The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. In 2021, the Federal Trade Commission (FTC) issued amendments to its rules under the GLBA; these changes updated the compliance requirements for higher educational institutions with a financial connection to the Title IV Program. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices (employee, student, customer, alumni, donor, etc.), both electronic and physical.

The changes listed below have a direct impact on current Compliance Policies. Covered institutions must:

  • designate a qualified individual to oversee their information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

These updates to current Compliance Policies at Holy Family University are for certain highly critical and private financial and related information. This Compliance Program applies to customer financial information (covered data) that the University receives during business as required by GLBA, and other confidential financial information included within its scope. 

GLBA Compliance Program

The GLBA Compliance Program covers the entirety of the activities and practices of the following offices and individuals:

  • Academic and administrative offices that handle electronic or printed personnel, financial, transactional, or student records.
  • Academic and administrative offices that transmit confidential information (protected data) to off-site locations as part of a periodic review or submission requirement.
  • Centers and Institutes that provide services and acquire personal or financial information from participants or constituents.
  • Faculty serving as directors, Task Forces, principal investigators, or program directors for programs collecting protected data.
  • Faculty, staff, and administrators with contracts to use, access, or provide protected data to or receive from a non-campus entity (e.g., government databases, science databases).

Categories of Information under the Plan

Information covered under the plan is defined by three categories: 

  • Personal Identifiable Information (PII) – Also known as protected data, PII includes first and last name, social security number, date of birth, home address, home telephone number, academic performance record, physical description, medical history, disciplinary history, gender, and ethnicity.
  • Financial Information – Information that the University has obtained from faculty, staff, students, alumni, auxiliary agencies, and patrons in the process of offering financial aid or conducting a program. Examples include bank and credit card account numbers, and income and credit histories.
  • Student Financial Information – Information that the University has obtained from a student while offering a financial product or service or such information provided to the University by another financial institution. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories. 

Key Points

  • The Compliance Program is a continuous process that is undertaken at periodic intervals.
  • The GLBA Compliance Program Task Force is responsible for implementing this Compliance Program.
  • IT, with the collaboration of HR, develops appropriate training programs to ensure staff are aware of protocols for protecting customer information.
  • The Task Force works with the Finance and Administration Office and other offices as appropriate to make sure that service provider contracts contain appropriate terms to protect the security of covered data.
  • The Task Force, working with responsible units and offices, monitors, evaluates and adjusts the Compliance Program in light of the risk management process results. 

Purpose

To continue to protect private information and data and to comply with the provisions of the Federal Trade Commission's safeguard rules implementing applicable provisions of the GLBA, the University has adopted this Compliance Program for certain highly critical and private financial and related information. The Compliance Program forms part of the university's overall strategic information security program. This program applies to customer financial information (covered data) the University receives during business as required by GLBA as well as other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope.

This page describes many of the activities undertaken by the University to maintain the security and privacy of the covered data according to GLBA requirements.

Scope and Applicability

The program is designed to protect private information and data and to comply with the provisions of the Federal Trade Commission's safeguard rules implementing applicable provisions of the GLBA; the University has adopted this Compliance Program for certain highly critical and private financial and related information. The Compliance Program forms part of the University's overall strategic information security program. This program applies to customer financial information (covered data) the University receives during business as required by GLBA as well as other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope.

The following table illustrates the mapping of the departments that fall under the scope of the GLBA Safeguard Rules.

GLBA Safeguard Rules Scope for Title IV Schools, by Department Covered Under the GLBA

Departments covered: Financial Aid, Office of Student Accounts, Admissions, Registrar’s Office
Scope:

  • Student Loans (Holy Family Loans, bank loans, and federal loans)
  • Private Student Loans
  • Personal Identifiable Information (PII)

    – SSN, Billing Information, Credit Card, Account Balance, Citizenship, Passport Information, Tax Return Information, Bank Account Information, Driver’s License and Date of Birth

  • Disbursement of Financial Aid
  • Payment Plans
  • 1098
  • 403(b) Loans

Departments covered: Human Resources (HR)
Scope:

  • 403(b) Loans
  • Emergency Faculty Loans
  • Emergency Staff Loans
  • Payroll W2’s

Departments covered: Finance and Administration
Scope:

  • G5 Drawdown of Federal Funds
  • Refunds and T & E Payments
  • Reconciliations
  • Coordination of Audits
  • 1099

Roles and Responsibilities

This section discusses the main roles and responsibilities required to execute the GLBA Compliance program effectively.

Vice President

  • Designates or serves as the GLBA Compliance Plan Task Force.
  • Responsible for systemwide compliance with the GLBA Safeguarding Rule through appropriate communication, responsibility, and authority for information technology resources.

