Glb safeguards rule overview training and enforcement considerations
1 / 51

GLB Safeguards Rule: Overview, Training and Enforcement Considerations - PowerPoint PPT Presentation

  • Uploaded on

GLB Safeguards Rule: Overview, Training and Enforcement Considerations. NACUA 43 rd Annual Conference Peter C. Cassat Margaret O’Donnell. Scope of GLBA Safeguards Rule.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'GLB Safeguards Rule: Overview, Training and Enforcement Considerations' - jereni

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Glb safeguards rule overview training and enforcement considerations

GLB Safeguards Rule: Overview, Training and Enforcement Considerations

NACUA 43rd Annual Conference

Peter C. Cassat

Margaret O’Donnell

Scope of glba safeguards rule
Scope of GLBA Safeguards Rule

  • The FTC’s Safeguards Rule, promulgated under the GLBA, went into effect on May 23, 2003 and is aimed at ensuring the safeguarding and confidentiality of customer information held in the possession of covered financial institutions.

  • Unlike the FTC’s earlier GLBA Privacy Rule, the Safeguards Rule contains no exemption for institutions that are subject to FERPA. As a result, educational institutions that engage in financial institution activities, such as processing student loans, are required to comply with the Safeguards Rule.

General requirements
General Requirements

  • The Safeguards Rule requires each covered institution to develop, implement, and maintain a “comprehensive information security program” that is “written in one or more readily accessible parts”, and that includes “administrative, technical and physical safeguards” designed to ensure the security and confidentiality of customer records.

  • The Safeguards Rule expressly recognizes that each institution’s information security program may vary, based on its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.

Comprehensive written information security program
Comprehensive Written Information Security Program

  • In order to “develop, implement and maintain” the required written information security program, the Safeguards Rule requires each institution to carry out certain steps:

    • designate one or more employees to coordinate the program;

Information security program steps cont
Information Security Program Steps, cont. . . .

  • Identify “reasonably foreseeable” internal and external risks to the security and confidentiality of customer information that could lead to unauthorized disclosure, use, alteration, destruction or other compromise of such information and “assess the sufficiency” of the institution’s safeguards in place to control these risks.

Information security program steps cont1
Information Security Program Steps, cont . . .

  • Such risk assessment must include, at a minimum, risks in areas of operation such as:

    • employee training and management,

    • information systems, and

    • detecting, preventing, and responding to attacks against the institution’s systems;

Security program steps cont
Security Program Steps, cont.

  • implement safeguards to manage the identified risks and regularly test or monitor such safeguards;

  • oversee the institution’s service providers by:

    • selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and

    • requiring service providers by contract to implement and maintain such safeguards;

Ongoing security steps
Ongoing Security Steps

  • The Safeguards Rule requires institutions to evaluate and adjust the their security programs in light of the required risk assessment, any material change to institutional business operations or any other circumstances that may have a material impact on the institution’s information security program.

Practical considerations
Practical Considerations

  • The most difficult challenge under the Safeguards Rule is identifying the scope of information covered.

  • It may be possible to take the position that the Safeguards Rule applies only to information collected or maintained in connection with the institution’s financial institution activities – i.e., student financial aid related activities.

  • It may be difficult, however, for institutions to segregate information that is collected in connection with financial institution related activities (such as Social Security numbers) from other information maintained with respect to its student population.

Drafting issues
Drafting Issues

  • The FTC rules expressly recognize that an institution’s information security program may be maintained in one or more documents. Thus, it should be possible to incorporate existing policies and procedures relating to the safeguarding of information and to the proper use of institutional network resources, such as, existing acceptable use, information technology security and student record access policies and procedures.

Risk management issues
Risk Management Issues

  • The Safeguards Rule recognizes that an institution need not make its security program publicly available. However, open records laws may provide access.

  • Drafts and deliberative documents relating to the creation and implementation of the program should be labeled as attorney client privileged drafts.

