Office of General Counsel

Gramm-Leach-Bliley Act

 

The Gramm-Leach-Bliley Act of 1999 (the "GLB Act") was enacted on November 12, 1999, primarily to ease or repeal certain business prohibitions for financial institutions. In exchange, the GLB Act imposes new privacy protections for customers of financial institutions.

The Federal Trade Commission (the "FTC") promulgated regulations to implement the GLB Act privacy protections. The FTC's regulation became effective on May 23, 2003, and are intended to set standards to "ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazard to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer." 15 U.S.C. §6801(b).

While many people may not think of ASU as a financial institution, the GLB Act covers activities that are financial in nature including the student lending activities of ASU. Accordingly, ASU is required to comply with the privacy protections of the GLB Act. The privacy protections have two components: the nondisclosure of nonpublic information and the safeguarding of such information. The FTC has taken the position that educational institutions that comply with the Family Educational Rights and Privacy Act (FERPA), such as ASU, are exempted from the privacy rules dealing with nondisclosure of nonpublic information. However, these educational institutions, including ASU, are still subject to the safeguarding of information requirements.

The standards for safeguarding information require the development, implementation and maintenance of "a comprehensive information security program . . . appropriate to [the] size and complexity, the nature and scope of . . . activities" which designates a coordinator and identifies reasonably foreseeable risks. 16 C.F.R. § 314.3.

ASU's Interim Information Security Plan is posted at http://www.asu.edu/privacy/security/html. ASU's Chief Information Office and the Vice President for Student Affairs (this will be amended later to be the Vice President for Undergraduate Initiatives), in consultation with an advisory committee, are the designated coordinators. While a primary assessment of foreseeable risks is described in ASU's Interim Information Security Plan, the assessment is an on-going effort and will require the assistance of employees who handle nonpublic information. Safeguards are primarily focused on physical and electronic access to nonpublic information and on compliance by third party vendors with the safeguard rules. All ASU employees are responsible for safeguarding nonpublic information. This would entail measures such as limiting access to offices/computers where nonpublic information is stored, requiring proper identification before release of ANY information that may contain nonpublic information, turning off computers when absent from the computer system, locking offices and undergoing continuous training. By May 2004, every vendor who may have access to nonpublic information must contractually agree to comply with the safeguarding requirements. Departments will need to work with Purchasing and Business Services and the Office of General Counsel to ensure that all applicable current contracts have been amended, and all new contracts have language to provide for safeguarding of nonpublic information by vendors.

The term nonpublic information includes any personally identifiable information that is collected in connection with ASU's student lending activities. But it will be difficult to determine what is collected by ASU for student lending activities and what is collected for other purposes. Accordingly, as a practical matter, all nonpublic information collected by ASU should be safeguarded by ASU. This would include information such as social security numbers, personal income and tax information, loan information and bank account information.

An on-going GLB Working Group has been convening to review the Interim Information Security Plan and to make recommendations for its continuous implementation and compliance with the safeguarding rules. To stay in compliance, departments throughout ASU will need to help the GLB Working Group identify and determine which departments receive, use or store nonpublic customer information. Training programs at ASU will need to include compliance with the GLB Act as part of its curriculum.

 


Some of the legal material found at this site has been abridged from laws, regulations, court decisions, administrative rulings, ABOR and ASU policies and other sources. Further details may be necessary for complete analysis and understanding in particular matters. The information contained at this site, and related links, is not a substitute for professional legal counsel. Any discrepancy between the information at this site and ASU policy is not intended to alter or amend official ASU policy or procedure.

Any links to non-Arizona State University information are provided as a courtesy. They are not intended to nor do they constitute an endorsement by the Arizona Board of Regents or Arizona State University of the linked materials.