Gramm-Leach-Bliley Act Program
Background
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to ensure the privacy, security and confidentiality of student records containing non-public customer information.
GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC). The FTC considers the University to be a financial institution based on its student loan processing activities.
Privacy Rule
This rule imposes several requirements on the handling of non-public customer information.
The University is considered to be in compliance with the Privacy Rule through its adherence to the Family Educational Rights and Privacy Act (FERPA). Information about FERPA is available on Clemson University's Office of General Counsel website.
In addition, information about the University's Privacy Program is provided online.
Coordination and Responsibility
The Controller's Office works closely with the Clemson University Office of Information Security and with business owners who maintain, store, transmit and process covered data to ensure compliance with all requirements of GLBA. The University has designated its Chief Information Security Officer as the Qualified Individual who oversees its information security program.
Overview of Responsibilities by Area
The Controller's Office
- Serve as program coordinator
- Track and document the location of covered data
- Send communications related to GLBA
CU Office of Information Security
- Provide technical oversight
- Develop and maintain a GLBA-compliant risk assessment
- Review completed assessments and identify areas of risk
- Maintain the University’s Information Security Program
Business Owners
- Have knowledge and understanding of GLBA compliance requirements
- Identify systems containing covered data
- Complete departmental/procedural assessments
- Determine and implement mitigation strategies
Risk Assessments
Risk assessments are the foundation upon which informed security management decisions are made. As a result, business owners who maintain, operate, or manage information systems containing GLBA covered data are expected to conduct periodic risk assessments. In addition to performing risk assessments, business units are expected to implement mitigation strategies to reduce or eliminate identified risks.
Training
GLBA requires the University to offer security awareness training to employees with access to covered data. These employees will be required to complete the Information Security Training as part of the University’s Annual Required Training Program. If training is not completed, access to covered data may be revoked.
Key Terms
The terms listed here and their corresponding definitions apply to the GLBA compliance program.
Business Owner - Any University unit, department, area or employee who maintains, stores, transmits or processes covered data.
Covered Data - Non-public customer information that is required to be protected under GLBA, together with any other data or information the University chooses to include, even if it is not covered by GLBA. This information may be in paper, electronic, or other form.
Customer - Any person who is provided financial services by the University, such as obtaining a loan from the University or having a loan for which the University has servicing rights or responsibilities.
Financial Product or Service - Includes student loans, employee loans, activities related to extending credit, financial and investment advisory activities, management consulting and counseling activities, community development activities and other miscellaneous financial services (12 CFR 225.28).
Information System - Any location where covered data resides, including servers, networks, and computing stations.
Non-Public Customer Information - Any financial information or record given by a consumer to a financial institution for the purpose of obtaining a financial product. This information may be in paper, electronic, or other form. (16 CFR 313.3(n))
Non-public personal information means:
- Personally identifiable financial information.
- Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Examples of non-public personal information include, but are not limited to:
- Social Security Number
- Credit Card Number
- Account Numbers
- Account Balances
- Any Financial Transactions
- Tax Return Information
- Driver's License Number
- Date/Location of Birth
Examples of services or activities the University may offer that result in the creation of customer information include, but are not limited to:
- Student (or other) loans, including receiving application information and the making or servicing of such loans
- Credit counseling services
- Collection of delinquent loans and accounts
- Check cashing services
- Real estate settlement services
- Issuing credit cards or long-term payment plans involving interest charges
- Obtaining information from a consumer report
Service Provider - Any person or entity that maintains, stores, transmits or processes customer information through its provision of services directly to the University.