Gramm-Leach-Bliley Act: Safeguarding Customer Information
The Gramm-Leach-Bliley Act (GLB Act) Safeguards Rule pertains to the safeguarding of customer financial information. The rule requires financial institutions, including colleges and universities, to develop plans and establish policies to protect such information.
The information below describes the various components of the university's information security program that are in accord with, and support compliance with, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and provides references to additional materials and to applicable policies and guidelines.
The GLB Act broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes. The GLB Act spells out several specific requirements regarding the privacy of customer financial information.
The objectives of the information security program are:
- To ensure the security and confidentiality of customer information;
- To protect against any anticipated threats to the security or integrity of such information;
- To guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Examples of services or activities that IU may offer which result in the creation of customer information covered under GLBA could include but are not limited to:
- Financial aid (FAFSA data/tax returns for verification)
- Direct deposit banking information
- Making/Servicing/Collecting loans/tuition, including payment plans
- From 12 CFR § 225.28: employee benefits counseling/financial counseling/career counseling (if financial information)
Customer information means any record containing nonpublic personal information about a customer, whether in paper, electronic, or another form, that is processed by or on behalf of IU or its affiliates. An example would be information that a student provides on the Free Application for Federal Student Aid (FAFSA).
Information security program means the administrative, technical, or physical safeguards used to collect, process, store, and dispose of customer information.
Service provider means any person or entity that receives, processes, or otherwise is permitted access to customer information through its direct provision of services to IU.