Educause Security Discussion mailing list archives
Re: FTC Regulations - Notification Question
From: "Steven R. Smith" <Steven.R.Smith () HOFSTRA EDU>
Date: Wed, 16 Apr 2003 18:21:02 -0400
I spoke with Mary Bachinger at NACUBO, and GLB does apply to Universities, partially. If the University is in compliance with FERPA it is in compliance with the privacy part of the GLB. However, Universities must comply with the safeguarding requirements of GLB by May 23, 2003. See http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf and http://www.nacubo.org/public_policy/bulletins/2003/04102003c.asp. Because Universities collect financial information as part of the financial aid process, the GLB applies. At least this is what NACUBO has told me.

Has anyone started the process of establishing the written information security program? I have the program we put together from my old job at a bank. It's essentially a summary of what you've done to identify the risks of internal and external threats, and what you're doing to protect against those threats. You also must identify how you are educating your user community regarding information security.

Hope this helps.

Steven R. Smith
IS Security Specialist
Hofstra University
516.463.3944
tbm3 () CORNELL EDU 04/16/03 16:11 PM >>>
Brian, FYI, and for whatever it is worth towards answering your question, from our university counsel's office:
The FTC regulations apply to any "nonpublic personal information" held by financial institutions -- i.e., "personally identifiable financial information" and "any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." Because of the latter half of the definition of "non-public personal information," I interpret the regs as covering more than financial information per se.
I have also copied Peg O'Donnell to whom we are increasingly all looking for guidance!

Tracy

At 02:53 PM 4/16/2003 -0500, you wrote:
I would say no from what I understand. GLBA only applies to true Financial Institutions, Bank, Credit Union, S&L, Insurance Company. Unless you are running a Student Credit Union a college would not fit the definition of an organization that needs to comply with the privacy notice requirement. That does not mean from a "due diligence" perspective that you don't need to keep your students informed and provide "opt in" or "opt out" for the sharing of their information with other entities, or provide the option of knowing who the information is shared with.

Ken
CISSP, CISA, CISM, IAM
Information Security Solutions Manager
Omni Tech Corporation, www.omnitechcorp.com
(262) 523-3300 x486

-----Original Message-----
From: Walsh, Brian R. (Information Services) [mailto:brwal () CONNCOLL EDU]
Sent: Wednesday, April 16, 2003 2:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FTC Regulations - Notification Question

I've read through the documents from Educause, NACUBO, and some of the FTC documents regarding the GLB Act but I'm still not clear on the notification part of it. The rules call for written financial privacy notices to be given to "customers" when the relationship is established and again annually. Does this apply to colleges and universities? What does everyone think?

Brian

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- FTC Regulations - Notification Question Walsh, Brian R. (Information Services) (Apr 16)
- <Possible follow-ups>
- Re: FTC Regulations - Notification Question Ken Shaurette (Apr 16)
- Re: FTC Regulations - Notification Question Marty Hoag (Apr 16)
- Re: FTC Regulations - Notification Question Tracy Mitrano (Apr 16)
- Re: FTC Regulations - Notification Question Steven R. Smith (Apr 16)