The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions.
The University of Pittsburgh must comply with GLB's safeguarding regulations, based on GLB's final rules on Safeguarding Customer Information. Educational institutions are not exempt and must adopt an information security program. Key compliance requirements include:
- Designating an employee to coordinate an information security program.
- Identifying risks to the security of customer information (including a risk assessment of computer information systems).
- Contractually requiring service providers to implement and maintain safeguards.
Colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are still subject to the provisions of the GLB Act related to the administrative, technical, and physical safeguarding of customer information.
To comply with GLB:
The University has designated an official Customer Information Security Officer, based in the Office of the Provost.
University units that are significantly engaged in financial activities that involve the collection or utilization of customer financial information must identify themselves to the University's Customer Information Security Officer. Examples of activities to which GLB applies include administering financial aid, processing credit card information, and collecting any other form of customer financial information. University units must document all such collection and processing activities and describe the nature and extent of their utilization of customer information. An employee must also be appointed to oversee the unit's information safeguards practices.
University units must assess their current customer information practices, identify vulnerabilities, and take appropriate measures to secure customer information.