The University of Connecticut Health Center
| Field | Value |
|---|---|
| Law/Act | Gramm-Leach-Bliley Act or the Financial Services Modernization Act of 1999 |
| U.S. Code Citation | 15 U.S.C. 6801 et seq. |
| Code of Federal Regulations Citation | 16 CFR 313.1 et seq. (privacy); 16 CFR 314.1 et seq. (safeguarding) |
| Responsible Regulator | Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) |
| UConn Health Responsible Officer | Chief Financial Officer |
| Updated | January 2016 |
| Updated By | DAG |
| Version | 1.0 |
| Effective Date | Nov. 12, 1999 |
The Gramm-Leach-Bliley Act (GLBA) is a federal law that protects the privacy of consumers and limits when and what consumer information can be disclosed to third parties. Under the GLBA, financial institutions must ensure the confidentiality of consumers’ non-public identifiable financial information. The GLBA sets forth the “standards for developing, implementing, and maintaining reasonable . . . safeguards to protect the security, confidentiality, and integrity of customer information.”
In response to the financial failures of the Great Depression, Congress passed the Glass-Steagall Act in 1933 to prohibit commercial banks from affiliating with securities companies. Subsequent acts and revisions resulted in many American banks with unregulated privacy standards and a lack of consumer protection against unwanted information sharing. After a series of high profile cases involving banks selling consumer information with adverse consequences for customers—including credit fraud and identity theft—the GLBA was introduced in the Senate by Republican Senator Phil Gramm and the House of Representatives by Republican Representative James Leach. The GLBA was signed by President Bill Clinton on November 12, 1999. The Federal Trade Commission (FTC) has promulgated two rules under the GLBA: the Privacy Rule, which took effect on July 1, 2001, and the Safeguards Rule, which took effect on May 23, 2003.
Institutions that offer financial products or services—including student loan activities—are considered covered financial institutions regulated by the GLBA. Specifically, if an institution is “significantly engaged in lending funds to consumers” through such means as institutional loans or revolving credit accounts, then the institution is “engaging in financial activities” and is considered a financial institution.
The GLBA consists of two rules governing financial institutions, the Privacy Rule and the Safeguards Rule. Universities are deemed compliant with the Privacy Rule if they comply with the Family Educational Rights and Privacy Act (FERPA). However, universities are not exempt from the safeguarding regulations and thus must adopt an information security program. The law does not apply to information collected in business or commercial activities. Furthermore, a retailer is not considered a financial institution on the basis of accepting payments alone, because “a retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.”
Under the privacy regulations created by the FTC, financial institutions are required to do the following to protect consumer financial information:
- Provide annual notice to customers about the institution’s privacy policies and practices;
- Describe the conditions under which the institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
- Provide a method for consumers to opt out of personal information disclosures to most nonaffiliated third parties.
The Federal Trade Commission suggests that a business determine if the company’s clients are consumers or customers. A consumer is any individual who obtains or has obtained a financial product or service from the institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A customer, however, is a consumer who has a continuing customer relationship with a financial institution.
The distinction between consumer and customer is important because only customers are entitled to receive a financial institution’s privacy notice every year for as long as the customer relationship lasts. On the other hand, consumers only need to receive a privacy notice if the financial institution shares the consumers’ information with nonaffiliated third parties. Furthermore, the privacy notice must be given to individual customers or consumers by mail or in-person delivery; it may not, say, be posted on a wall.
Since institutions of higher education must already comply with FERPA regulations, an exhaustive list of privacy requirements is not included in this research memo. A university that complies with FERPA and its regulations is deemed to have met the privacy provisions of the GLBA for those student records subject to FERPA.
The safeguarding provisions of the GLBA set forth “standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” These provisions apply not only to customers with whom a university has a customer relationship, but also to customers of other financial institutions that have provided such information to a university.
A financial institution must develop, implement, and maintain a comprehensive information security program. This program shall contain administrative, technical, and physical safeguards appropriate for the size, complexity, nature, and scope of a financial institution’s activities. To establish an information security program one must do the following:
- Designate: Designate an employee or employees to coordinate the information security program.
- Identify risks: Identify internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Potential risks could include compromise of system security (hackers), interception of data during transmission, physical loss of data during a disaster, system or data corruption, unauthorized employee access, unauthorized requests for data (pretext calling), and unauthorized transfer of data by third parties.
- Assess: Assess the sufficiency of any safeguards in place to control the internal and external risks, including the consideration of risks in the following areas: employee training and management; information systems (including network design, software design, information processing, storage, transmission, and disposal); and detecting, preventing, and responding to systems failures.
- Design safeguards: Design and implement information safeguards to control the risks identified through risk assessment.
- Test: Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- Evaluate: Evaluate and adjust the information security program pursuant to the required testing and monitoring, material changes to the operation or business arrangements, or any other circumstances that may have a material impact on the information security program.
- Oversee service providers: A financial institution must select and retain service providers capable of maintaining appropriate safeguards for the customer information at issue. This includes requiring the service providers by contract to implement and maintain such safeguards. A service provider includes any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution.
Dear Colleague Letters
With the continued proliferation of data breaches at organizations, including universities, that compromise personally identifiable information (PII), the Department of Education has issued two “Dear Colleague Letters” reminding universities of their responsibilities to combat cybersecurity threats and ensure the confidentiality, security, and integrity of Title IV financial aid information.
Dear Colleague Letter GEN-15-18, dated July 29, 2015, states: “Institutions are reminded that under various Federal and state laws and other authorities, including the HEA; the Family Educational Rights and Privacy Act (FERPA); the Privacy Act of 1974, as amended; the Gramm-Leach-Bliley Act; state data breach and privacy laws; and potentially other laws, they may be responsible for losses, fines and penalties (including criminal penalties) caused by data breaches.”
