Gramm-Leach-Bliley Act (GLBA) Compliance at Howard University
What is the GLBA?
The Gramm-Leach-Bliley Act (GLBA), effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies, and by higher education institutions with a financial connection to the Title IV program. The Department of Education issued announcement GENERAL-23-09, "Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements," which clarified how the Safeguards Rule applies to higher education institutions. A subsequent announcement, "Protecting Student Information – Compliance with CUI and GLBA," defines the requirement to use the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) to enhance the information security programs that support all aspects of the administration of Title IV federal student aid programs.
The objectives of the GLBA standards for safeguarding information are to:
- Ensure the security and confidentiality of student information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).
Why does the GLBA Safeguards Rule apply to Howard University?
The GLBA requirements apply to Covered Financial Information, which is Nonpublic Personal Information (NPI) about a student or other third party who has a continuing relationship with Howard, where such information is obtained in connection with the provision of a financial service or product and that is maintained by or on behalf of Howard. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories.
What activities must comply with the GLBA Safeguards Rule?
The GLBA covers the entirety of the activities and practices of the following offices and individuals:
- Offices and individuals that handle electronic or printed personnel records, financial records, transactional records, or student records.
- Offices and individuals that transmit confidential information (protected data) to off-site locations as part of a periodic review or submission requirement.
- Centers and institutes that provide services and acquire personal or financial information from participants or constituents.
- Faculty serving as directors, coordinators, principal investigators, or program directors for programs that collect protected data.
- Faculty, staff, and administrators with contracts to use, access, or provide protected data to, or receive protected data from, a non-campus entity (e.g., government databases, science databases).
| GLBA Safeguards Rule Scope of Information for Title IV Schools | Responsible Department, School or College |
| --- | --- |
| Nonpublic Personal Information (NPI): student loans (federal and private), disbursement of financial aid, payment plans, IRS Form 1098 | University Bursar; Enrollment Management; College/School Dean Offices |
| Personally Identifiable Information (PII) | Office of Human Resources; Office of the General Counsel |
| 403(b) loans, emergency faculty loans, emergency staff loans, payroll W-2s | Office of Human Resources |
| G5 drawdown of federal funds, refunds and T&E payments, reconciliations, coordination of audits, IRS Form 1099 | Office of the Chief Financial Officer |
Who is responsible for meeting the GLBA Safeguards Rule?
Compliance with the GLBA Safeguards Rule is a collective effort. Each role within Howard University plays a crucial part in ensuring full GLBA compliance.
| Role | Responsibilities |
| --- | --- |
| Chief Information Officer (CIO) | Designates the qualified individual responsible for ensuring the cybersecurity program is compliant with GLBA. |
| Chief Information Security Officer (CISO) | Ensures the University's cybersecurity program complies with the GLBA Safeguards Rule, protecting customer information. |
| Chief Audit and Compliance Officer | Conducts periodic risk assessments as defined by the GLBA Safeguards Rule. |
| Cabinet, Colleges and Schools Leadership | Ensure GLBA Safeguards Rule compliance within their divisions that handle covered financial information. |
| Employees working with Covered Financial Information | Adhere to University policies and procedures related to cybersecurity and immediately report any violations. |
In what ways does Howard University adhere to the GLBA Safeguards Rule?
Howard University ensures compliance in the following ways:
- It maintains a cybersecurity program designed to meet the objectives of the GLBA Safeguards Rule.
- It encrypts covered financial information both at rest and in transit.
- It grants access to covered financial information only to those with a legitimate need for it.
- It carries out internal risk assessments to address and mitigate any identified risks, both internal and external, to covered financial information.
- It performs risk assessments on third-party services that handle covered financial information, such as Software as a Service (SaaS) or vendor-provided services.
- It provides cybersecurity awareness training to all individuals who handle covered financial information.
- It maintains an incident response plan and ensures it is regularly exercised.
- It ensures that its information systems and services are promptly patched against known vulnerabilities to minimize the risk of compromising covered financial information.
- It retains only the most recent covered financial information and appropriately deletes any information that is no longer needed.