Financial and Business

Gramm-Leach-Bliley Compliance Policy

Section:	Governance, Ethics, and General Policies
Policy Name:	Gramm-Leach-Bliley Compliance Policy
Policy Owner:	Vice President and General Counsel
Responsible University Office:	Office of General Counsel
Origination Date:	December 1, 2005
Revisions:	February 2022
Legacy Policy Number:	1-23

1. SCOPE OF POLICY
   The Gramm-Leach-Bliley Act (the “GLBA”) sets standards for using and disclosing information entities obtain when they offer financial products or services to consumers and for securing the information in order to protect consumers’ privacy. This policy specifies (i) how the University will identify those areas of its operations subject to the GLBA, and (ii) the associated GLBA compliance obligations. This policy applies to all University personnel but imposes additional obligations on those of its units, departments, colleges, schools, or other parts of the University that offer financial products or services to consumers within the scope of the GLBA (each a “GLBA Component” and as further defined below).
2. DEFINITIONS
   1. “Financial Product or Service” means, for the purposes of the GLBA, offering a product or service that is financial in nature, such as engaging in lending activities, to individuals when such products or services will be used primarily for personal, family, or household purposes.
   2. “Nonpublic Personal Information” means Personally Identifiable Financial Information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any Personally Identifiable Financial Information that is not publicly available.
   3. “Personally Identifiable Financial Information” means any information (i) a consumer provides to the University in order to obtain a Financial Product or Service from the University; (ii) about a consumer resulting from any transaction involving a Financial Product or Service between the University and the consumer; or (iii) the University otherwise obtains about a consumer in connection with providing a Financial Product or Service to that consumer.
   4. “GLBA Component” means those parts of the University that offer financial services within the scope of the GLBA such as administering or processing student loans as well as those parts of the University providing assistance to them:
      1. Student Financial Services
      2. Admissions
      3. Institutional Research and Effectiveness
      4. Information Technologies
3. POLICY STATEMENT
   GLBA Components must use, disclose, and safeguard the Nonpublic Personal Information as specified in this policy and must notify the Chief Privacy Officer in the event the Nonpublic Personal Information has been, or is reasonably believed to have been, used or disclosed in a manner contrary to this policy.
4. POLICY STANDARdS AND PROCEDURES
   1. Requirements Applicable to the University Chief Privacy Officer
      The Chief Privacy Officer is responsible for overseeing the University’s overall compliance with the GLBA and for (i) identifying, periodically validating, and documenting the University’s GLBA Components and updating this policy as appropriate; (ii) notifying GLBA Components of their compliance obligations; (iii) obtaining assurances from GLBA Components of material compliance with the obligations as specified in this policy; and (iv) informing University leadership of noncompliance, if any. The Chief Privacy Officer will also be a resource available to the GLBA Components upon request to review their compliance efforts.
   2.  Requirements Applicable to All University Personnel
      University personnel who discover an actual or suspected use or disclosure of Nonpublic Personal Information in violation of this policy must promptly report the incident to the information security professional in their department or college or to the Security Operations Center by calling 302-831-6000 or completing the Reporting Form as set forth in the Information Security Event Reporting policy.[1] The University will not retaliate against anyone who makes a report in good faith.
   3. Requirements Applicable to GLBA Components
      1. 1. Privacy. GLBA Components will periodically review the Nonpublic Personal Information they obtain and maintain to verify that (i) the Nonpublic Personal Information is a part of education records as defined by and subject to the Federal Education Rights and Privacy Act (“FERPA”), and (ii) the GLBA Component is in compliance with the University’s FERPA policy with respect to the use and disclosure of that information.[2]
         2. Security. GLBA Components must develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate given the size and complexity of operations, the nature and scope of the activities, and the sensitivity of the Nonpublic Personal Information.[3] The written information security program can be a combination of various documents as long as when combined, those documents address the requirements and are readily accessible when needed or upon request. The security program shall:
            1. Designate an employee(s) responsible for coordinating the security program.
            2. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the Nonpublic Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.[4]
            3. Assess the sufficiency of the safeguards in place to control the identified risks, including: [5]
               1. Employee training and management;
               2. Information systems, including network and software design, information processing, storage, transmission and disposal; and
               3. Detecting, preventing, and responding to attacks, intrusions, or other system failures.
            4. Design and implement information safeguards to address deficiencies in controlling the identified risks, if any, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
            5. Oversee any third-party vendors with access to the Nonpublic Personal Information and ensure they are capable of maintaining appropriate safeguards for the Nonpublic Personal Information.
   4. Compliance
      Violations of this Policy may result in disciplinary action.

[1] The Information Security Event Reporting Policy and the Report Form are available at https://sites.udel.edu/generalcounsel/policies/information-security-event-reporting/

[2] A GLBA Component that determines the Nonpublic Personal Information is not information in education records subject to FERPA will notify the Chief Privacy Officer and jointly, they will develop (i) policies and procedures implementing GLBA requirements for acceptable uses and disclosures of the Nonpublic Personal Information, and (ii) a notice to be provided to consumers describing those policies and procedures and that otherwise meets GLBA specifications.

[3] UDIT Security offers consulting services to departments (https://www1.udel.edu/security/framework/toolkit/unitguide.html) and can meet and assist with establishing this information security program.

[4] UDIT has made the Secure UD Compliance and Risk Survey available at https://www1.udel.edu/security/framework/toolkit/cars.html to assist components of the University in making these types of assessments. GLBA Components may also seek assistance from the Chief Privacy Officer and the University Data Security Advisory Committee to fulfill its GLBA obligations.

[5] UDIT has made the Secure UD Security Plan Tool available at https://www1.udel/security/framework/toolkit.spt.html to assist components of the University in developing the plan. GLBA Components may also seek assistance from the Chief Privacy Officer and the University Data Security Advisory Committee to fulfill its GLBA obligations.