The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, was largely directed at financial institutions and creates obligations to protect customer financial information. However, it has been determined that colleges and universities are also covered by the act.

The GLBA has two major sections: privacy and security. The Federal Trade Commission’s (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with FERPA. GLBA privacy requirements should therefore not affect educational institutions, which should focus mainly on the security sections of the GLBA.

The information security or Safeguard section has five major requirements that a USG participant organization must follow:

  1. Designate one or more employees to coordinate the security safeguards;
  2. Identify and assess the risks to customer information in each relevant area and evaluate the effectiveness of the current safeguards;
  3. Design and implement a safeguards program and regularly monitor and test it;
  4. Select appropriate service providers and contract with them to implement safeguards; and,
  5. Evaluate and adjust the program in light of relevant circumstances or the results of testing.