Information Technology Office

  • Establishes and disseminates enforceable rules regarding access to and acceptable use of information technology resources
  • Establishes reasonable security policies and measures to protect data and systems
  • Monitors and manages system resource usage
  • Investigates problems and alleged violations of University information technology policies and reports violations to appropriate University offices, such as the Finance and Administration Office and Human Resources, for resolution or disciplinary action

Deans, Department Heads, and other Managers

  • Keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance, and ensure that they successfully complete the required training

Data Stewards/Wardens/Guardians

  • Abide by University policies and procedures governing covered data and any additional practices or guidelines established by their unit heads or directors
  • Report concerns to their supervisor

Controller

  • Assists units with setting risk evaluation schedules and processes as requested

University Auditors and Cross-Department GLBA Working Team

  • Reviews conformance to the GLBA Compliance Plan as part of routine internal audits

The GLBA Compliance Program Coordinators (GLBA Task Force) are responsible for implementing this Compliance Program in conjunction with the Qualified Individual. The Chair of the Task Force is appointed by the Vice President of Institutional Effectiveness, Technology, and Innovation.

The Task Force:

  • Works closely with IT, the University Registrar, Human Resources, Finance and Administration, the Office of Student Accounts, the Office of Student Financial Aid, and other offices and units as they have an interface with or control over covered data.
  • Consults with responsible offices to identify units and areas of the University with access to covered data. As part of this Compliance Program, the Task Force has identified units and areas of the University with access to covered data.
  • Conducts surveys or utilizes other reasonable measures to confirm that all areas with covered information are included within the scope of this Compliance Program. The Task Force maintains a list of areas and units of the University with access to covered data.
  • Ensures that risk assessments and monitoring are carried out for each unit or area that has covered data and that appropriate controls are in place for the identified risks.
  • Works to ensure adequate training and education are developed and delivered for all employees with access to covered data.
  • Verifies that existing policies, standards, and guidelines that provide for the security of covered data are reviewed and adequate.
  • Makes recommendations for revisions to policy, or the development of new policy, as appropriate.
  • Updates this Compliance Program, including this and related documents, from time to time.
  • Ensures the written security plan is maintained and makes the plan available to the University community.

Compliance Program Plan

Compliance means following the laws, regulations, and University policies that govern our everyday activities as University community members. This Compliance Program is a continuous process that is evaluated and adjusted in light of the following:

  • The results of the required testing/monitoring,
  • Any material changes to Holy Family operations or business arrangements, and
  • Any other circumstances that may have a material impact on Holy Family’s information security program.

The Compliance Program is organized around the following components:

  • Data Mapping
  • Risk Assessment and Implementation of Safeguards
  • Access Control
  • Encryption
  • Awareness, Training, and Education
  • Incident Response Plan and Procedures
  • Evaluate Service Providers’ Agreements and Processes
  • Continuous Program Maintenance
  • Defined Policies and Standards

This section highlights the approach taken by the University to ensure compliance with the GLBA requirements.

Defined Policy and Standards

Keeping security risks low is Holy Family's priority. The University’s structure for maintaining confidentiality and information security is intended to keep risks of any kind minimal, and quality assurance confirms that comprehensive processes are in place for best practices and information protection. The areas are listed below:

  • Risk Assessment
    • Third-party Risk Management
  • Vulnerability Assessment and Penetration Testing
  • Vulnerability and Patch Management
  • Access Control
  • Acceptable Use
  • Cryptography
  • Security Awareness, Training, and Education
  • Incident Response

Data Mapping

The Compliance Program identifies the flow of the data processed throughout the University to assist in the identification of risks to privacy and security. This activity includes determining:

  • The types of data being processed by the various business units
  • The format of the data processed, and the location of the data being used and stored
  • The purpose of the data being processed

Risk Assessment and Implementation of Safeguards

The Task Force works with all relevant departments to carry out comprehensive risk assessments. The risk assessment:

  • Identifies reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information; and
  • Assesses the sufficiency of any safeguards in place to control these risks.

Conduct Risk Assessment

This process includes system-wide risks as well as risks unique to each area with covered data and the effectiveness of management practices currently in place to ensure compliance and security enhancement. Risk assessments shall include a consideration of risks in each relevant area of operations and cover processes for handling, storing, and disposing of the paper records; processes for detecting, preventing, and responding to security failures; and employee training and management, including the appropriateness and frequency of staff and management security awareness training.

Design and Implement Safeguards

As a result of the risk assessment, recommendations are made as necessary to change management practices to improve business controls and/or to implement information safeguards. The University has developed a set of policies and procedures to guide the security and privacy of data covered by GLBA (see Defined Policy and Standards above).

Testing and Monitoring of the Systems

Holy Family University is diligent in its routine testing and monitoring of its systems, and the safeguards implemented are a result of the risk assessment outcomes.

Vulnerability Assessment

The University performs vulnerability assessments on systems that transmit, process, or store covered data.

Access Control

Access control is Holy Family University’s ability to implement, maintain, and enforce its access policies, standards, and procedures.

Encryption

The University uses industry-accepted and approved encryption algorithms and solutions, together with access control, to protect the integrity and privacy of data that is processed, stored, and transmitted.

