Controller's Office

Gramm-Leach-Bliley Act Program

Background

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to ensure the privacy, security and confidentiality of student records containing non-public customer information.

GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC). The FTC considers the University to be a financial institution based on its student loan processing activities.

Privacy Rule

This rule enforces several requirements related to the handling of non-public customer information.

The University is considered to be in compliance with the Privacy Rule through its adherence to the Family Educational Rights and Privacy Act (FERPA). Information about FERPA is available on Clemson University's Office of General Counsel website.

In addition, we also provide information regarding the University’s Privacy Program online.

Coordination and Responsibility

The Controller’s Office works closely with the Clemson University Office of Information Security and with business owners who maintain, store, transmit and process covered data to ensure compliance with all requirements of GLBA. The University has designated its Chief Information Security Officer as the Qualified Individual to oversee its information security program.

Overview of Responsibilities by Area

The Controller's Office

  • Serve as program coordinator
  • Track and document the location of covered data
  • Send communications related to GLBA

CU Office of Information Security

  • Provide technical oversight
  • Develop and maintain GLBA compliant risk assessment
  • Review complete assessments and identify areas of risk
  • Maintain the University’s Information Security Program

Business Owners

  • Have knowledge and understanding of GLBA compliance requirements
  • Identify systems containing covered data
  • Complete departmental/procedural assessments
  • Determine and implement mitigation strategies

Risk Assessments

Risk assessments are the foundation upon which informed security management decisions are made. As a result, business owners who maintain, operate, or manage information systems containing GLBA covered data are expected to conduct periodic risk assessments. In addition to performing risk assessments, business units are expected to implement mitigation strategies to reduce or eliminate identified risks.

Training

GLBA requires the University to offer security awareness training to employees with access to covered data. These employees will be required to complete the Information Security Training as part of the University’s Annual Required Training Program. If training is not completed, access to covered data may be revoked.

Key Terms

The terms listed here and their corresponding definitions apply to the GLBA compliance program.

Business Owner - Any University unit, department, area or employee who maintains, stores, transmits or processes covered data.

Covered Data - Non-public customer information that is required to be protected under GLBA, together with any other data or information the University chooses to include, even if not covered by GLBA. This information may be in paper, electronic, or other form.

Customer - Any person who is provided financial services by the University, such as obtaining a loan from the University or having a loan for which the University has servicing rights or responsibilities.

Financial Product or Service - Includes student loans, employee loans, activities related to extending credit, financial and investment advisory activities, management consulting and counseling activities, community development activities and other miscellaneous financial services (12 CFR 225.28).

Information System - Any location where covered data resides, including servers, networks, and computing stations.

Non-Public Customer Information - Any financial information or record given by a consumer to a financial institution for the purpose of obtaining a financial product. This information may be in paper, electronic, or other form. (16 CFR 313.3(n))

Non-public personal information means:

  • Personally identifiable financial information.
  • Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

Examples of non-public personal information include but are not limited to:

  • Social Security Number
  • Credit Card Number
  • Account Numbers
  • Account Balances
  • Any Financial Transactions
  • Tax Return Information
  • Driver's License Number
  • Date/Location of Birth

Examples of services or activities that the University may offer which result in the creation of customer information could include but are not limited to:

  • Student (or other) loans, including receiving application information and the making or servicing of such loans
  • Credit counseling services
  • Collection of delinquent loans and accounts
  • Check cashing services
  • Real estate settlement services
  • Issuing credit cards or long-term payment plans involving interest charges
  • Obtaining information from a consumer report

Service Provider - Any person or entity that maintains, stores, transmits or processes customer information through its provision of services directly to the University.