Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scott McGlynn, Marketing & Content Manager

Published byMelvyn Jordan Modified over 6 years ago

Similar presentations

Presentation on theme: "Scott McGlynn, Marketing & Content Manager"— Presentation transcript:

1 Scott McGlynn, Marketing & Content Manager
Protecting Your Piece of the PII: Gramm Leach Bliley Act and Red Flag Rules Scott McGlynn, Marketing & Content Manager Annmarie Buchanan, Vice President of Compliance & Acting Chief Compliance Officer

2 Disclaimer The information contained within this presentation is not legal advice and is not a full and exhaustive explanation of GLBA or Red Flag Rules and their applications. This information should not be used to replace the sound advice of your own legal counsel who has a working knowledge of your business and all its applicable state and federal laws. This information is provided for informational and educational purposes only.

3 Gramm-Leach-Bliley Act (GLBA): Welcome to the Club

4 Welcome to the Club Who here has been to the BJ’s Wholesale Club in Brooklyn? Identity theft isn’t the exception to the rule anymore

5 Identity Theft According to the Identity Theft Resource Center’s® 2017 Data Breach Year-End Review: 1,579 data breaches in 2017 44.7% increase from 2016 (2016 was record high) Educational Sector accounted for 8% of data breaches That is 126 data breaches in the education sector in 2017. 50% of instances of Identity Theft happened via cyber methods

6 Take a moment What would happen if your institution had a data breach?
Loss of reputation Headache Long hours of work Thousands of dollars I couldn’t stop my information from being stolen, but I can have a plan prepared to manage it So how do you prepare?

7 Gramm-Leach-Bliley Act
Photo: Justin Lane/The New York Times/Redux

8 Background of the GLBA Financial Services Modernization Act of 1999
Repealed the Glass-Steagall Act of 1933 Allowed banks, financial institutions, security companies, and insurance agencies to combine Allowed banks to offer both savings and investment services Financial Privacy Rule Compliance is mandatory Higher Education Institutions are treated as financial institutions under FTC regulations

9 What’s the Point? “The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.” - FTC

10 GLBA Requirements Must have policy in place to protect non-public information from threats in security and data integrity Components include: Financial Privacy Rule Safeguard Rules Pretexting Protection Colleges and universities can be in compliance under privacy provisions if compliant with FERPA Required to meet administrative, technical, and physical safeguarding of information

11 Department of Education on GLBA
“Our expectation is that all FSA partners will quickly assess and implement strong security policies and controls and undertake ongoing monitory and management for their systems, databases and processes that support all aspects of the administration of Federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965, as amended (the HEA). Such systems, databases and processes include all systems that collect, process, and distribute information – including PII – in support of application for and receipt of Title IV student assistance.” – Dear Colleague Letter GEN-15-18 Student Aid Internet Gateway (SAIG) Enrollment Agreement requires GLBA compliance

12 GLBA Compliance Audit The U.S. Office of Management and Budget (OMB) plans to include new Special Tests and Provisions in its 2018 Compliance Supplement. Department of Education expected to add the testing requirements in the Audit Guide shortly after Compliance with certain GLBA provisions will be tested as part of the single audit beginning in either 2018 or 2019. ED drafted provisions for 2017 but removed to-be-tested-as-part-of-the-higher-education-audit

13 Compliance Elements of GLBA
Develop, implement and maintain a written information security program Designate the employee(s) responsible for coordinating the information security program Identify and assess risks to customer information Design and implement an information safeguards program Select appropriate service providers that are capable of maintaining appropriate safeguards Periodically evaluate and update security program

14 Security Program Objectives
Ensure security and confidentiality of customer information Protect against anticipated threats to the security or integrity of information Guard against unauthorized access to or use information that could result in substantial harm or inconvenience 01.ashx?la=en&hash=54DF89E68289BDB6FA72E13BC E0 810

15 Data Breach Requirements
Unauthorized disclosure, misuse, alteration, destruction or other compromise of information Doesn’t have to be electronic in nature Does not have a minimum number of compromised records to qualify Failure to report actual or suspected breaches can include a fine of up to $54,789 per violation. What information to report: Date of breach, information and number of records compromised, how breach occurred, security program officer’s contact information, and detailed description of how your organization is handling notification and mitigation of impact.

16 Use strong passwords; the more characters, the better Use combination of uppercase, lowercase, special characters and numbers Follow guidelines of your organization’s policies Periodically change passwords Do not write down passwords where publically accessible Do not share passwords

17 What is PII? Information that can be used to distinguish or trace an individual’s identity either directly or indirectly through other information All personal information associated with an individual Student’s Name, name of family members, address, personal identifier such as social security number, student number, date of birth, place of birth, mother’s maiden name, etc.

18 Sensitive PII Information which lost, compromised or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness Can be stand-alone or paired with other PII Can be based on PII context: List of Employees compared to List of Low Performing Employees Stand-Alone Paired with other PII Social Security Number Medial Information Driver’s License Number Account Passwords Financial Account Number Date of Birth Biometric Identifiers Criminal History

19 Questions that Need Answers
What kind of data do you have or maintain? Where is the data housed / stored? Who has access to it? How is data being monitored?