Universities have an obligation under their Program Participation Agreement as well as under GLBA to protect student financial aid information. Additionally, under their Student Aid Internet Gateway (SAIG) Enrollment Agreement, universities agree to “ensure that all users are aware of and comply with all of the requirements to protect and secure data from Departmental sources using SAIG.”
In Dear Colleague Letter GEN-16-12, dated July 1, 2016, the Department of Education reiterated the responsibility to comply with GLBA: “Under their Program Participation Agreement (PPA) and the Gramm-Leach-Bliley Act (15 U.S. Code § 6801), they must protect student financial aid information, with particular attention to information provided to institutions by the Department of Education or otherwise obtained in support of the administration of the Title IV Federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended (the HEA).” The Department noted that compliance with GLBA was a requirement of the Program Participation Agreement and that it was adding the GLBA security controls to its Annual Audit Guide “in order to assess and confirm institutions’ compliance with the GLBA.” The Department of Education also strongly encouraged institutions to utilize the standards recommended in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) to safeguard student financial aid information.
In order to comply with the GLBA Privacy Rule, a university must annually notify students of their rights under FERPA. The GLBA Safeguards Rule requires financial institutions to “regularly test or otherwise monitor the effectiveness of” the information safeguards the institution has established.
The following websites provide valuable information regarding this law and its applicability.
| Website | Description |
|---|---|
| http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act | Overview of the act and its provisions. Also contains updated news regarding the GLBA and companies against which charges have been brought for violations of the provisions of the GLBA. |
| http://counsel.cua.edu/FEDLAW/glb.cfm | Catholic University of America’s summary of the GLBA. |
| http://epic.org/privacy/glba/ | Information about the GLBA from the Electronic Privacy Information Center. |
| http://www.law.cornell.edu/cfr/text/16/313 | 16 C.F.R. Part 313 – Privacy of Consumer Financial Information. |
| http://www.law.cornell.edu/cfr/text/16/314 | 16 C.F.R. Part 314 – Standards for Safeguarding Customer Information. |
| http://www.law.cornell.edu/uscode/text/15/chapter-94/subchapter-I | 15 U.S.C. Chapter 94, Subchapter I – Disclosure of Nonpublic Personal Information. |
| http://business.ftc.gov/documents/bus67-how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act | How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. |
| http://www.gpo.gov/fdsys/pkg/FR-2000-05-24/html/00-12755.htm | Privacy of Consumer Financial Information, 65 Fed. Reg. 33646. |
| http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule | Financial Institutions and Customer Information: Complying with the Safeguards Rule. |
| http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act | In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act. |
| http://www.nacua.org/nacualert/docs/GLB_Note_051603i.html | NACUA Alert on the FTC’s GLBA Safeguards Rule: Guidelines for Compliance. |
See 15 U.S.C. § 6802 (2013).
16 C.F.R. §§ 313.1(a), 314.3(b) (2013); 15 U.S.C. § 6801(a); Gramm-Leach-Bliley Act, Bureau of Consumer Protection Business Center, http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act (last visited Sept. 6, 2016).
16 C.F.R. § 314.1(a).
Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999).
Privacy of Consumer Financial Information, 65 Fed. Reg. 33,646, 33,648 (May 24, 2000) (codified at 16 C.F.R. pt. 313).
15 U.S.C. § 6809(3)(A).
16 C.F.R. § 313.1(b).
16 C.F.R. § 313.1(b) (noting that the privacy rule “does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes”).
Id. § 313.3(k)(4)(ii).
15 U.S.C. § 6803(a); 16 C.F.R. §§ 313.6, 313.9. A sample notice is available. See 16 C.F.R. § 313 App. A.
Nonpublic personal information includes personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n)(1)(i)-(ii).
15 U.S.C. § 6803(c)(1). A nonaffiliated third party is defined as any person except the financial institution’s affiliate; or a person employed jointly by the financial institution and any company that is not the institution’s affiliate (but nonaffiliated third party includes the other company that jointly employs the person). Id. § 313.3(m)(1)(i)-(ii).
15 U.S.C. § 6802(b); 16 C.F.R. § 313.1(a)(1)-(3).
In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, Federal Trade Commission, http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act (last visited Sept. 6, 2016).
15 U.S.C. § 6809(9); 16 C.F.R. § 313.3(e)(1).
15 U.S.C. § 6809(11); 16 C.F.R. § 313.3(h).
16 C.F.R. § 313.5(a)(1).
Id. § 313.4(b)(1).
Id. § 313.9(a)-(b); In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, Federal Trade Commission, http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act (last visited Sept. 6, 2016).
16 C.F.R. § 313.1(b).
Id. § 313.1(b).
Id. § 314.1(a).
Id. § 314.1(b).
Id. § 314.3(a).
Id. § 314.4(a).
Id. § 314.4(b).
Peter C. Cassat & Margaret O’Donnell, GLB Safeguards Rule: Overview, Training and Enforcement Considerations, NACUA 43rd Annual Conference, 26 (June 2003), http://counsel.cua.edu/glb/publications/index.cfm (last visited Sept. 6, 2016; follow “NACUA June 2003 Power Point Presentation” hyperlink).
16 C.F.R. § 314.4(b)(1)-(3).
Id. § 314.4(c).
Id. § 314.4(e).
Id. § 314.4(d)(1)-(2).
Id. § 314.2(d).
15 U.S.C. § 6803(a) (requiring annual disclosures to customers); 34 C.F.R. § 99.7(a)(1) (setting forth the equivalent requirement under FERPA).
16 C.F.R. § 314.4(c). The regulation states that the information security program should be developed and maintained in a manner that is “appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” Id. § 314.3. Thus “regularly” may be interpreted differently for each financial institution.