Approaches to glb compliance

Approaches to GLB Compliance

NACUA 43rd Annual Conference

Tom Schumacher

University of Minnesota

June 25, 2003

Options for organizational mgmt program leadership
Options for Organizational Mgmt.-Program Leadership

  • “Designate an employee or employees to coordinate” (§314.4(a))

    1. Centralized Model, single person

    2. Decentralized, several “coordinators”

    3. Hybrid, central coordinator, designated responsible parties in key units

  • Designation must be set out in written security plan (§314.3(a))

  • Try to integrate with existing responsibilities

Centralized model
Centralized Model

  • Options for Responsible Office

    • Chief Information Officer?

    • Controller?

    • CFO?

    • Registrar?

    • Privacy Officer (if have one)?

    • Custodian of Student Record?

    • Auditor?

    • IT Security Officer?

    • Others

  • Delegate administrative duties as appropriate

Decentralized model
Decentralized Model

  • Designate responsible coordinator in areas with “covered data”

    • Student Finance Director(s)

      • One at each campus

    • IT Office(s)

    • Collections

    • Human Resources

    • Accounting

    • Collegiate contacts

    • Athletics

    • Others

  • Consider some oversight method

Hybrid model
Hybrid Model

  • Single Central Coordinator

  • Formally designated contacts in units with “covered data” responsible for carrying out risk assessments and monitoring where required

  • Communication with leadership from areas with covered data

Coordinator program responsibilities
Coordinator Program Responsibilities

  • Risk Assessment - § 313.4(b)

    • Identify/inventory access to covered data

    • Assess Risk

  • Internal Controls

    • “Design and implement safeguards to control the risks you identify” (§ 313.4(c))

    • Match these to level of assessed risk

Internal controls
Internal Controls

  • Program Oversight

  • Risk Assessment

  • Roles and Responsibilities

  • Policies and Procedures

  • Education, Training & Awareness

  • Monitoring, Testing, Oversight

  • Corrective action/Communication

    • Iterative and continuing process

Example risk assessment for each significant area to evaluate
Example Risk Assessment-for each significant area to evaluate

Employee permitted to access to database

without proper authorization

  • Electronic

    • Access

    • Storage

    • Transmission

    • Destruction

  • Print materials

    • Access

    • Storage

    • Transmission

    • Destruction

  • Service Providers

  • System Integrity

Misuse of information by employee with

Authorized access


Example risk internal controls matrix approach area student financial collections
Example Risk/Internal Controls matrix approach evaluate(Area: student financial collections)

Glb safeguards rule overview training and enforcement considerations

Example: Hybrid Model evaluate

  • Coordinator makes sure Risk Assessment and Internal controls for each covered area are in place

    • For significant areas, conducted by designated contacts

    • For isolated, conducted by Coordinator

  • Designated contacts annually provide report to Coordinator

    • Annual confirmation that risks are current

  • Coordinator annually reports on risk environment and controls to Compliance and leadership

    • Identifies problem areas

Identifying and evaluating exposures and risks

Identifying and Evaluating evaluateExposures and Risks

NACUA 43rd Annual Conference

Christopher Holmes

Baylor University

June 25, 2003

Scope of risk assessment
Scope of Risk Assessment evaluate

“You shall...identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.” 16 CFR §314.4 (b).

Areas to include
Areas to Include evaluate

  • Employee training and management;

  • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and

  • Detecting, preventing and responding to attacks, intrusions, or other systems failures.

Steps to risk assessment
Steps to Risk Assessment evaluate

  • Meet with all business owners facing the risks and discuss their experiences

  • Prepare a list that encompasses the risks (both internal and external) they observe

  • Determine whether current steps are sufficient in controlling the risks

  • Discuss additional reasonable steps that could be taken to increase security

List of potential risks

Compromise of system security (e.g., hacker) evaluate

Interception of data during transmission

Physical loss of data due to disaster

Corruption of data or systems

Unauthorized access by employees

Unauthorized requests for data (e.g., pretext calling)

Unauthorized transfer of data by third parties

List of Potential Risks

Ftc suggestions employee management and training
FTC Suggestions: Employee Management and Training evaluate

  • Check references prior to hiring employees who will have access to cdi

  • Employees sign confidentiality agreement

  • Train employees to take basic steps (passwords, pretext calling, etc.)