20 Useful Strategies Turn monitors away from public view
Properly dispose of all documents Lock your computer anytime you leave Shortcut: “Windows Key” + “L” Keep your desk clean and organized Do not leave PII in your desk if not locked Do not leave PII in public areas Keep areas containing PII locked at all times

21 GLBA Takeaways Compliance is required
Safeguarding data is your priority Be mindful of how you treat data Have a written policy to handle data security and integrity

22 Red Flag Rules

23 Red Flag Rules Final rules and guidelines on identity theft “red flags” were published on November 9, 2007, (“Red Flags rule”) to implement section 615(e) of the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681m(e)) Requires written identity theft prevention program to mitigate risk of identity theft for consumers FTC estimates nine million Americans have their identity stolen each year Can carry $3,500 fine per violation Individuals can seek damages Required if a “Creditor”

24 Definition of a Creditor
Obtains or uses consumer reports in connection with a credit transaction; Furnishes information to consumer reporting agencies in connection with a credit transaction; or Advances funds to or on behalf of a person, in certain cases.

25 Does my Institution Need a Plan?
If you fall under any of the activities in the definition of a creditor and answer yes to one or more of the following questions, you do. Does your institution: Defer payments for goods and services or bill customers? Grant or arrange credit? Participate in the decision to extend, renew or set the terms of credit?

26 Developing Your Plan FTC provides guidelines in developing a Red Flag Rule Policy Plan identity-theft-red-flags-rule-how-guide-business

27 Red Flag Program Parts Must include reasonable policies and procedures to identify signs of identity theft (“red flags”) in day-to-day operations Must be designed to detect the red flags of identity theft identified by the business Must set out actions the business will take upon detecting red flags Must re-evaluate its Program periodically to reflect new risks from this crime

28 Example If your institution requires valid ID for identity verification: Formally recognize that ID’s could result in Red Flags Create guidelines of the components of invalid ID and methods to test for validity Create policies and procedures to handle instances of invalid IDs Review for new / changes in IDs

29 Identify Relevant Red Flags
Risk Factors Sources of Red Flags Categories of Common Red Flags: Alerts, notifications and warnings from a credit reporting company Suspicious documents or information Personal identifying information inconsistent Unusual account activity Notice from other sources

30 Detect Red Flags Use identity verification and authentication methods to help detect red flags. Reasonable procedures for new and existing accounts.

31 Prevent and Mitigate Identity Theft
Monitor accounts for evidence of identity theft. Contact the customer (student). Change passwords or security codes. Close account and reopen with new number. Do not refer to debt collector or try to collect. Notify law enforcement.

32 Update the Program Board of Directors or a committee appointed by the Board must approve initial plan. Train all relevant staff as necessary. Third Party services providers must comply Periodically review plan and update as new red flags are identified.

33 Personal Identity Measures
Use complex passwords Use different passwords for different purposes and make financial passwords unique and separate Keep your secure Two-Factor Authentication where possible Monitor what you say on Social Media Use Credit Freezes as necessary Diversify Only use secured wireless networks Update software Monitor credit reports and financial statements regularly Immediately respond to potential threats Have a plan in place

34 Additional Information:
NACUBO: Property/GLBA-Data-Security-Resources Department of Education Dear Colleague Letters: GEN-15-18: GEN-16-12:

35 Questions?

36 Thank you! For additional questions, please speak with:
Corky Mobley, Regional Account Executive (714) Brooke Singletary, Director of Sales & Marketing (318)

Download ppt "Scott McGlynn, Marketing & Content Manager"

Similar presentations

Red-Flag Identity Theft Requirements February 19th 2009 Cathy Casagrande, Privacy Officer.

Red-Flag Identity Theft Requirements February 19th 2009 Cathy Casagrande, Privacy Officer.
UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.

UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.
Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.

Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.
Compliance with Federal Trade Commission’s “Red Flag Rule”

Compliance with Federal Trade Commission’s “Red Flag Rule”
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.

Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.
© 2014 ACA International. All Rights Reserved. Obtaining Optimum Compliance Performance Foundational Training on ACA’s Professional Practices Management.

© 2014 ACA International. All Rights Reserved. Obtaining Optimum Compliance Performance Foundational Training on ACA’s Professional Practices Management.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
1 SAFEGUARDING REGULATIONS AND HOW THEY EFFECT US MICHIGAN ASSOCIATION FOR STUDENT FINANACIAL SERVICE ADMINISTRATORS BY: KAREN REDDICK NATIONAL CREDIT.

1 SAFEGUARDING REGULATIONS AND HOW THEY EFFECT US MICHIGAN ASSOCIATION FOR STUDENT FINANACIAL SERVICE ADMINISTRATORS BY: KAREN REDDICK NATIONAL CREDIT.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.

Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.

IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.

Similar presentations

Ads by Google