UCA Gramm-Leach-Bliley Act (GLBA) Safeguards Rule Compliance Training. Effective June 12, 2018. Adapted from materials published by the Federal Trade Commission (FTC) and the University of Minnesota.

Training Objectives
To provide information to the UCA campus community and customers regarding:
What the Safeguards Rule is and why it applies to UCA
How the Safeguards Rule differs from FERPA
What information is covered by the Safeguards Rule
What is required of UCA to comply
Examples of safeguards
How UCA is complying

What is GLBA?
GLBA was passed in 1999 and is intended “to protect consumers & customers who obtain ‘financial products or services to be used primarily for personal or other household purposes.’” (Choroszy, “Beyond FERPA”)
Through FERPA compliance, UCA is exempt from the privacy regulations in GLBA. (16 CFR 313.1(b))
However, compliance with FERPA is not an exemption from the Safeguards Rule; UCA and other colleges and universities are required to comply. (Schneider, “ED Proposes Auditing Safeguards Rule Compliance”)

How is GLBA different from FERPA?
FERPA relates to students’ educational records, including their right to access and inspect them, what types of records can be disclosed and to whom, etc. (http://uca.edu/registrar/ferpa/)
The GLBA Safeguards Rule pertains to nonpublic personal information, which is typically limited to an individual’s financial information obtained in connection with a financial product or service. (FTC, “Financial Institutions and Customer Information”)
The University’s efforts should be aimed at ensuring the protection of all student, faculty, staff, and customer private data regardless of the applicable regulation (e.g., FERPA, HIPAA, GLBA).

What are the objectives of the Safeguards Rule?
Insure the security and confidentiality of customer information;
Protect against any anticipated threats or hazards to the security or integrity of such information; and
Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Source: 16 CFR 314.3(b)

Why is UCA required to comply?
GLBA applies to financial institutions’ protection of customer information; colleges and universities are considered financial institutions under the Safeguards Rule primarily because they offer student loans, though other activities may also be covered. (Schneider, “ED Proposes Auditing Safeguards Rule Compliance”)
In the Program Participation Agreement (PPA) UCA has with the U.S. Department of Education, UCA agrees to comply with the Standards for Safeguarding Customer Information issued by the FTC (the specific GLBA provision was added in 2015). (U.S. Dept of Education, DCL GEN-16-12, July 1, 2016)

What type(s) of information is covered?
Personally identifiable financial information obtained in connection with a financial product or service offered or serviced by or on behalf of the University, including:
Account balances
Account numbers
Debit/credit card numbers
Income and payment history
Credit score or rating
Social Security number
Internet Service Provider (ISP) address
Name, address, and other information provided on a loan application
Important: This list is not comprehensive. Please direct any questions on whether information is covered by the Safeguards Rule to your department manager.
Source: 16 CFR 313.3(o)(2)(i)

Customer Information
Personally identifiable financial information (see previous slide) obtained in the following situations is covered by the Safeguards Rule:
Information provided by a customer to obtain a financial product or service (e.g., loan, long-term payment plan with interest);
Information about a customer resulting from a transaction involving a financial product or service between the customer and the University; and
Information otherwise obtained about a customer in connection with providing a financial product or service to that customer.
Important: Departments that accept loan or other applications for credit and then forward them to another office, such as the Office of Student Financial Aid, are required to protect such information.
Source: 16 CFR 313.3(o)(1)

Examples of activities not covered
Customer use of a University ATM to withdraw funds, check account balances, etc.
Offering and/or servicing deferred payments or short-term payment plans without interest
Solely accepting payment by cash, check, or a debit/credit card that the University did not issue
Renting a University facility
Payments for merchandise (e.g., books, clothing, etc.)
Important: In general, financial products or services are those that would typically be offered by a financial institution, such as loans, investment/retirement accounts (e.g., IRA), insurance products, etc.
Source: 16 CFR 313.3(i)(2)(ii) and the University of Minnesota