  • Regular reminders of policy and legal requirement to keep cdi confidential

  • Limit access to those employees with a business reason for seeing it

Ftc suggestions information systems
FTC Suggestions: evaluateInformation Systems

  • Store records in a secure area

  • Provide for secure data transmission (use of SSL, password protect email accounts, etc.)

  • Dispose of customer information in secure manner

  • Inventory computers on network systems

Ftc suggestions managing systems failures
FTC Suggestions: evaluateManaging Systems Failures

  • Develop a written contingency plan to address breaches

  • Maintain software and hardware (security patches, anti-virus software, etc.)

  • Backups of all cdi

  • Configure systems to ensure that access to cdi is granted only to appropriate users

  • Notify customers promptly if cdi is disclosed

Review and assessment of plan
Review and Assessment of Plan evaluate

GLB requires continued evaluation and adjustment of the safeguards program in light of relevant circumstances. Periodically review changes in the university’s operations or business arrangements or the results of testing and monitoring of enacted safeguards.

Service provider rules under the gramm leach bliley act
“Service Provider” Rules evaluateUnder the Gramm-Leach-Bliley Act

2003 NACUA National Conference

June 25, 2003

Gregory C. Brown

Associate General Counsel

Office of the General Counsel

University of Minnesota

Overview of presentation
Overview of Presentation evaluate

Review FTC Safeguard Rule on the oversight, selection and retention of service providers and mandatory contract provisions.

Discuss ways, by contract, to protect Universities once security has been breached or customer information has been loss, misused or altered.

Who is a service provider
Who is a “Service Provider”? evaluate

“Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution . . . .” FTC Safeguard Rule, § 314.2(d), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .

Duty to oversee service providers
Duty to Oversee Service Providers evaluate

Institutions must take “reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information . . . .” FTC Safeguard Rule, § 314.4(d)(1), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .

Duty to oversee service providers1
Duty to Oversee Service Providers evaluate

Each institution is expected to “take reasonable steps to assure itself that its current and potential service providers maintain sufficient procedures to detect and respond to security breaches . . . .” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).

Duty to oversee service providers2
Duty to Oversee Service Providers evaluate

Each institution is expected to “maintain reasonable procedures to discover and respond to widely-known security failures by its current and potential service providers.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).

Duty to oversee service providers3
Duty to Oversee Service Providers evaluate

The FTC did not mandate any specific reviews or steps an institution must take to comply.

Institutions need not undertake “unlimited evaluation(s) of their service providers’ capabilities.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002).

Review will depend on the “circumstances and the relationship” between the institution and the service provider.Id.

Mandatory contract provisions
Mandatory Contract Provisions evaluate

Each contract entered into after June 24, 2002, must require the service provider “to implement and maintain such safeguards.” FTC Safeguard Rule, §§314.4(d)(2) and 314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .

A contract in place before that date need not include the mandatory provision until May 24, 2004. FTC Safeguard Rule, §314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .

Mandatory contract provisions1
Mandatory Contract Provisions evaluate

So as to give institutions flexibility, the FTC did not mandate particular contract language.

Mandatory contract provisions2
Mandatory Contract Provisions evaluate

  • Sample clause:

    • “Throughout the term of this Agreement, Service Provider shall implement and maintain ‘appropriate safeguards,’ as that term is used in § 314.4(d) of the FTC Safeguard Rule, 16 C.F.R. § 314 (the ‘FTC Rule’), for all ‘customer information,’ as that term is defined in §314.2(b) of the FTC Rule, owned by the University and delivered to Service Provider pursuant to this Agreement.

