Re: FTC Regulations - Notification Question

["Steven R. Smith" <Steven.R.Smith () HOFSTRA EDU>]

I spoke with Mary Bachinger at NACUBO, and GLB does apply to Universities, partially.  If the University is in 
compliance with FERPA it is in compliance with the privacy part of the GLB.  However, Universities must comply with the 
safeguarding requirements of GLB by May 23, 2003.  See 
http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf and 
http://www.nacubo.org/public_policy/bulletins/2003/04102003c.asp.  Because Universities collect financial information 
as part of the financial aid process, the GLB applies.  At least this is what NACUBO has told me.

Has anyone started the process of establishing the written information security program?  I have the program we put 
together from my old job at a bank.  Its essentially a summary of what you've done to identify the risks of internal 
and external threats, and what you're doing to protect against those threats.  You also must identify how you are 
educating your user community regarding information security.

Hope this helps.

Steven R. Smith
IS Security Specialist
Hofstra University
516.463.3944
> > > tbm3 () CORNELL EDU 04/16/03 16:11 PM >>>
Brian,

FYI, and for whatever it is worth towards answering your question, from our
university counsel's office:

>  The FTC regulations apply to any "nonpublic personal information" held
> by financial institutions -- i.e., "personally identifiable financial
> information" and "any list, description, or other grouping of consumers
> (and publicly available information pertaining to them) that is derived
> using any personally identifiable financial information that is not
> publicly available."   Because of the latter half of the definition of
> "non-public personal information," I interpret the regs as covering more
> than financial information per se.


I have also copied Peg O'Donnell to whom we are increasingly all looking
for guidance!

Tracy



At 02:53 PM 4/16/2003 -0500, you wrote:
> I would say no from what I understand.  GLBA only applies to true
> Financial Institutions, Bank, Credit Union, S&L, Insurance Company.
> Unless you are running a Student Credit Union a college would not fit
> the definition of an organization that needs to comply with the privacy
> notice requirement.
>
> That does not mean from a "due diligence" perspective that you don't
> need to keep your students informed and provide "opt in" or "opt out"
> for the sharing of their information with other entities, or provide the
> option of knowing who the information is shared with.
>
> Ken
> CISSP, CISA, CISM, IAM
> Information Security Solutions Manager
> Omni Tech Corporation, www.omnitechcorp.com
> (262) 523-3300 x486
>
>
>
> -----Original Message-----
> From: Walsh, Brian R. (Information Services) [mailto:brwal () CONNCOLL EDU]
>
> Sent: Wednesday, April 16, 2003 2:08 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] FTC Regulations - Notification Question
>
>
> I've read through the documents from Educause, NACUBO, and some of the
> FTC documents regarding the GLB Act but I'm still not clear on the
> notification part of it. The rules call for written financial privacy
> notices to be given to "customers" when the relationship is established
> and again annually. Does this apply to colleges and universities? What
> does everyone think?
>
> Brian
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at
> http://www.educause.edu/memdir/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.