GLB Safeguards Rule: Overview, Training and Enforcement Considerations. NACUA 43rd Annual Conference. Peter C. Cassat, Margaret O’Donnell.


1 GLB Safeguards Rule: Overview, Training and Enforcement Considerations
NACUA 43rd Annual Conference
Peter C. Cassat, Margaret O’Donnell

2 Scope of GLBA Safeguards Rule
- The FTC’s Safeguards Rule, promulgated under the GLBA, went into effect on May 23, 2003 and is aimed at ensuring the safeguarding and confidentiality of customer information held in the possession of covered financial institutions.
- Unlike the FTC’s earlier GLBA Privacy Rule, the Safeguards Rule contains no exemption for institutions that are subject to FERPA. As a result, educational institutions that engage in financial institution activities, such as processing student loans, are required to comply with the Safeguards Rule.

3 General Requirements
- The Safeguards Rule requires each covered institution to develop, implement, and maintain a “comprehensive information security program” that is “written in one or more readily accessible parts”, and that includes “administrative, technical and physical safeguards” designed to ensure the security and confidentiality of customer records.
- The Safeguards Rule expressly recognizes that each institution’s information security program may vary, based on its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.

4 Comprehensive Written Information Security Program
- In order to “develop, implement and maintain” the required written information security program, the Safeguards Rule requires each institution to carry out certain steps:
  – designate one or more employees to coordinate the program;

5 Information Security Program Steps, cont.
  – identify “reasonably foreseeable” internal and external risks to the security and confidentiality of customer information that could lead to unauthorized disclosure, use, alteration, destruction or other compromise of such information and “assess the sufficiency” of the institution’s safeguards in place to control these risks.

6 Information Security Program Steps, cont.
- Such risk assessment must include, at a minimum, risks in areas of operation such as:
  – employee training and management,
  – information systems, and
  – detecting, preventing, and responding to attacks against the institution’s systems;

7 Security Program Steps, cont.
  – implement safeguards to manage the identified risks and regularly test or monitor such safeguards;
  – oversee the institution’s service providers by:
    – selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and
    – requiring service providers by contract to implement and maintain such safeguards;

8 Ongoing Security Steps
- The Safeguards Rule requires institutions to evaluate and adjust their security programs in light of the required risk assessment, any material change to institutional business operations or any other circumstances that may have a material impact on the institution’s information security program.

9 Practical Considerations
- The most difficult challenge under the Safeguards Rule is identifying the scope of information covered.
- It may be possible to take the position that the Safeguards Rule applies only to information collected or maintained in connection with the institution’s financial institution activities – i.e., student financial aid related activities.
- It may be difficult, however, for institutions to segregate information that is collected in connection with financial institution related activities (such as Social Security numbers) from other information maintained with respect to its student population.

10 Drafting Issues
- The FTC rules expressly recognize that an institution’s information security program may be maintained in one or more documents. Thus, it should be possible to incorporate existing policies and procedures relating to the safeguarding of information and to the proper use of institutional network resources, such as existing acceptable use, information technology security and student record access policies and procedures.

11 Risk Management Issues
- The Safeguards Rule recognizes that an institution need not make its security program publicly available. However, open records laws may provide access.
- Drafts and deliberative documents relating to the creation and implementation of the program should be labeled as attorney-client privileged drafts.

12 Approaches to GLB Compliance
NACUA 43rd Annual Conference
Tom Schumacher, University of Minnesota
June 25, 2003

13 Options for Organizational Mgmt. - Program Leadership
- “Designate an employee or employees to coordinate” (§314.4(a))
  1. Centralized Model, single person
  2. Decentralized, several “coordinators”
  3. Hybrid, central coordinator, designated responsible parties in key units
- Designation must be set out in written security plan (§314.3(a))
- Try to integrate with existing responsibilities

14 Centralized Model
- Options for Responsible Office
  – Chief Information Officer?
  – Controller?
  – CFO?
  – Registrar?
  – Privacy Officer (if have one)?
  – Custodian of Student Record?
  – Auditor?
  – IT Security Officer?
  – Others
- Delegate administrative duties as appropriate

15 Decentralized Model
- Designate responsible coordinator in areas with “covered data”
  – Student Finance Director(s): one at each campus
  – IT Office(s)
  – Collections
  – Human Resources
  – Accounting
  – Collegiate contacts
  – Athletics
  – Others
- Consider some oversight method

16 Hybrid Model
- Single Central Coordinator
- Formally designated contacts in units with “covered data” responsible for carrying out risk assessments and monitoring where required
- Communication with leadership from areas with covered data