Data Retention and Disposal

Holy Family University is diligent in its data collection, retention, and disposal efforts. The University’s record retention process is in accord with the GLBA. The program:

  • Eliminates the retention of unnecessary documents from the onset of data collection to the end of the retention process.
  • Supports the maintenance of records filing systems to facilitate retrieval and use.
  • Protects the most important, up-to-date information while less valuable information is disposed of or transferred to the appropriate secured storage area.
  • Safeguards information essential to Holy Family's daily business operations.

Provide Awareness, Training and Education

The following shall guide the training and management of employees:

  • Holy Family University implements required training programs to ensure staff are aware of protocols for protecting customer information.
  • All training programs or materials incorporate concepts relevant to both electronic and paper-based customer information.
  • Department managers and supervisors keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance.
  • Managers and supervisors ascertain which positions deal with customer information and assess whether these positions should be classified as “critical positions” requiring background checks, as provided for by Holy Family personnel policy.
  • Department managers and supervisors ensure employees complete the mandatory core security training and specific GLBA training as assigned.
  • All University employees that interact with the covered PII data during their daily activities are required to complete the GLBA Compliance training course describing their responsibilities while handling the personally identifiable information (PII).
    • Annual Cybersecurity training
    • Additional PII training requirements
    • Phishing exercises, designed and implemented by the IT department with approval from security governance, to help employees distinguish fraudulent emails from authentic ones and not respond to questionable emails or communications
    • Informative campus-wide communications regarding phishing, spear phishing, and other types of spam email
    • Mandatory security training for specific users working with EPHI

Incident Response Plan and Procedures

Holy Family University’s documented Incident Response Plan and Procedures address possible threats that could arise concerning Information Technology, privacy, and cyber incidents. The University’s preparation for these threats includes instruction for University employees on how to respond to potential threats. These steps are listed below:

  1. Formal and detailed documented responses/reports for investigative purposes or for resolving cyber issues
  2. Detection tools that readily identify cyberattacks or system anomalies
  3. Official tabletop exercises to assist the team with preparing against common and known threats
  4. Incident Response Tickets with additional key information related to the incident, such as status, impact, assessment, evidence gathered, and the next steps, will be available in Softdocs.

Evaluate Service Providers’ Agreements and Processes

The University may, from time to time, appropriately share covered data with third parties. When third-party business is conducted, however, appropriate risk management activities are in place to minimize any corresponding potential risks. The risks addressed include, but are not limited to, reputational, financial, operational, strategic, and compliance risks. The decision to engage with third parties must be consistent with the University’s business objectives, and it must be made after careful consideration of the risks involved in contracting for, implementing, and maintaining such safeguards.

Program Maintenance

The Task Force, working with responsible units and offices, monitors, evaluates, and adjusts the Compliance Program in light of the results of testing and monitoring of the risks identified as well as in response to any material changes to operations or business arrangements and any other circumstances which may reasonably have an impact on the Compliance Program. This Program document will be reviewed, at a minimum, annually by the VP and GLBA working committee.

Contact Information

Persons who have questions regarding the security of any of the categories of information that are handled or maintained by or on behalf of the University may contact:

Mark Green, Ed.D.
Vice President
Institutional Effectiveness, Technology, and Innovation
Holy Family Hall
9801 Frankford Ave
Philadelphia, PA 19114
Email: cyberops@holyfamily.edu
Telephone: 267-341-3402

The complete Gramm-Leach-Bliley Information Security Program is available at the VP’s Office.

Conflict of Interest

All individuals involved in the implementation, oversight, and enforcement of the GLBA Compliance Program must disclose any personal, financial, or professional relationships that could create the appearance of or actual conflict of interest in the execution of their duties. This includes relationships with vendors, service providers, and consultants involved in data protection, auditing, or training. All disclosed conflicts shall be reported to and managed under the University’s Ethics and Compliance Policy.

Definitions

This section highlights some of the key terminologies used under the GLBA.

Customer Information - means any record containing non-public personal information as defined in 16 CFR 313.3(n), about faculty, staff, and students of Holy Family, whether in paper, electronic, or other forms, that is handled or maintained by or on behalf of Holy Family or its service providers.

The following are examples (not an exhaustive list) of data elements that fall under customer information, whether they are stored as paper records or electronically:

  • Name
  • Home address
  • Home phone number
  • Date/location of birth
  • Driver’s license number
  • Name of spouse or other relatives
  • Citizenship
  • Bank and credit card number
  • Income and credit histories
  • Social Security numbers
  • Students’ performance evaluations or letters related to performance
  • Other information within the definition of “customer information”

Non-public personal information - means any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.

Financial Information - includes student financial aid and student, faculty, and staff loans.

Covered data and information - This program includes customers' non-public personal information that is required to be protected under GLBA. In addition to this required coverage, the University chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University, whether or not such financial information is covered by GLBA. Covered data and information include both paper and electronic records.

Service provider - any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to Holy Family, subject to this part.