Customer information is any record containing non-public personal information about a customer, student, or employee of a financial institution, whether paper, electronic or another form, that is handled or maintained by or on behalf of the financial institution or its affiliates. GLBA applies to customer/student information obtained in a variety of situations, including:

  • Information provided to obtain a financial product or service;
  • Information about a customer resulting from any transaction involving a financial product or service between the institution and customer/student; and,
  • Information otherwise obtained about a customer in connection with providing a financial product or service to the customer/student.

Non-Public Personal Information means personally identifiable financial information that is:

  • Provided by a consumer to a financial institution (higher education institutions are now defined as financial institutions);
  • Resulting from any transaction with the consumer/student or any service performed for the consumer/student; or,
  • Otherwise obtained by the financial institution.

The term also includes any list, description, or other groupings of consumers/students and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available.

Examples of Non-Public Personal Information (NPI) include:

  • Social Security Number (SSN)
  • Financial account numbers
  • Credit card numbers
  • Date of birth
  • Name, address, and phone numbers when collected with financial data
  • Details of any financial transactions

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces “sensitive but unclassified”. 

CSU Policy for CUI:

Controlled Unclassified Information is any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

Gramm Leach Bliley Act (GLBA)

  • The Gramm Leach Bliley Act (GLBA) is a comprehensive federal law affecting institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.
  • The Federal Trade Commission (FTC) enforces compliance with GLBA.
  • The FTC may bring an administrative enforcement action against any financial institution for non-compliance with the GLBA.

Safeguard Rules

Administrative Safeguards

Administrative Safeguards include developing and publishing policies, standards, procedures, and guidelines, and are generally within the direct control of a department, such as:

  • Reference checks for potential employees.
  • Confidentiality agreements that include standards for handling customer/student information.
  • Training employees on basic steps they must take to protect customer/student information.
  • Ensure employees are knowledgeable about applicable policies and expectations.
  • Limit access to customer information to employees who have a business need to see it.
  • Impose disciplinary measures where appropriate.

Physical Safeguards

Physical Safeguards are also generally within a department’s control and include:

  • Locking rooms and file cabinets where customer information is kept.
  • Using password-activated screensavers.
  • Using strong passwords.
  • Changing passwords periodically and not writing them down.
  • Referring calls or requests for customer information to staff trained to respond to such requests.
  • Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.
  • Ensure storage areas are protected against destruction or potential damage from physical hazards, such as fire or floods.
  • Store records in a secure area and limit access to authorized employees.
  • Dispose of customer information appropriately:
    • Designate a trained staff member to supervise the disposal of records containing customer/student personal information.
    • Shred or recycle customer information recorded on paper and store it in a secure area until the confidential recycling service picks it up.
    • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contains customer/student information.
    • Promptly dispose of outdated customer/student information according to record retention policies.

Technical Safeguards

Technical Safeguards include:

  • Storing electronic customer/student information on a secure server that is accessible only with a password or has other security protections and is kept in a physically secure area.
  • Avoiding the storage of customer/student information on machines with an Internet connection.
  • Maintaining secure backup media and securing archived data.
  • Using anti-virus software that updates automatically.
  • Obtaining and installing patches that resolve software vulnerabilities.
  • Following written contingency plans to address breaches of safeguards.
  • Maintaining up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home.
  • Providing central management of security tools and keeping employees informed of security risks and breaches.