Gramm-Leach-Bliley Act (GLBA)

The College has adopted policies and procedures for the purpose of safeguarding the privacy of a category of customer information defined as non-public personal information (NPI) which it may receive pertaining to its students and employees, in compliance the Gramm-Leach-Bliley Act (GLBA or the Act), as may be amended, and with other applicable regulations (e.g. the Federal Trade Commission’s Safeguards Rule and Financial Privacy Rule).

The Federal Trade Commission (FTC) is charged with administration and enforcement of the GLBA for financial institutions not regulated by other federal banking or finance-related authorities, including institutions of higher education (IHEs). The FTC has determined that most IHEs are “financial institutions” for purposes of the GLBA because “[m]any, if not all, such institutions appear to be significantly engaged in lending funds to consumers.” 64 Fed. Reg. 33648 (May 24, 2000). In addition, the Department of Education requires IHE compliance with the Safeguards Rule by contract, under the Federal Student Aid (FSA) Program Participation Agreement.

Under the GLBA, the College is required to implement safeguards to ensure the security and confidentiality of certain NPI that is obtained when the College offers or delivers a financial product or service to an individual for personal, family, or household purposes, with particular attention to information provided to the College by the Department of Education or information obtained by the College in support of the administration of the Title IV federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended.

The College must implement an information security program that incorporates administrative, technical, and physical safeguards appropriate to its size and complexity, nature and scope of activities, and sensitivity of NPI at issue. The contents of this webpage summarize information related to this required information security program and provide links to obtain more information. Guidance relating to administrative, technical and physical security of NPI is identified in the College document entitled, Written Information Security Plan (WISP).

The objectives of the GLBA Safeguards Rule are to:

  • Ensure the security and confidentiality of customer information, including nonpublic personal information (NPI).
  • Protect against any anticipated threats or hazards to the security of such information.
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers.

To comply, a covered institution must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards appropriate to the organization’s size and complexity, nature, and scope of activities, and sensitivity of NPI at issue.

Requirements include:

  • Designating an employee(s) to coordinate the information security program.
  • Performing a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (including NPI) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assessing the sufficiency of any safeguards in place to control these risks. At minimum, the risk assessment must include consideration of risk in each relevant operational area, including:
    • Employee training and management.
    • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
    • Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
  • Implementing information safeguards to control identified risks and regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures.
  • Overseeing service providers by taking reasonable steps to select and retain providers capable of maintaining appropriate safeguards for NPI and requiring them by contract to implement and maintain such safeguards.
  • Evaluating and adjusting the information security program in light of the results of the required testing/monitoring, any material changes to operations or business arrangements, or any other circumstances that may have a material impact on the program.

NPI is any “personally identifiable financial information” that the College collects about an individual in connection with providing a financial product or service, including student financial aid and other business transactions, unless that information is otherwise “publicly available.” NPI includes:

  • any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
  • any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
  • any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

 Following are examples of NPI that may be obtained in connection with the delivery of a financial product or service:

  • Account balances
  • ACH numbers
  • Bank account numbers
  • Credit card numbers
  • Credit ratings
  • Date and/or location of birth
  • Driver’s license information
  • Income history
  • Payment history
  • Social Security numbers
  • Tax return information
  • Name, address, phone number on an application for financial aid

More information about what Nonpublic Personal Information includes and does not include can be found on the Federal Trade Commission site.

The Written Information Security Plan outlines safeguards the College follows to secure nonpublic personal information to ensure compliance with the GLBA.  Mandatory annual training in GLBA compliance, including safeguarding of NPI, is assigned to all College employees.

Organizational units that collect/maintain NPI that must be safeguarded are typically involved in the provision or servicing of student loans, other extensions of credit, and collection services.

If your department collects, processes, maintains, or otherwise handles NPI that is obtained when the College offers or delivers a financial product or service to an individual for personal, family, or household purposes, your department must comply with the GLBA Safeguards Rule. If your department accesses or maintains protected data (even if the unit does not have primary responsibility for offering the financial product or service), you must comply with the Safeguards Rule.

Following are examples of administrative, technical, and physical safeguards that should be implemented at the departmental level to protect NPI:

Administrative

  • Limit access to customer information to employees who have a business reason to see it.
  • Provide regular training and reminders to all employees of the requirement to keep customer information secure and confidential.

Technical

  • Know where sensitive customer information is stored electronically and store it securely. Make sure only authorized employees have access.
  • Take steps to ensure the secure transmission of customer information.
  • Dispose of customer information in a secure way.
  • Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information.
  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.

Physical

  • Know where sensitive customer information is stored physically and store it securely. Make sure only authorized employees have access.
  • Dispose of physical NPI through a secure shredding service.
  • Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.

The Burrell College of Osteopathic Medicine has implemented several policies and standard operating procedures (SOPs) to secure any financial nonpublic personal information that is collected and stored by the College. These policies and SOPs outline steps those at the College take to ensure all NPI safeguarding and policy compliance.