INFORMATION SECURITY PROGRAM
The Gramm-Leach-Bliley Act (GLBA), together with an implementing “Safeguards Rule” issued by the Federal Trade Commission, regulates the security and confidentiality of non-public customer personal information collected or maintained by or on behalf of financial institutions or their affiliates. To the extent that
It is the policy of the University to comply, and to require its employees, student workers, volunteers, and other agents to comply, with all applicable federal, state, and local laws and regulations, as well as University policies and procedures, governing information security, confidentiality, and privacy. The Program incorporates, voluntarily and by reference, existing University or department policies and procedures that address the security and confidentiality of data encompassed by the definition of “covered data and information” below, and is in addition to any University or department policies and procedures required under other federal and state laws and regulations.
Non-public customer personal information means any personally identifiable financial information, not otherwise publicly available, that the University has obtained from a student, student parent or spouse, employee, alumnus, or other third party, in the process of offering a financial product or service, OR such information provided to the University by another financial institution, OR such information otherwise obtained by the University in connection with providing a financial product or service. Offering a financial product or service includes such activities as student loans, employee mortgage loans, employee educational grants, and other miscellaneous financial services as defined in 12 CFR Section 225.28. Examples of personally identifiable financial information include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, in both paper and electronic form.
Publicly available for the purpose of this Program means information that W&L has a reasonable basis to believe is lawfully available to the general public from government records, widely distributed media, or disclosures to the general public required under law. Examples of publicly available financial information include, but are not limited to, listings in telephone and online directories and financial information contained in recorded deeds of trust, judgments, or liens.
Covered data and information for the purpose of this Program includes non-public customer personal information required to be protected under GLBA. In addition to this required coverage, W&L chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University, whether or not such financial information is covered by GLBA. Covered data and information includes both paper and electronic records.
In order to comply with GLBA, the Provost has designated an Information Security Program Coordinator (Coordinator) to be responsible for coordinating and overseeing the Program. The Coordinator is presently the University Registrar and Director of Institutional Research. The Provost has also designated a Financial Information Security Program Committee (Committee) to work closely with the Coordinator in carrying out the elements of the Program. The Committee reports to the Provost and initially includes an administrator from each of the following offices and departments whose operations are likely to be most significantly impacted by this Program: Business Office, Development (law and undergraduate representatives), Financial Aid, University Computing (law and undergraduate representatives), Vice President for Administration, Vice President for Finance/Treasurer, and the Coordinator. The Provost may add representatives from other offices and departments, as he deems appropriate. The Office of General Counsel will work closely with the Coordinator and the Committee and will serve as a resource on all elements of the Program.
Each University office or department handling covered data and information, as identified by the Coordinator and the Committee, will take steps to identify and assess internal and external risks to the security, confidentiality, and integrity of covered data and information that could result in the unauthorized access, disclosure, misuse, alteration, destruction or other compromise of such information.
The risk assessment should (at a minimum) include consideration of risks, and current safeguards to manage those risks, to covered data and information in each relevant aspect of University operations, including: employee, student worker, and volunteer training and management regarding access to and use of such information; information systems (including network and software design, as well as information processing, storage, transmission and disposal for both paper and electronic records); and detecting, preventing and responding to attacks, intrusions, or other system failures (including data processing and telephone communication), as well as contingency planning and business continuity.
The Coordinator and the Committee, with the assistance of the Office of General Counsel, will establish procedures for identifying and assessing risks in each relevant area of the University’s operations outlined above. The Coordinator will delegate the risk identification and assessment to the appropriate individual(s) within each affected office or department, who will be that office’s contact person with the Coordinator and the Committee.
Each affected office or department will design, implement, and maintain in writing, such administrative, technical, and physical safeguards as are necessary to control the risks identified through risk assessment, and will regularly monitor the effectiveness of such safeguards. Each office should design and implement safeguards in accordance with the nature and scope of that office’s activities and the sensitivity of the covered data and information at issue. The contact person for each such office must provide a copy of the written safeguards to the Coordinator and the Committee.
The Coordinator and the Committee, with the assistance of the Office of General Counsel, will provide guidance on appropriate safeguards to all affected offices and departments, and will work with individual offices as requested or appropriate in the design and implementation of safeguards.
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for non-public customer personal information. In addition, W&L will, as a matter of policy, take reasonable steps to select and retain service providers who maintain appropriate safeguards for other covered data and information, whether or not required under GLBA. A “service provider” is any person or entity that receives, maintains, processes, or otherwise is permitted to access covered data and information through its provision of services directly to W&L. The Office of General Counsel will develop a form letter to be sent to all covered service providers, requesting assurances of GLBA compliance. While contracts entered into prior to
GLBA requires that this Program be subject to periodic review and adjustment. The most frequent of these reviews will likely occur within University Computing, whose operations involve constantly changing technology and constantly evolving risks. Processes in other relevant offices of the University should also be reviewed regularly, particularly as appropriate to any operational changes that may have a material impact on the Program. The Coordinator and the Committee will review the Program itself annually to assure ongoing compliance with GLBA and the Federal Trade Commission Safeguards Rule, as well as consistency with other existing and future laws and regulations.
original draft: May 15, 2003
approved by Provost H. Thomas Williams, September 15, 2003
revised: October 12, 2003