GRAMM-LEACH-BLILEY GLB ACT

Download Report

Transcript GRAMM-LEACH-BLILEY GLB ACT

2006 Spring MASFAP
CONFERENCE
Ginny D’Angelo
Vice President of Student Loans
Commerce Bank
Leo Hertling
Associate Director
St. Louis College of Pharmacy
GRAMM-LEACH-BLILEY
GLB ACT
Financial Modernization Act of
1999
Gramm-Leach-Bliley Act
GLB is a federal law, which includes provisions
in requiring financial institutions to take steps
ensuring the security and confidentiality of a
consumers/customers personal information.
In 2003, the Federal Trade Commission (FTC)
confirmed that higher education institutions
are considered financial institutions under this
law.
Gramm-Leach-Bliley Act
 Colleges
and universities must be in
compliance with provisions of the GLB
Act that relate to the Safeguards Rule.
 Colleges
and universities that already
comply with FERPA will be deemed to
be in compliance with FTC privacy rules
under the GLB Act.
Gramm-Leach-Bliley Act
The law requires that institutions must
protect information collected about
individuals:
 Names
 Addresses and phone numbers
 Bank and credit card accounts
 Social Security numbers
 Income and credit histories
Gramm-Leach-Bliley Act
According to the Safeguards Rule, financial
institutions must develop a written information
security plan that describes their program to
protect customer information. Privacy notices
explaining an institution’s information-sharing
practices must also be provided to each
customer.
Gramm-Leach-Bliley Act
Experts suggest that three areas of operation
present special challenges and risks to
information security:
 Employee training and management
 Information systems (network and
software),storage,transmissions and
retrievals
 Security management, including prevention,
detection and response to attacks, intrusions
or other system failures
Gramm-Leach-Bliley Act
Quick Tips for Safeguarding information:
 Identify what is considered sensitive
information
 Protect all sensitive information from
unauthorized access or use
 Put safeguarding into practice
 Report suspicious activity
How does this apply to you?
Privacy of Information – FERPA
Safety of Information
Which Units are Most Affected by
GLB?
Registrar
Financial Aid Office
Bursar
Development Office
IT
Academic Departments
Privacy of Information
FERPA – Family Educational Rights &
Privacy Act (1974)
If you are FERPA-compliant, you are
meeting GLB criteria to protect
information privacy
FERPA protects privacy of all student
educational records and financial
information
FERPA Policies
Written policy – College Catalogue
Staff training; i.e., memos from Registrar’s Office to
faculty & staff regarding FERPA policy
Information is shared on a “need to know” basis, i.e.:
Audits
Law enforcement officials (must have proper
documentation and credentials)
Contracted services (loan, collection agencies)
Development Office
Rights Guaranteed under FERPA
Right to inspect and review educational
records
Right to seek amendment of educational
records
Right to have control over the disclosure of
educational records
Right to file a complaint with ED for alleged
failures of an institution’s compliance
What Can Be Shared?
MAY SHARE










MAY NOT SHARE
 Social Security #
Name
 Student ID #
Address
 Race
telephone #
 Ethnicity
Major
 Nationality
DOB and location
 Gender
Photo
Dates of attendance
School activities
Enrollment status
Most recent previous school attended
Dealing with Parents
Major differences between FAO policies and those of the
Registrar
For the Registrar

Parents may have access to student records if:





