Protecting Non-Public, Personal Information Under
the Gramm-Leach-Bliley Act
Greg Brady
Assistant University Counsel
[email protected]; Phone 753-2621
Last Updated 5/5/04 – Please contact Greg about updates to this presentation before relying on the content contained within.
Identity Theft and Consumer Fraud
From a January 23, 2004 MSNBC Article:
Americans reported losses of $437 million last year to identity theft and Internet fraud
The FTC has received more than half a million complaints in the last four years
Consumers lost an average of $1,868 per consumer fraud incident
The FTC estimates that 1 in 8 U.S. adults were affected by identity theft last year
For more information on Identity Theft, please see
http://www.consumer.gov/idtheft/
Gramm-Leach-Bliley Act (GLB)
The Act requires “financial institutions” to safeguard customers’ nonpublic, personal information.
Customers of NIU include students, employees, applicants, and other third parties as well.
The NIU Interim Security Plan Coordinator is Ken Davidson, Associate Vice President and General Counsel.
University Legal Services
302 Lowden Hall
Northern Illinois University
DeKalb, IL 60115
Phone: 753-1774
Fax: 753-8686
www.niu.edu/legalservices/
Technical Support questions should be directed to your respective IT professional.
Related Laws
The Family Educational Rights and Privacy Act of 1974
(FERPA), which deals with the protection of student
education records.
– See the training session presented by Sheri Kallembach of Registration and Records.
Health Insurance Portability and Accountability Act of
1996 (HIPAA), which deals with the protection of
protected health information that is transmitted
electronically.
Illinois Freedom of Information Act (FOIA)
– If you receive a FOIA request, or any other legal document, do not sign for it yourself. Instead, please direct that individual to the Office of University Legal Services.
GLB Motto:
If you collect or have access to it, then protect it!!!
If you are unsure, err on the side of caution and do not hand over the information.
Strive for best practices.
Incident Response
Individuals who are aware of any attempted or actual unauthorized access to “customer information” are required to report such incident to the ITS Customer Support Center at 815-753-8100. Callers should state that they would like to report a GLB incident and ask that IT Security be notified.
Use [email protected] for e-mail reporting.
For ITS Policies, see http://www.its.niu.edu/its/Policies/policies_index.shtml
What type of information must I protect?
Names
Addresses
Phone numbers
Bank and credit card account numbers
Income and credit histories
Social Security Numbers
Other financial and tax information
– regardless of whether it is in paper or electronic form
Financial Activities (12 USC 1843(k))
This broad definition includes:
– Leasing real or personal property or advising in such leasing
– Financial advisory activities, including management consulting and counseling activities
– Tax planning, preparation and advising
Universities conduct these activities:
– Extension of credit (student loans)
– Debt collecting (of student loans)
Whose information must I protect?
Students (because of student loans, primarily)
NIU Employees
Applicants
Other third parties
GLB does not cover business entities (e.g., FEIN numbers), BUT this training can still be used to protect that information
Safeguarding electronic customer information
Use encryption technology to send and receive information electronically; e.g., SSL (https://...)
Only send the information that is absolutely necessary; e.g., a Social Security Number can be represented as ***-**-5678.
Be careful when replying to or forwarding e-mails that contain customer information.
Never give out your username and password to anyone, even your student workers!
Never leave your user name or password near your computer, like on post-its.
Do not leave your computers unlocked when not at your desk; e.g., CTRL+ALT+DEL, then “Lock Workstation.”
Turn computer screens away from visitors.
Only log in as Administrator when necessary.
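The ***-**-5678 masking suggested above, as an added example that is not part of the original presentation: a small Python helper that redacts SSN-shaped values in an outgoing message (including any quoted e-mail history) down to the last four digits, while leaving phone numbers such as 753-8100 untouched. The area/group/serial validity checks are the Social Security Administration's published structural rules; the function names and the sample message are my own.

```python
import re

# SSN-shaped tokens written as 123-45-6789 or 123 45 6789. The lookarounds
# stop matches inside longer digit runs (account or ID numbers). Unseparated
# 9-digit runs are deliberately excluded; they need a separately reviewed rule.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 and serial 0000. Everything else is a possible SSN."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask_ssns(text: str) -> str:
    """Return text with every plausible SSN replaced by ***-**-NNNN.

    Run it over the whole message, quoted history included: an earlier
    message in the thread may carry the full number even when your own
    lines do not (the 'replying or forwarding' risk noted above)."""
    def _mask(m: re.Match) -> str:
        area, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            return m.group(0)  # not an SSN (e.g., a 666-... test value); leave it
        return f"***-**-{serial}"
    return SSN_RE.sub(_mask, text)


def count_ssns(text: str) -> int:
    """Number of plausible SSNs still present; a pre-send check should see 0."""
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))


if __name__ == "__main__":
    # Constructed sample reply with quoted history below the '>' lines.
    sample = (
        "The refund is processed. Call me at 815-753-8100 with questions.\n"
        "> Student SSN 123-45-6789, also written 123 45 6789 on the form.\n"
        "> Vendor test ID 666-12-3456 is not a real SSN and is left as-is.\n"
    )
    print(mask_ssns(sample))
    print("SSNs remaining:", count_ssns(mask_ssns(sample)))
```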
Safeguarding hard copy customer
information (i.e., paper documents)
Do not leave customer information lying about.
Limit access to paper documents to those NIU employees with a legitimate business reason to know the information contained within.
Paper records with customer information must be placed in locked storage units that are protected against destruction and damage; e.g., fires and floods.
Avoid placing filing cabinets and other storage spaces in easily accessible places; e.g., common hallways. Instead, place them behind the desks or away in an office.
When disposing of documents, pursuant to the Illinois State Records Act, shred those with customer information, rather than just placing them in the trash.
Pre-text Calling and Phishing
“Pre-text calling” or “social engineering” is a method callers may use to make their claim that they are calling from an official source seem credible; e.g., the “low mortgage rate” example.
“Phishing” - the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft (e.g., eBay).
Always confirm/verify who you are dealing with before turning over any information.
Verify the status of all NIU vendors with University Legal Services.
Never confirm information for callers or requestors.
Refer requestors to the NIU online directory at www.niu.edu/directory.shtml.
Office Procedures
Check references and conduct background checks on new hires.
Use confidentiality agreements.
Limit access to customer information to employees with a legitimate business reason to know.
Back up customer information.
Store customer information on machines that are not connected to the Internet or the network.
Check with your respective IT professional about the Big 3:
– Anti-virus software
– Firewall protection
– Periodic software updates
Continuously train and remind employees, even student workers, on how to safeguard customer information.
Report all unauthorized access to customer information to ITS and University Legal Services immediately.
Office Procedures (Cont)
Work at home – inform your IT professional.
For home computers, remember the Big 3:
– Anti-virus software
– Firewalls
– Periodic software updates (see windowsupdate.microsoft.com/default.html)
Consider Spyware Detection Software:
– Adaware - http://www.lavasoftusa.com/
– Spybot - http://www.safernetworking.org/
Beware of Instant Messaging (IM) Software:
– Typically unencrypted and no antivirus protection
Use VPN (Virtual Private Network) software when remotely connecting to the NIU network, especially by wireless technology.
– www.its.niu.edu/its/csupport/vpn/default.html
Never open attachments from “strangers.”
– Confirm with sender
– Scan attachments with antivirus
– Email “Spoofing”
– Virus Hoaxes (e.g., jdbgmgr.exe hoax)
Choose “hard-to-guess” passwords
It may be futile to remove your e-mail from spam/junk mail lists.
Email Notifications
The US Computer Emergency Readiness Team
- http://www.us-cert.gov/index.html
Microsoft Windows Security E-Mail Updates http://www.microsoft.com/security/
– BUT…I recommend actually updating your software from the following sites:
http://v4.windowsupdate.microsoft.com/en/default.asp
http://office.microsoft.com/officeupdate/
Remember other software like RealPlayer or Mac OS
Office Procedures (Cont)
Disposal of records with customer information.
– Follow the Illinois State Records Act
– For general questions, call June Bocklund at 753-1896 or Deborah Kern at 753-6130 from the Accounting Office
Disposal of hardware
– IL law requires that all hard drives be wiped clean before being discarded by the University
– For proper procedures, please see www.its.niu.edu/its/downloads/wipedisk.shtml
Maintain an inventory of your computers and filing systems, and use periodic auditing procedures.
Two-factor authentication for access to records
– Something employees have (like an ID card)
– Something employees know (like a password)
GLB Motto:
If you collect or have access to it, then protect it!!!
If unsure, do not hand over the information.
Incident Response
Contact ITS Customer Support at 753-8100, and ask them to notify IT Security of a GLB incident
Requests for Information
Requests by Law Enforcement Officials or Authorities…
– Please call the NIU Department of Public Safety at 753-1212.
Requests pursuant to other legal documents (i.e., subpoenas, summons, FOIA requests)…
– Please call University Legal Services at 753-1774.