Download presentation
Presentation is loading. Please wait.
1
Scott McGlynn, Marketing & Content Manager
Protecting Your Piece of the PII: Gramm Leach Bliley Act and Red Flag Rules Scott McGlynn, Marketing & Content Manager Annmarie Buchanan, Vice President of Compliance & Acting Chief Compliance Officer
2
Disclaimer The information contained within this presentation is not legal advice and is not a full and exhaustive explanation of GLBA or Red Flag Rules and their applications. This information should not be used to replace the sound advice of your own legal counsel who has a working knowledge of your business and all its applicable state and federal laws. This information is provided for informational and educational purposes only.
3
Gramm-Leach-Bliley Act (GLBA): Welcome to the Club
4
Welcome to the Club Who here has been to the BJ’s Wholesale Club in Brooklyn? Identity theft isn’t the exception to the rule anymore
5
Identity Theft According to the Identity Theft Resource Center’s® 2017 Data Breach Year-End Review: 1,579 data breaches in 2017 44.7% increase from 2016 (2016 was record high) Educational Sector accounted for 8% of data breaches That is 126 data breaches in the education sector in 2017. 50% of instances of Identity Theft happened via cyber methods
6
Take a moment What would happen if your institution had a data breach?
Loss of reputation Headache Long hours of work Thousands of dollars I couldn’t stop my information from being stolen, but I can have a plan prepared to manage it So how do you prepare?
7
Gramm-Leach-Bliley Act
Photo: Justin Lane/The New York Times/Redux
8
Background of the GLBA Financial Services Modernization Act of 1999
Repealed the Glass-Steagall Act of 1933 Allowed banks, financial institutions, security companies, and insurance agencies to combine Allowed banks to offer both savings and investment services Financial Privacy Rule Compliance is mandatory Higher Education Institutions are treated as financial institutions under FTC regulations
9
What’s the Point? “The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.” - FTC
10
GLBA Requirements Must have policy in place to protect non-public information from threats in security and data integrity Components include: Financial Privacy Rule Safeguard Rules Pretexting Protection Colleges and universities can be in compliance under privacy provisions if compliant with FERPA Required to meet administrative, technical, and physical safeguarding of information
11
Department of Education on GLBA
“Our expectation is that all FSA partners will quickly assess and implement strong security policies and controls and undertake ongoing monitory and management for their systems, databases and processes that support all aspects of the administration of Federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965, as amended (the HEA). Such systems, databases and processes include all systems that collect, process, and distribute information – including PII – in support of application for and receipt of Title IV student assistance.” – Dear Colleague Letter GEN-15-18 Student Aid Internet Gateway (SAIG) Enrollment Agreement requires GLBA compliance
12
GLBA Compliance Audit The U.S. Office of Management and Budget (OMB) plans to include new Special Tests and Provisions in its 2018 Compliance Supplement. Department of Education expected to add the testing requirements in the Audit Guide shortly after Compliance with certain GLBA provisions will be tested as part of the single audit beginning in either 2018 or 2019. ED drafted provisions for 2017 but removed to-be-tested-as-part-of-the-higher-education-audit
13
Compliance Elements of GLBA
Develop, implement and maintain a written information security program Designate the employee(s) responsible for coordinating the information security program Identify and assess risks to customer information Design and implement an information safeguards program Select appropriate service providers that are capable of maintaining appropriate safeguards Periodically evaluate and update security program
14
Security Program Objectives
Ensure security and confidentiality of customer information Protect against anticipated threats to the security or integrity of information Guard against unauthorized access to or use information that could result in substantial harm or inconvenience 01.ashx?la=en&hash=54DF89E68289BDB6FA72E13BC E0 810
15
Data Breach Requirements
Unauthorized disclosure, misuse, alteration, destruction or other compromise of information Doesn’t have to be electronic in nature Does not have a minimum number of compromised records to qualify Failure to report actual or suspected breaches can include a fine of up to $54,789 per violation. What information to report: Date of breach, information and number of records compromised, how breach occurred, security program officer’s contact information, and detailed description of how your organization is handling notification and mitigation of impact.
