GLB: Identifying Exposures and Risks


GLB Safeguards Rule: Overview, Training and Enforcement Considerations
NACUA 43rd Annual Conference
Peter C. Cassat
Margaret O’Donnell
Scope of GLBA Safeguards Rule


The FTC’s Safeguards Rule, promulgated under
the GLBA, went into effect on May 23, 2003
and is aimed at ensuring the safeguarding and
confidentiality of customer information held in
the possession of covered financial institutions.
Unlike the FTC’s earlier GLBA Privacy Rule, the
Safeguards Rule contains no exemption for
institutions that are subject to FERPA. As a
result, educational institutions that engage in
financial institution activities, such as
processing student loans, are required to
comply with the Safeguards Rule.
General Requirements


The Safeguards Rule requires each covered
institution to develop, implement, and maintain
a “comprehensive information security
program” that is “written in one or more readily
accessible parts”, and that includes
“administrative, technical and physical
safeguards” designed to ensure the security
and confidentiality of customer records.
The Safeguards Rule expressly recognizes that
each institution’s information security program
may vary, based on its size and complexity, the
nature and scope of its activities, and the
sensitivity of the customer information at issue.
Comprehensive Written Information Security Program

In order to “develop, implement and maintain” the required written information security program, the Safeguards Rule requires each institution to carry out certain steps:
– designate one or more employees to coordinate the program;

Information Security Program Steps, cont.

– identify “reasonably foreseeable” internal and external risks to the security and confidentiality of customer information that could lead to unauthorized disclosure, use, alteration, destruction or other compromise of such information and “assess the sufficiency” of the institution’s safeguards in place to control these risks.

Information Security Program Steps, cont.

Such risk assessment must include, at a minimum, risks in areas of operation such as:
– employee training and management,
– information systems, and
– detecting, preventing, and responding to attacks against the institution’s systems;

Security Program Steps, cont.

– implement safeguards to manage the identified risks and regularly test or monitor such safeguards;
– oversee the institution’s service providers by:
  – selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and
  – requiring service providers by contract to implement and maintain such safeguards;
Ongoing Security Steps

The Safeguards Rule requires institutions to evaluate and adjust their security programs in light of the required risk assessment, any material change to institutional business operations, or any other circumstances that may have a material impact on the institution’s information security program.
Practical Considerations



The most difficult challenge under the Safeguards
Rule is identifying the scope of information covered.
It may be possible to take the position that the
Safeguards Rule applies only to information
collected or maintained in connection with the
institution’s financial institution activities – i.e.,
student financial aid related activities.
It may be difficult, however, for institutions to
segregate information that is collected in
connection with financial institution related
activities (such as Social Security numbers) from
other information maintained with respect to its
student population.
Drafting Issues

The FTC rules expressly recognize that an
institution’s information security program
may be maintained in one or more
documents. Thus, it should be possible to
incorporate existing policies and procedures
relating to the safeguarding of information
and to the proper use of institutional
network resources, such as, existing
acceptable use, information technology
security and student record access policies
and procedures.
Risk Management Issues


The Safeguards Rule recognizes that an
institution need not make its security
program publicly available. However, open
records laws may provide access.
Drafts and deliberative documents relating
to the creation and implementation of the
program should be labeled as attorney client
privileged drafts.
Approaches to GLB
Compliance
NACUA 43rd Annual Conference
Tom Schumacher
University of Minnesota
June 25, 2003
Options for Organizational Management: Program Leadership

“Designate an employee or employees to coordinate” (§314.4(a))
1. Centralized Model, single person
2. Decentralized, several “coordinators”
3. Hybrid, central coordinator, designated responsible parties in key units

Designation must be set out in written security plan (§314.3(a))
Try to integrate with existing responsibilities
Centralized Model

Options for Responsible Office
– Chief Information Officer?
– Controller?
– CFO?
– Registrar?
– Privacy Officer (if have one)?
– Custodian of Student Record?
– Auditor?
– IT Security Officer?
– Others
Delegate administrative duties as appropriate
Decentralized Model

Designate responsible coordinator in areas with “covered data”
– Student Finance Director(s)
  – One at each campus
– IT Office(s)
– Collections
– Human Resources
– Accounting
– Collegiate contacts
– Athletics
– Others
Consider some oversight method
Hybrid Model

– Single Central Coordinator
– Formally designated contacts in units with “covered data” responsible for carrying out risk assessments and monitoring where required
– Communication with leadership from areas with covered data
Coordinator Program Responsibilities

Risk Assessment - §314.4(b)
– Identify/inventory access to covered data
– Assess Risk

Internal Controls
– “Design and implement safeguards to control the risks you identify” (§314.4(c))
– Match these to level of assessed risk
Internal Controls

– Program Oversight
– Risk Assessment
– Roles and Responsibilities
– Policies and Procedures
– Education, Training & Awareness
– Monitoring, Testing, Oversight
– Corrective action/Communication
  – Iterative and continuing process
Example Risk Assessment - for each significant area to evaluate

Electronic
– Access
– Storage
– Transmission
– Destruction
Print materials
– Access
– Storage
– Transmission
– Destruction
Service Providers
System Integrity
– Employee permitted to access database without proper authorization
– Misuse of information by employee with authorized access
– Etc.
Example Risk/Internal Controls matrix approach
(Area: student financial collections)

Matrix columns: Risk Area | Risk Description | Prob. | Impact | Rank before Controls | INTERNAL CONTROLS (Policy/Procedure; Education; Operational Controls; Oversight/Monitoring Controls; Audit Controls) | Rank After controls (Probability)

Example row:
– Risk Area: Electronic access
– Risk Description: Wrongful access to private information by employee
– Policy/Procedure: Regents Policy on Access to student records
– Education: Required FERPA training prior to authorizing access
– Operational Controls: Access limited by passwords to need based upon job description; manager must specify access level prior to approval; IT staff must review and approve requested access level; system records operator’s id with transaction; employees must sign certification about understanding of rules and permissible use annually.
– Oversight/Monitoring Controls: Transactions reviewed periodically by Assoc Dir Student Finance to insure access appropriate
– Audit Controls: Audit trail created for access used
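The operational, oversight and audit controls from the collections matrix above, modelled in code as an added example (this is not code from the slides or from the University of Minnesota; the access levels, the separation of manager and IT reviewer, and the people, units and records in the demo are assumptions made for illustration). It shows what each control buys: the manager-specified level plus IT approval blocks access that was never properly authorized, the operator id recorded with every transaction builds the audit trail, and the periodic review replays that trail to catch the case the level check alone cannot, an authorized employee reading another unit’s records.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed access levels, ordered "none" < "read" < "update" (an assumption,
# not a level scheme taken from the slides).
LEVELS = {"none": 0, "read": 1, "update": 2}


@dataclass
class AccessGrant:
    operator: str
    unit: str                          # unit whose records the job needs
    level: str                         # level the manager specified
    requested_by: str                  # manager who specified it
    approved_by: Optional[str] = None  # IT staff; None until reviewed


@dataclass
class AuditEntry:
    seq: int
    operator: str                      # operator id recorded with the transaction
    action: str                        # "read" or "update"
    student_id: str
    record_unit: str
    allowed: bool


class StudentFinanceSystem:
    """Access exists only after a manager specifies a level and IT approves it;
    every transaction, allowed or denied, is written to the audit trail."""

    def __init__(self) -> None:
        self.grants: Dict[str, AccessGrant] = {}
        self.audit: List[AuditEntry] = []
        self.records: Dict[str, Tuple[str, str]] = {}  # id -> (owning unit, data)

    def request_access(self, operator: str, unit: str, level: str, manager: str) -> None:
        """Manager specifies the access level before any approval."""
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        self.grants[operator] = AccessGrant(operator, unit, level, manager)

    def approve_access(self, operator: str, it_staff: str) -> None:
        """IT staff review and approve the requested level (KeyError if no request)."""
        grant = self.grants[operator]
        if it_staff == grant.requested_by:
            raise PermissionError("IT review must be someone other than the requesting manager")
        grant.approved_by = it_staff

    def access(self, operator: str, action: str, student_id: str) -> Optional[str]:
        """Return the record if the approved level covers the action, else None.
        Denied attempts are logged as well, so the reviewer can see probing."""
        if action not in ("read", "update"):
            raise ValueError(f"unknown action {action!r}")
        record_unit, data = self.records[student_id]
        grant = self.grants.get(operator)
        allowed = (grant is not None and grant.approved_by is not None
                   and LEVELS[grant.level] >= LEVELS[action])
        self.audit.append(AuditEntry(len(self.audit) + 1, operator, action,
                                     student_id, record_unit, allowed))
        return data if allowed else None


def review_audit(system: StudentFinanceSystem) -> List[AuditEntry]:
    """Periodic review of the audit trail (the Assoc Dir's job in the matrix).
    Flags both forms of the 'wrongful access by employee' risk: denied attempts
    (no proper authorization) and allowed accesses to another unit's records
    (misuse by someone whose level was authorized, which the level check alone
    cannot catch)."""
    flagged: List[AuditEntry] = []
    for entry in system.audit:
        grant = system.grants.get(entry.operator)
        if not entry.allowed:
            flagged.append(entry)
        elif grant is not None and entry.record_unit != grant.unit:
            flagged.append(entry)
    return flagged


def demo() -> List[AuditEntry]:
    """Constructed scenario; the people, units and balances are made up."""
    system = StudentFinanceSystem()
    system.records["S100"] = ("collections", "balance due 1200.00")
    system.records["S200"] = ("financial_aid", "loan principal 8500.00")

    system.request_access("alice", "collections", "read", manager="mgr_collections")
    system.approve_access("alice", it_staff="it_security")
    system.request_access("bob", "collections", "update", manager="mgr_collections")
    # bob's request is never approved by IT.

    system.access("alice", "read", "S100")    # allowed: her unit, within level
    system.access("alice", "update", "S100")  # denied: level is read only
    system.access("alice", "read", "S200")    # allowed by level, another unit's record
    system.access("bob", "read", "S100")      # denied: never approved
    return review_audit(system)


if __name__ == "__main__":
    for entry in demo():
        print(f"#{entry.seq} {entry.operator} {entry.action} {entry.student_id} "
              f"({entry.record_unit}) allowed={entry.allowed}")
```

Running it lists the three entries a reviewer would want to see: the denied update, alice’s allowed read of a financial-aid record outside her unit, and bob’s attempt before IT approval. The point of keeping denied attempts in the trail is that the oversight control is only as good as what the audit control records; an audit trail that logs successes alone hides the probing that precedes a breach.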
Example: Hybrid Model

– Coordinator makes sure Risk Assessment and Internal controls for each covered area are in place
  – For significant areas, conducted by designated contacts
  – For isolated, conducted by Coordinator
– Designated contacts annually provide report to Coordinator
  – Annual confirmation that risks are current
– Coordinator annually reports on risk environment and controls to Compliance and leadership
  – Identifies problem areas
Identifying and Evaluating
Exposures and Risks
NACUA 43rd Annual Conference
Christopher Holmes
Baylor University
June 25, 2003
Scope of Risk Assessment
“You shall...identify reasonably foreseeable
internal and external risks to the security,
confidentiality, and integrity of customer
information that could result in the
unauthorized disclosure, misuse, alteration,
destruction or other compromise of such
information, and assess the sufficiency of
any safeguards in place to control these
risks.” 16 CFR §314.4 (b).
Areas to Include
1) Employee training and management;
2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
Steps to Risk Assessment

– Meet with all business owners facing the risks and discuss their experiences
– Prepare a list that encompasses the risks (both internal and external) they observe
– Determine whether current steps are sufficient in controlling the risks
– Discuss additional reasonable steps that could be taken to increase security
List of Potential Risks

– Compromise of system security (e.g., hacker)
– Interception of data during transmission
– Physical loss of data due to disaster
– Corruption of data or systems
– Unauthorized access by employees
– Unauthorized requests for data (e.g., pretext calling)
– Unauthorized transfer of data by third parties
FTC Suggestions: Employee Management and Training

– Check references prior to hiring employees who will have access to cdi
– Employees sign confidentiality agreement
– Train employees to take basic steps (passwords, pretext calling, etc.)
– Regular reminders of policy and legal requirement to keep cdi confidential
– Limit access to those employees with a business reason for seeing it
FTC Suggestions: Information Systems

– Store records in a secure area
– Provide for secure data transmission (use of SSL, password protect email accounts, etc.)
– Dispose of customer information in secure manner
– Inventory computers on network systems
FTC Suggestions: Managing Systems Failures

– Develop a written contingency plan to address breaches
– Maintain software and hardware (security patches, anti-virus software, etc.)
– Backups of all cdi
– Configure systems to ensure that access to cdi is granted only to appropriate users
– Notify customers promptly if cdi is disclosed
Review and Assessment
of Plan
GLB requires continued evaluation and
adjustment of the safeguards program
in light of relevant circumstances.
Periodically review changes in the
university’s operations or business
arrangements or the results of testing
and monitoring of enacted safeguards.
“Service Provider” Rules
Under the Gramm-Leach-Bliley Act
2003 NACUA National Conference
June 25, 2003
Gregory C. Brown
Associate General Counsel
Office of the General Counsel
University of Minnesota
Overview of Presentation
Review FTC Safeguard Rule on the
oversight, selection and retention of
service providers and mandatory
contract provisions.
Discuss ways, by contract, to protect Universities once security has been breached or customer information has been lost, misused or altered.
Who is a “Service
Provider”?
“Any person or entity that receives,
maintains, processes, or otherwise is
permitted access to customer
information through its provision of
services directly to a financial
institution . . . .” FTC Safeguard Rule, §
314.2(d), 67 Fed. Reg. 36,484, 36,494
(May 23, 2002) .
Duty to Oversee Service
Providers
Institutions must take “reasonable steps to select
and retain service providers that are capable of
maintaining appropriate safeguards for the
customer information . . . .” FTC Safeguard Rule,
§ 314.4(d)(1), 67 Fed. Reg. 36,484, 36,494 (May 23,
2002) .
Duty to Oversee Service
Providers
Each institution is expected to “take reasonable
steps to assure itself that its current and
potential service providers maintain sufficient
procedures to detect and respond to security
breaches . . . .” FTC Safeguard Rule, § C, 67 Fed.
Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).
Duty to Oversee Service
Providers
Each institution is expected to “maintain
reasonable procedures to discover and respond to
widely-known security failures by its current and
potential service providers.” FTC Safeguard Rule, §
C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis
added).
Duty to Oversee Service
Providers
The FTC did not mandate any specific reviews or
steps an institution must take to comply.
Institutions need not undertake “unlimited
evaluation(s) of their service providers’ capabilities.”
FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May
23, 2002).
Review will depend on the “circumstances and the
relationship” between the institution and the service
provider. Id.
Mandatory Contract
Provisions
Each contract entered into after June 24, 2002,
must require the service provider “to implement
and maintain such safeguards.” FTC Safeguard
Rule, §§314.4(d)(2) and 314.5(b), 67 Fed. Reg. 36,484,
36,494 (May 23, 2002) .
A contract in place before that date need not
include the mandatory provision until May 24,
2004. FTC Safeguard Rule, §314.5(b), 67 Fed. Reg.
36,484, 36,494 (May 23, 2002) .
Mandatory Contract
Provisions
So as to give institutions flexibility, the FTC
did not mandate particular contract
language.
Mandatory Contract
Provisions
Sample clause:
“Throughout the term of this Agreement, Service
Provider shall implement and maintain ‘appropriate
safeguards,’ as that term is used in § 314.4(d) of the
FTC Safeguard Rule, 16 C.F.R. § 314 (the ‘FTC Rule’),
for all ‘customer information,’ as that term is defined in
§314.2(b) of the FTC Rule, owned by the University
and delivered to Service Provider pursuant to this
Agreement.
Mandatory Contract
Provisions
Sample Clause cont’d:
“Service Provider shall promptly notify the University, in
writing, of each instance of (i) unauthorized access to or use
of that customer information that could result in substantial
harm or inconvenience to a customer of the University or
(ii) unauthorized disclosure, misuse, alteration, destruction
or other compromise of that customer information. Within
30 days of the termination or expiration of this Agreement,
Service Provider shall destroy and shall cause each of its
agents to destroy all records, electronic or otherwise, in its
or its agent’s possession that contain such customer
information and shall deliver to the University a written
certification of the destruction.”
Mandatory Contract
Provisions
FTC Safeguard Rule is silent as to the penalty for
institution entering into or maintaining a contract
with a service provider that does not comply.
Additional Contract Terms
Right to on-site audit of Service Provider’s security
program.
Right to terminate if Service Provider has allowed a
material breach of its security program, if Service
Provider has lost or materially altered customer
information, or if the University reasonably
determines that Service Provider’s program is
inadequate.
Additional Contract Terms
Service Provider to indemnify and defend the
University for security breaches, violations of GLB
caused by Service Provider’s negligence, and loss
or material alteration of customer information.
Service Provider to reimburse the University for its
direct damages (e.g., costs to reconstruct lost or
altered information) resulting from the security
breach, loss, or alteration of customer information.
Conclusion
GLB is another step on the ever-lengthening road to the land of perfect privacy. The FTC Safeguard Rule should be seen as part of an institution’s comprehensive privacy policy.
Institutions need to address the protection of
(meaning here access to) information already in
the “hands” of both current and past service
providers.
What is Required for Training under GLB Safeguards Rule

– Training should be very simple.
– You don't even need to mention GLB.
What Points to Include in Training

– Both physical and computer records must be protected
– Do not give anyone else your password or ask anyone for theirs
– Encrypt sensitive customer information when transmitted over networks. Conversely, do not ask customers to send data such as credit card # or SSN over non-encrypted networks.
– Refer calls or requests for customer information to employees who have had safeguard training
– Beware "social engineering" (pretext calling)
– Identify where at the university to report fraudulent attempts to obtain customer information or questionable data access (might be Internal Auditor for financial records, Registrar for Student Records, other to Information Security Coordinator)
Who to Train

– Depends on Specifics of your Information Security Plan
– Narrow v. Broad Approach
– Broad = Anyone who has access to student records, either paper or online
– If your plan also covers credit card information, anyone who has access to credit card information (CUA taking this approach)
– Narrow = only those offices with access to student financial data, or offices who engage in covered financial transactions, e.g. extending a loan for credit, gift annuity agreements, etc. (Georgetown taking this approach)
How to Train

– By video (see online video at http://counsel.cua.edu/glb/publications/)
– By brochures (online by end of summer at above site)
– In person in small groups for those who have managerial responsibilities in covered areas
Enforcement and 3rd Party Lawsuits

– No private right of action under GLB
– Plaintiff could bring case based on negligence
– Not much (if any) case law on negligent release of information such as SSN or credit card
Avoiding Lawsuits

– Likely to be a growing field with advent of laws like HIPAA, GLB and state laws protecting privacy
– See: Henderson, Steve, and Yarbrough, Matthew, Frontiers of Law: The Internet and Cyberspace: Suing the Insecure?: A Duty of Care in Cyberspace, 32 N.M.L. Rev. 11 (2002) for summary of theory of law in this area
– Follow standard of reasonableness. Stay current or ahead of curve on privacy protection, e.g. be there with the patch as soon as it is available.