Mandatory contract provisions3
Mandatory Contract Provisions evaluate

Sample Clause cont’d:

“Service Provider shall promptly notify the University, in writing, of each instance of (i) unauthorized access to or use of that customer information that could result in substantial harm or inconvenience to a customer of the University or (ii) unauthorized disclosure, misuse, alteration, destruction or other compromise of that customer information. Within 30 days of the termination or expiration of this Agreement, Service Provider shall destroy and shall cause each of its agents to destroy all records, electronic or otherwise, in its or its agent’s possession that contain such customer information and shall deliver to the University a written certification of the destruction.”

Mandatory contract provisions4
Mandatory Contract Provisions evaluate

FTC Safeguard Rule is silent as to the penalty for institution entering into or maintaining a contract with a service provider that does not comply.

Additional contract terms
Additional Contract Terms evaluate

Right to on-site audit of Service Provider’s security program.

Right to terminate if Service Provider has allowed a material breach of its security program, if Service Provider has lost or materially altered customer information, or if the University reasonably determines that Service Provider’s program is inadequate.

Additional contract terms1
Additional Contract Terms evaluate

Service Provider to indemnify and defend the University for security breaches, violations of GLB caused by Service Provider’s negligence, and loss ormaterial alteration of customer information.

Service Provider to reimburse the University for its direct damages (e.g., costs to reconstruct lost or altered information) resulting from the security breach, loss, or alteration of customer information.

Conclusion evaluate

GLB is another step on the ever-lengthening road to the land of perfect privacy. FTC Safeguard Rule should be seen a part of an institution’s comprehensive privacy policy.

Institutions need to address the protection of (meaning here access to) information already in the “hands” of both current and past service providers.

What is required for training under glb safeguards rule
What is Required for Training under GLB Safeguards Rule evaluate

  • Training should be very simple.

  • You don't even need to mention GLB.

What points to include in training
What Points to Include in Training evaluate

  • Both physical and computer records must be protected

  • Do not give anyone else your password or ask anyone for theirs

  • Encrypt sensitive customer information when transmitted over networks. Conversely, do not ask customers to send data such as credit card # or SSN over non-encrypted networks.

  • Refer calls or requests for customer information to employees who have had safeguard training

  • Beware "social engineering" (pretext calling)

  • Identify where at the university to report fraudulent attempts to obtain customer information or questionable data access (might be Internal Auditor for financial records, Registrar for Student Records, other to Information Security Coordinator)

Who to train
Who to Train evaluate

  • Depends on Specifics of your Information Security Plan

  • Narrow v. Broad Approach

  • Broad = Anyone who has access to student records, either paper or online

  • If your plan also covers credit card information, anyone who has access to credit card information (CUA taking this approach)

  • Narrow = only those offices with access to student financial data, or offices who engage in covered financial transactions, e.g. extending a loan for credit, gift annuity agreements, etc. (Georgetown taking this approach)

How to train
How to Train evaluate

  • By video (see online video at

  • By brochures (online by end of summer at above site)

  • In person in small groups for those who have managerial responsibilities in covered areas

Enforcement and 3 rd party lawsuits
Enforcement and 3 evaluaterd Party Lawsuits

  • No private right of action under GLB

  • Plaintiff could bring case based on negligence

  • Not much (if any) case law on negligent release of information such as SSN or credit card

Avoiding lawsuits
Avoiding Lawsuits evaluate

  • Likely to be a growing field with advent of laws like HIPAA, GLB and state laws protecting privacy

  • See: Henderson, Steve, and Yarbrough, Matthew, Frontiers of Law: The Internet and Cyberspace: Suing the Insecure?: A Duty of Care in Cyberspace, 32 N.M.L. Rev. 11 (2002) for summary of theory of law in this area

  • Follow standard of reasonableness. Stay current or ahead of curve on privacy protection, e.g. be there with the patch as soon as it is available.