16
Use strong passwords; the more characters, the better Use combination of uppercase, lowercase, special characters and numbers Follow guidelines of your organization’s policies Periodically change passwords Do not write down passwords where publically accessible Do not share passwords
17
What is PII? Information that can be used to distinguish or trace an individual’s identity either directly or indirectly through other information All personal information associated with an individual Student’s Name, name of family members, address, personal identifier such as social security number, student number, date of birth, place of birth, mother’s maiden name, etc.
18
Sensitive PII Information which lost, compromised or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness Can be stand-alone or paired with other PII Can be based on PII context: List of Employees compared to List of Low Performing Employees Stand-Alone Paired with other PII Social Security Number Medial Information Driver’s License Number Account Passwords Financial Account Number Date of Birth Biometric Identifiers Criminal History
19
Questions that Need Answers
What kind of data do you have or maintain? Where is the data housed / stored? Who has access to it? How is data being monitored?
20
Useful Strategies Turn monitors away from public view
Properly dispose of all documents Lock your computer anytime you leave Shortcut: “Windows Key” + “L” Keep your desk clean and organized Do not leave PII in your desk if not locked Do not leave PII in public areas Keep areas containing PII locked at all times
21
GLBA Takeaways Compliance is required
Safeguarding data is your priority Be mindful of how you treat data Have a written policy to handle data security and integrity
22
Red Flag Rules
23
Red Flag Rules Final rules and guidelines on identity theft “red flags” were published on November 9, 2007, (“Red Flags rule”) to implement section 615(e) of the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681m(e)) Requires written identity theft prevention program to mitigate risk of identity theft for consumers FTC estimates nine million Americans have their identity stolen each year Can carry $3,500 fine per violation Individuals can seek damages Required if a “Creditor”
24
Definition of a Creditor
Obtains or uses consumer reports in connection with a credit transaction; Furnishes information to consumer reporting agencies in connection with a credit transaction; or Advances funds to or on behalf of a person, in certain cases.
25
Does my Institution Need a Plan?
If you fall under any of the activities in the definition of a creditor and answer yes to one or more of the following questions, you do. Does your institution: Defer payments for goods and services or bill customers? Grant or arrange credit? Participate in the decision to extend, renew or set the terms of credit?
26
Developing Your Plan FTC provides guidelines in developing a Red Flag Rule Policy Plan identity-theft-red-flags-rule-how-guide-business
27
Red Flag Program Parts Must include reasonable policies and procedures to identify signs of identity theft (“red flags”) in day-to-day operations Must be designed to detect the red flags of identity theft identified by the business Must set out actions the business will take upon detecting red flags Must re-evaluate its Program periodically to reflect new risks from this crime
28
Example If your institution requires valid ID for identity verification: Formally recognize that ID’s could result in Red Flags Create guidelines of the components of invalid ID and methods to test for validity Create policies and procedures to handle instances of invalid IDs Review for new / changes in IDs
29
Identify Relevant Red Flags
Risk Factors Sources of Red Flags Categories of Common Red Flags: Alerts, notifications and warnings from a credit reporting company Suspicious documents or information Personal identifying information inconsistent Unusual account activity Notice from other sources
30
Detect Red Flags Use identity verification and authentication methods to help detect red flags. Reasonable procedures for new and existing accounts.
31
Prevent and Mitigate Identity Theft
Monitor accounts for evidence of identity theft. Contact the customer (student). Change passwords or security codes. Close account and reopen with new number. Do not refer to debt collector or try to collect. Notify law enforcement.
32
Update the Program Board of Directors or a committee appointed by the Board must approve initial plan. Train all relevant staff as necessary. Third Party services providers must comply Periodically review plan and update as new red flags are identified.
33
Personal Identity Measures
Use complex passwords Use different passwords for different purposes and make financial passwords unique and separate Keep your secure Two-Factor Authentication where possible Monitor what you say on Social Media Use Credit Freezes as necessary Diversify Only use secured wireless networks Update software Monitor credit reports and financial statements regularly Immediately respond to potential threats Have a plan in place
34
Additional Information:
NACUBO: Property/GLBA-Data-Security-Resources Department of Education Dear Colleague Letters: GEN-15-18: GEN-16-12:
35
Questions?
36
Thank you! For additional questions, please speak with:
Corky Mobley, Regional Account Executive (714) Brooke Singletary, Director of Sales & Marketing (318)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.