The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a federal law that includes provisions to protect consumers' personal financial information held by financial institutions. A portion of these regulations is applicable to colleges and universities and requires that the University establish and periodically revise an information security program.
All offices and individuals campus-wide who are engaged in the following activities or practices are required to participate in the Gramm-Leach-Bliley Information Security Program:
- Academic and administrative offices that handle electronic or printed personnel records, financial records, transactional records, or student records.
- Academic and administrative offices that transmit confidential information (protected data) to off-site locations as part of a periodic review or submission requirement.
- Centers and Institutes that provide services and acquire personal or financial information from participants or constituents.
- Faculty serving as directors, coordinators, principal investigators, or program directors for programs collecting protected data.
- Faculty, staff, and administrators with contracts to use, access, or provide protected data to, or receive it from, a non-campus entity (e.g., government databases, science databases).
- Performing arts organizations that collect patron information.
CSULA has set forth a comprehensive GLB Information Security Program that serves as the guide for how information security, for records in both paper and electronic form, is maintained on this campus. Information covered under the plan is defined by three categories:
- Personally Identifiable Information (PII) – Also known as protected data, PII includes first and last name, social security number, date of birth, home address, home telephone number, academic performance record, physical description, medical history, disciplinary history, gender, and ethnicity.
- Financial Information – Information that the University has obtained from employees, alumni, auxiliary agencies, patrons, external program participants, or the like in the process of offering a financial product or service, or conducting a program. Examples include bank and credit card account numbers, and income and credit histories.
- Student Financial Information – Information that the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories.
All departments that handle or maintain protected data must perform a risk assessment of their areas and put safeguards in place to secure personally identifiable, financial, and student financial information. Administrators are responsible for educating all department personnel about information security best practices in their respective areas. In addition, oversight must be provided over service providers who are given access to protected data, or who may come into contact with protected data, while carrying out contracted service responsibilities.
The complete Gramm-Leach-Bliley Information Security Program, including a responsibilities matrix, is available on the ITS website at: www.calstatela.edu/its/guidelines