What is required of UCA?
The Safeguards Rule requires financial institutions to develop and maintain an Information Security Program (ISP), which must include:
A designated ISP Coordinator (currently the Vice President for Finance & Administration or designee);
A risk assessment to identify internal and external threats to customer information;
Implementation and monitoring of safeguards to control the threats to customer information identified in the risk assessment;
Evaluation and adjustment of the ISP due to changing circumstances or business operations; and
Actions to oversee third-party service providers to ensure they are capable of adequately safeguarding customer information.
Source: 16 CFR 314

Risk Assessment Requirements
The University’s identification and assessment of risks to customer information should address, at a minimum, the following:
Employee training and management;
Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
Source: 16 CFR 314.4(b)

Examples of safeguards
Reference checks/background checks on new employees who will be accessing customer information;
Having new employees sign an agreement to follow the institution’s confidentiality and security standards for customer information;
Limiting access to customer information to employees who have a business need/reason to access it;
Requiring “strong” passwords (minimum number of characters; combination of letters, numbers, and symbols; etc.);
Appropriate use policies for technology devices, including mobile devices;
Immediately deactivating login credentials for terminated employees to prevent unauthorized network access.
Source: FTC, “Financial Institutions and Customer Information”

Examples of safeguards (cont.)
Ensuring only authorized employees have access to physical records containing customer information;
Ensuring the transmission of customer information is done via a secure connection and/or is encrypted;
Properly disposing of customer information by shredding or another suitable method;
Erasing or wiping data from technology devices containing customer information prior to disposal;
Keeping network activity logs and monitoring them for unauthorized network access; and
Utilizing an intrusion detection system (IDS) to alert the institution of attempted network attacks.
Source: FTC, “Financial Institutions and Customer Information”

How UCA is complying
The University has:
Developed an Information Security Program (ISP) outlining the requirements of the Safeguards Rule and the roles and responsibilities of the ISP Coordinator and campus departments;
Created a two-page reference guide on the types of information and activities that may be covered;
Created a questionnaire to determine which campus areas handle covered information and how it is protected;
Created a certification form for departments/administrative units to attest to compliance; and
Provided links to applicable University policies and external resources for additional information on the Safeguards Rule.

Resources
Information Security Program (ISP): contains the requirements of the Safeguards Rule and how the University is complying.
Safeguards Rule Examples: a short reference guide of activities and information that may be covered under the Safeguards Rule.
Safeguards Rule Compliance Training: this PowerPoint® providing an overview of the Safeguards Rule and how UCA is complying.
Safeguards Rule Compliance Questionnaire: required to be completed annually by departments handling customer information covered under the Safeguards Rule. It helps determine whether appropriate safeguards are in place.
Safeguards Rule Certification Form: required to be completed annually by departments handling customer information covered under the Safeguards Rule. It demonstrates that the necessary requirements for compliance have been satisfied.

Contacts
For questions on procedures and information specific to your area, please ask your supervisor.
For questions on the University’s Information Security Program (ISP) or compliance materials, please visit the Division of Finance & Administration web page.
For assistance with network and computer security, policies, and procedures, please visit the Division of Information Technology (IT) web page.

Sources
Choroszy, Melisa. “Beyond FERPA: Maintaining the Privacy and Confidentiality of Student Data.” Accessed April 18, 2017.
Electronic Code of Federal Regulations (CFR): 16 CFR 313, 314.
FTC. “Financial Institutions and Customer Information: Complying with the Safeguards Rule.” Published April 2006. Accessed April 17, 2017.
Schneider, Megan. “ED Proposes Auditing Safeguards Rule Compliance.” NACUBO. April 13, 2017.
UCA Registrar. “FERPA.” https://uca.edu/registrar/ferpa/. Accessed April 18, 2017.
University of Minnesota Controller’s Office. “Gramm-Leach-Bliley Act: Safeguards Rule.” https://finsys.umn.edu/glba. Published June 1, 2012. Accessed April 18, 2017.
U.S. Department of Education. Dear Colleague Letter GEN-16-12, “Protecting Student Information.” Published July 1, 2016.