17 Coordinator Program Responsibilities
- Risk Assessment - § 313.4(b)
  – Identify/inventory access to covered data
  – Assess Risk
- Internal Controls
  – “Design and implement safeguards to control the risks you identify” (§ 313.4(c))
  – Match these to level of assessed risk

18 Internal Controls
- Program Oversight
- Risk Assessment
- Roles and Responsibilities
- Policies and Procedures
- Education, Training & Awareness
- Monitoring, Testing, Oversight
- Corrective action/Communication
  – Iterative and continuing process

19 Example Risk Assessment - for each significant area to evaluate
- Electronic
  – Access
  – Storage
  – Transmission
  – Destruction
- Print materials
  – Access
  – Storage
  – Transmission
  – Destruction
- Service Providers
- System Integrity
- Employee permitted to access database without proper authorization
- Misuse of information by employee with authorized access
- Etc.

20 Example Risk/Internal Controls matrix approach (Area: student financial collections)

21 Example: Hybrid Model
- Coordinator makes sure Risk Assessment and Internal Controls for each covered area are in place
  – For significant areas, conducted by designated contacts
  – For isolated areas, conducted by Coordinator
- Designated contacts annually provide report to Coordinator
  – Annual confirmation that risks are current
- Coordinator annually reports on risk environment and controls to Compliance and leadership
  – Identifies problem areas

22 Identifying and Evaluating Exposures and Risks
NACUA 43rd Annual Conference
Christopher Holmes, Baylor University
June 25, 2003

23 Scope of Risk Assessment
- “You shall...identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.” 16 CFR §314.4(b).

24 Areas to Include
1) Employee training and management;
2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

25 Steps to Risk Assessment
- Meet with all business owners facing the risks and discuss their experiences
- Prepare a list that encompasses the risks (both internal and external) they observe
- Determine whether current steps are sufficient in controlling the risks
- Discuss additional reasonable steps that could be taken to increase security

26 List of Potential Risks
- Compromise of system security (e.g., hacker)
- Interception of data during transmission
- Physical loss of data due to disaster
- Corruption of data or systems
- Unauthorized access by employees
- Unauthorized requests for data (e.g., pretext calling)
- Unauthorized transfer of data by third parties

27 FTC Suggestions: Employee Management and Training
- Check references prior to hiring employees who will have access to cdi
- Employees sign confidentiality agreement
- Train employees to take basic steps (passwords, pretext calling, etc.)
- Regular reminders of policy and legal requirement to keep cdi confidential
- Limit access to those employees with a business reason for seeing it

28 FTC Suggestions: Information Systems
- Store records in a secure area
- Provide for secure data transmission (use of SSL, password protect email accounts, etc.)
- Dispose of customer information in secure manner
- Inventory computers on network systems

29 FTC Suggestions: Managing Systems Failures
- Develop a written contingency plan to address breaches
- Maintain software and hardware (security patches, anti-virus software, etc.)
- Backups of all cdi
- Configure systems to ensure that access to cdi is granted only to appropriate users
- Notify customers promptly if cdi is disclosed

30 Review and Assessment of Plan
- GLB requires continued evaluation and adjustment of the safeguards program in light of relevant circumstances. Periodically review changes in the university’s operations or business arrangements or the results of testing and monitoring of enacted safeguards.

31 “Service Provider” Rules Under the Gramm-Leach-Bliley Act
2003 NACUA National Conference, June 25, 2003
Gregory C. Brown, Associate General Counsel, Office of the General Counsel, University of Minnesota

32 Overview of Presentation
- Review FTC Safeguard Rule on the oversight, selection and retention of service providers and mandatory contract provisions.
- Discuss ways, by contract, to protect Universities once security has been breached or customer information has been lost, misused or altered.

33 Who is a “Service Provider”?
- “Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution....” FTC Safeguard Rule, § 314.2(d), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

34 Duty to Oversee Service Providers
- Institutions must take “reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information....” FTC Safeguard Rule, § 314.4(d)(1), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

35 Duty to Oversee Service Providers
- Each institution is expected to “take reasonable steps to assure itself that its current and potential service providers maintain sufficient procedures to detect and respond to security breaches....” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).

36 Duty to Oversee Service Providers
- Each institution is expected to “maintain reasonable procedures to discover and respond to widely-known security failures by its current and potential service providers.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).

37 Duty to Oversee Service Providers
- The FTC did not mandate any specific reviews or steps an institution must take to comply.
- Institutions need not undertake “unlimited evaluation(s) of their service providers’ capabilities.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002).
- Review will depend on the “circumstances and the relationship” between the institution and the service provider. Id.