They have obtained a SIGNED AND WRITTEN CONSENT or the
student
If the student is under the age of 24 and was claimed by the parent in
the prior tax year, the parent may access the students records after the
student has been advised of the institution’s intention to release
information to the parent. You must give the student adequate time to
respond.
You must return the tax return to the parent. You do not have the right
to keep it. Simply document that you checked it and that the student
was claimed.
If the student objects, the parent must obtained a signed written
consent before records may be released.
School must maintain records of the request and ANY disclosures
The FAO and Parents
Parents of dependent students are afforded
the right to access a student’s financial
records.
This applies for Dependent students in terms
of IRS dependency. NOT TIV aid terms.
FAOs may have student sign an annual
waiver granting the parents access on an
annual basis.
Dealing with Spouses
FERPA does not recognize spouses
therefore they must be treated as
unrelated 3rd parties
As such, spouses have NO rights to a
student’s educational or financial aid
records.
Period end of discussion.
GLB extends FERPA
If your institution makes loans to
parents and other individuals, you must
also protect their privacy
These loans can include:
PLUS
Alternative Parent Loans
Safeguard Rule
Institutions must develop a written
information security plan to protect
customer information
Institutions must send privacy notices
explaining the information-sharing
practices to each customer
Safeguards Rule Expanded
Must include plans to safeguard
information against:
Natural Disaster
 Human Error
 Fraud
 Data corruption
 Theft (hardware, software, reports)
 Unauthorized access

Safeguards Rule (cont)
Natural Disaster (Earthquake,
hurricane, flood, tornado, etc.)
Is your data backed up in a remote
location?
 Do you lock your computer when you leave
your work station during fire alarms – or
any other time, for that matter!?

Safeguards Rule (cont)
Deliberate Fraud
Must maintain a separation of duties
 Conflict of interest policies must be
observed

Human Error

Do you have audit trails and reports that
can be used to reconstruct data
Safeguards Rule (cont)
Data Corruption
Protect and secure access to data, i.e.,
limit query vs. update capability on a
“need-to-do” basis, limit student worker
access as needed
 Anti-virus software must be maintained and
applied
 Institution must erect firewalls and develop
protection against hackers

Safeguards Rule (cont)
Must secure against theft of hardware,
software and reports
Secure during non-business hours: offices
locked, keys secured
 Approved shredder: eliminates guess work
in how to feed in documents

More Safeguards
Must protect against unauthorized
access
Frequent password changes should be
systematically required
 Reports sent on a “need-to-know” basis
 Computer privacy shields
 Student ID card readers – prevents
inappropriate overhearing of SIDs or SSNs

More Safeguards
Communicating to students via e-mail:



•
Use student’s institutional e-mail address
Respond to non-institutional e-mail that an answer has been
sent to the student’s institutional e-mail address
Respond to parent inquiries through student’s institutional email and ask student to forward to parent
Mass e-mail communication to students should take
student’s to a secure web site that protects their
individual information
Whose Responsible Anyway?
Identify and involve all offices involved
with loans or collection of data
FAO
 Business Office
 IT/Computer Systems
 Development
 Academic departments (scholarship
applications)

Who’s the Compliance Officer?
Someone must be designated the
institutional Compliance Officer
This function is usually assumed by the
Business and Finance Division

At STLCOP our registrar is our CO
FAO responsibility rests in informing
potential units of GLB responsibility
FAO GLB Policies
Shred all student-specific documents
Policy for identifying students and
parents before sharing data
Refer non-student/parent requests (3rd
party) to appropriate staff
Report computer problems immediately
Additional FAO Policies
Don’t share passwords. Problem:
What do you do when an employee is
absent and you need to access
information on his/her computer?
Lock computers when leaving work area
Computer screens shielded from other
students
No visitor left behind – or unattended!
Resources
US Department of Education

http://www.ed.gov/policy/gen/guid/fpco/ferpa/index
.html
FSA Handbooks 05-06

Recordkeeping and Disclosure Chapter 2 156-164
The Blue Book

Chapter 7 Record Keeping and Disclosure pp 1-93
– 1-104
Ramirez, Clifford (2002) Managing the
Privacy of Student Records, LRP
Publications, Horsham PA
CONTACT INFORMATION
Ginny D’Angelo
(800) 666-3910
Fax: (314) 514-6228
[email protected]
Leo Hertling
314/446-8321
fax# 314/446-8310
[email protected]