What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) is a law enacted in 1999 that requires financial institutions to protect the privacy of consumer information. It also mandates that companies provide consumers with privacy statements that describe in detail the companies’ information-sharing policies and practices. The GLBA’s Safeguards and Privacy rules are designed to protect the non-public personal information (NPI) of consumers. NPI is defined as any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.

Examples of NPI protected by GLBA include:

  • Any information an individual gives the institution in order to get a financial product or service (for example, name, address, income, Social Security Number, or other information on an application)
  • Any information an organization receives about an individual from a transaction involving a financial product or service (for example, the fact that an individual is a consumer or customer of the company, account numbers, payment history, loan or deposit balances, and credit or debit card purchases)
  • Any information the company gets about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

How Does GLBA Apply to UAB?

At first glance, one might think that GLBA does not apply to universities because its focus is primarily on financial institutions, financial products and services, and any associated customer data. When reviewing the Federal Trade Commission’s (FTC) guidance on GLBA-related data and the Safeguards Rule, however, it becomes evident that universities do collect and manage data that falls under GLBA protection:

“Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as ‘financial institutions’ to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.”

As the FTC guidance quoted above shows, those data fields correspond to student-related information that universities gather regularly. That information includes, but is not limited to, the following:

  • Student financial aid and grant information,
  • Payment history, and
  • Student loan information

Any such data collected, processed, transmitted, and/or stored are protected by GLBA’s Safeguards and Privacy rules. Compliance with GLBA requirements is mandatory. Per UAB’s Data Classification Rule, GLBA data is classified as Restricted/PHI data: “sensitive data that is highly confidential in nature, carries significant risk from unauthorized access, or uninterrupted accessibility is critical to UAB operation. Privacy and Security controls are typically required by law or contract.”

UAB’s Data Protection Rule defines the minimum security controls that must be applied to protect GLBA data. Please refer to that document for additional guidance.

What Does the Safeguards Rule Require?

The Safeguards Rule requires the development and operation of a comprehensive information security program whose aim is to provide administrative, technical, and physical security controls to protect GLBA data. At a high level, the Safeguards Rule defines the following objectives:

  1. Ensure the security and confidentiality of customer information,
  2. Protect against any anticipated threats or hazards to the security or integrity of such information, and
  3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

As a part of this information security program, the FTC states that each compliant organization must:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

For more information, please visit the FTC’s Complying with the Safeguards Rule website.

In addition to guidance from the FTC, EDUCAUSE provides recommendations related to GLBA compliance requirements for universities. One such recommendation is to use federal guidelines for protecting controlled unclassified information (CUI) when building an information security program to protect GLBA data. Those guidelines can be found in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171. For more information on NIST SP 800-171, please review the following links: