Gramm-Leach-Bliley Compliance Policy

Section: Governance, Ethics, and General Policies
Policy Name: Gramm-Leach-Bliley Act Compliance Policy (Interim)
Policy Owner: Vice President and General Counsel
Responsible University Office: Office of General Counsel
Origination Date: December 1, 2005
Revisions: February 2022, February 2025 (Interim)
Legacy Policy Number: 1-23
  1. SCOPE OF POLICY
    This Policy addresses how the University safeguards Nonpublic Personal Information, defined below, as required by the Gramm-Leach-Bliley Act (“GLBA”).
  2. DEFINITIONS
    1. “Nonpublic Personal Information” means Personally Identifiable Financial Information and any list, description, or other grouping of students and their families (and publicly available information pertaining to them) that is derived using any Personally Identifiable Financial Information that is not publicly available. Nonpublic Personal Information excludes de-identified, aggregated information.
    2. “Personally Identifiable Financial Information” means any information about students or their families provided to the University when students seek financial assistance or that involves a transaction related to such financial assistance or that the University otherwise obtains when administering student financial assistance.
    3. “Information Security Program” means the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Nonpublic Personal Information.
    4. “Risk Assessment” identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Nonpublic Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such Nonpublic Personal Information, and assesses the sufficiency of any safeguards in place to control these risks.
    5. “GLBA Component”means the following parts of the University, as they may change from time to time, that use Personally Identifiable Financial Information to process applications for or to otherwise administer student financial assistance and related reporting and operational obligations:
      • English Language Institute
      • Finance
      • Graduate Admissions
      • Graduate and Professional Education
      • Information Technologies
      • Institutional Research and Effectiveness
      • Internal Audit and Compliance
      • Office for International Students & Scholars
      • Office of the University Registrar
      • Procurement Services
      • Student Financial Services
      • Undergraduate Admissions
  3. POLICY STATEMENT
    The GLBA Components must comply with the requirements of the University’s GLBA Information Security Program as specified in this Policy to protect Nonpublic Personal Information from (i) a breach of security or confidentiality, (ii) unanticipated threats or hazards to security or integrity, and (iii) unauthorized access or use. Violations of this Policy may result in disciplinary action.
  4. POLICY STANDARDS AND PROCEDURES
    The University’s Chief Privacy Officer (“CPO”) and Chief Information Security Officer (“CISO”) oversee the University’s GLBA compliance and coordinate with the GLBA Components to ensure appropriate compliance with the University’s GLBA Information Security Program.
    1. The CPO coordinates and monitors GLBA compliance by:
      1. Periodically convening meetings with the CISO and representatives of each of the GLBA Components to (i) review changes to the operational environment of the GLBA Components, if any; (ii) review or identify required updates to the GLBA risk assessments and control plans; and (iii) obtain assurances from GLBA Components of their material compliance with the GLBA requirements and this Policy or, if necessary, to document appropriate corrective action plans and their completion;
      2. Identifying and periodically validating GLBA Components and updating this Policy, if required;
      3. Assisting the CISO in developing annual written assessments on the status of the Information Security Program for the Board of Trustees;
      4. Assisting the GLBA Components with training obligations;
      5. Informing University leadership of noncompliance, if any;
      6. Participating in the investigation of security events involving Nonpublic Personal Information as required by the University’s Information Security Event Reporting policy and the Data Security Incident Response Plan; [1]
      7. Maintaining documentation of actions taken to comply with this Policy.
    2. The CISO is the qualified individual the University has designated to oversee, implement, and enforce the GLBA Information Security Program (directly or through a qualified designee) by:
      1. In conjunction with the GLBA Components (i) conducting, periodically reassessing, and updating Risk Assessments; and (ii) identifying, implementing, monitoring, and updating, as appropriate, safeguards to control identified risks to Nonpublic Personal Information in accordance with GLBA specifications;
      2. Periodically testing safeguards and recommending changes, as appropriate;
      3. Verifying that information security personnel are adequately trained and qualified to manage and address changing information security threats and countermeasures;
      4. Evaluating and periodically reassessing how the University’s vendors with access to Nonpublic Personal Information maintain appropriate safeguards for the Nonpublic Personal Information;
      5. Leading investigations of security events involving Nonpublic Personal Information as specified in the Information Security Event Reporting policy and the Data Security Incident Response Plan;
      6. Providing the University’s Board of Directors with annual written assessments of the status of the University’s Information Security Program;
      7. Informing the CPO about compliance concerns with this Policy; and
      8. Maintaining documentation of actions taken to comply with this Policy.
    3. The GLBA Components manage the day-to-day operations involving Nonpublic Personal Information and must: [2]
      1. Participate in periodic reassessments of Risk Assessments as requested by the CISO;
      2. Implement and update, as appropriate, the Information Security Program safeguards;
      3. Promptly notify the CISO and CPO of systems or other operational changes affecting Nonpublic Personal Information, such as the use of new systems or equipment or granting access to new vendors;
      4. Require personnel with access to Nonpublic Personal Information to complete training annually on the privacy and security obligations associated with the Nonpublic Personal Information and provide the CPO no later than August of each year with (i) a description of the training, (ii) a listing of the people who completed the training, and (iii) a plan for ensuring the remaining personnel complete the training;
      5. Maintain an up-to-date list of personnel and vendors with access to Nonpublic Personal Information and periodically reassess the need for such access;
      6. Maintain an inventory of devices used to access and maintain Nonpublic Personal Information;
      7. Document the procedure for securely destroying Nonpublic Personal Information, regardless of form, and ensuring Nonpublic Personal Information is not maintained longer than necessary for legitimate business operations;
      8. Report events that affect, or are reasonably suspected to affect, the privacy or security of the Nonpublic Personal Information as specified in the University’s Security Event Reporting policy and participate as requested in subsequent investigation of such reports; and
      9. Maintain documentation of compliance efforts.

___________________________

[1] The Information Security Event Reporting Policy and the Report Form are available at https://sites.udel.edu/generalcounsel/policies/information-security-event-reporting/.

[2] In addition to complying with other applicable University Policies, the GLBA Components should take special note of their obligation under the University’s Federal Education Rights and Privacy Act (“FERPA”) policy which governs the uses and disclosures of Nonpublic Personal Information in education records as opposed to the security of that data.