38 Mandatory Contract Provisions
- Each contract entered into after June 24, 2002, must require the service provider “to implement and maintain such safeguards.” FTC Safeguard Rule, §§ 314.4(d)(2) and 314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).
- A contract in place before that date need not include the mandatory provision until May 24, 2004. FTC Safeguard Rule, § 314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

39 Mandatory Contract Provisions
- So as to give institutions flexibility, the FTC did not mandate particular contract language.

40 Mandatory Contract Provisions
- Sample clause: “Throughout the term of this Agreement, Service Provider shall implement and maintain ‘appropriate safeguards,’ as that term is used in § 314.4(d) of the FTC Safeguard Rule, 16 C.F.R. § 314 (the ‘FTC Rule’), for all ‘customer information,’ as that term is defined in §314.2(b) of the FTC Rule, owned by the University and delivered to Service Provider pursuant to this Agreement.

41 Mandatory Contract Provisions
- Sample clause, cont’d: “Service Provider shall promptly notify the University, in writing, of each instance of (i) unauthorized access to or use of that customer information that could result in substantial harm or inconvenience to a customer of the University or (ii) unauthorized disclosure, misuse, alteration, destruction or other compromise of that customer information. Within 30 days of the termination or expiration of this Agreement, Service Provider shall destroy and shall cause each of its agents to destroy all records, electronic or otherwise, in its or its agent’s possession that contain such customer information and shall deliver to the University a written certification of the destruction.”

42 Mandatory Contract Provisions
- The FTC Safeguard Rule is silent as to the penalty for an institution entering into or maintaining a contract with a service provider that does not comply.

43 Additional Contract Terms
- Right to on-site audit of Service Provider’s security program.
- Right to terminate if Service Provider has allowed a material breach of its security program, if Service Provider has lost or materially altered customer information, or if the University reasonably determines that Service Provider’s program is inadequate.

44 Additional Contract Terms
- Service Provider to indemnify and defend the University for security breaches, violations of GLB caused by Service Provider’s negligence, and loss or material alteration of customer information.
- Service Provider to reimburse the University for its direct damages (e.g., costs to reconstruct lost or altered information) resulting from the security breach, loss, or alteration of customer information.

45 Conclusion
- GLB is another step on the ever-lengthening road to the land of perfect privacy.
- The FTC Safeguard Rule should be seen as part of an institution’s comprehensive privacy policy.
- Institutions need to address the protection of (meaning here access to) information already in the “hands” of both current and past service providers.

46 What is Required for Training under GLB Safeguards Rule
- Training should be very simple.
- You don't even need to mention GLB.

47 What Points to Include in Training
- Both physical and computer records must be protected
- Do not give anyone else your password or ask anyone for theirs
- Encrypt sensitive customer information when transmitted over networks. Conversely, do not ask customers to send data such as credit card # or SSN over non-encrypted networks.
- Refer calls or requests for customer information to employees who have had safeguard training
- Beware "social engineering" (pretext calling)
- Identify where at the university to report fraudulent attempts to obtain customer information or questionable data access (might be Internal Auditor for financial records, Registrar for Student Records, other to Information Security Coordinator)

48 Who to Train
- Depends on specifics of your Information Security Plan
- Narrow v. Broad Approach
  – Broad = anyone who has access to student records, either paper or online. If your plan also covers credit card information, anyone who has access to credit card information (CUA taking this approach)
  – Narrow = only those offices with access to student financial data, or offices who engage in covered financial transactions, e.g. extending a loan for credit, gift annuity agreements, etc. (Georgetown taking this approach)

49 How to Train
- By video (see online video at http://counsel.cua.edu/glb/publications/)
- By brochures (online by end of summer at above site)
- In person in small groups for those who have managerial responsibilities in covered areas

50 Enforcement and 3rd Party Lawsuits
- No private right of action under GLB
- Plaintiff could bring case based on negligence
- Not much (if any) case law on negligent release of information such as SSN or credit card

51 Avoiding Lawsuits
- Likely to be a growing field with advent of laws like HIPAA, GLB and state laws protecting privacy
- See: Henderson, Steve, and Yarbrough, Matthew, Frontiers of Law: The Internet and Cyberspace: Suing the Insecure?: A Duty of Care in Cyberspace, 32 N.M.L. Rev. 11 (2002) for summary of theory of law in this area
- Follow standard of reasonableness. Stay current or ahead of curve on privacy protection, e.g. be there with the patch as soon as it is available.
