, as necessary, for continued effectiveness.
V. ASSESSMENT OF THE INFORMATION SECURITY PROGRAM
The Coordinator, in conjunction with the appropriate administrators, shall assess the effectiveness of the Program annually. The Coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the institutional organization that may affect the implementation and effectiveness of the Program.
VI. PUBLICATION OF THE INFORMATION SECURITY PROGRAM
To promote uniform compliance with the Program by all personnel employed by TBR institutions and to fulfill the institution’s duty to safeguard the confidentiality of customers’ nonpublic financial information, the institution shall, at a minimum, display and disseminate the Program in accordance with the institution’s standard distribution methods. The institution’s current Program shall be available upon request for review and copying at all times.
Source: November 5, 2003