Policy 310.00

Gramm-Leach-Bliley Act (GLBA) Compliance

Responsible Office: Administration and Finance

  1. PURPOSE

    The Gramm-Leach-Bliley Act ("GLBA") (Public Law 106-102) and its implementing regulations at 16 CFR Part 313 & 314 requires Financial Institutions to protect, to the extent reasonably possible, the security, privacy, and confidentiality of personally identifiable financial records and information, also known as "Covered Information." Because University of Maryland Global Campus ("University") engages in Financial Services, such as student financial aid, the Federal Trade Commission ("FTC") considers the University a Financial Institution for GLBA purposes.

  2. SCOPE

    This Policy applies to Covered Information provided by a student or other third party to the University, resulting from any service or transaction performed by the University for a student or other third party, or otherwise obtained by the University.

  3. DEFINITIONS

    Capitalized terms utilized in this Policy shall have the meaning ascribed to them below. These terms shall have the same meaning when used in the singular or plural form.

    1. Covered Information: Any nonpublic personally identifiable financial information handled or maintained by or on behalf of the University whether in paper, electronic or other form that: (i) a student or other third party provides in order to obtain a Financial Service from the University (ii) is about a student or other third party resulting from any transaction with the University involving a Financial Service; or (iii) is otherwise obtained about a student or other third party in connection with providing a Financial Service to that person. This includes but is not limited to: asset statement, bank account information, credit card information, income and credit history, social security number, tax return.

    2. Financial Institution: Any institution engaging in activities that are financial in nature or incidental to financial activities.

    3. Financial Services: Includes Financial Institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application for a financial product or service (e.g. student loans and the administration of financial aid).

    4. Information Resource: Anything that is intended to generate, store, or transmit information.

    5. Information Security Program ("IS Program"): Provides a formal structure for (1) developing and maintaining University-wide security policies, (2) defines security principles that safeguard University computing resources, and (3) ensures compliance with internal and external regulations.

    6. Service Provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to University information through its direct provision of services to the University.

    7. Sub-Service Provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to University information through its provision of services to a University Service Provider.

  4. POLICY STATEMENTS

    1. The University shall designate one or more individuals to coordinate the Information Security Program ("IS Program") as it relates to GLBA.

    2. The University’s IS Program shall identify and assess internal and external risks to the security, confidentiality, and integrity of Covered Information that could result in the unauthorized disclosure, misuse, alteration, destruction or any other compromise of such information. The IS Program coordinator(s) shall provide guidance to appropriate personnel in central administration, academic departments, and other University departments in evaluating their current practices and procedures and assessing threats to Covered Information. The IS Program coordinator(s) shall work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:

      1. Employee Training and Management - evaluate the effectiveness of current security employee training and management procedures relating to the access and use of Covered Information;

      2. Information Systems - assess the risks to Covered Information associated with the University’s information systems, including network and software design as well as information processing, storage, transmission, & disposal, and;

      3. Detecting, Preventing, and Responding to Attacks and System Failures - evaluate procedures for and methods of detecting, preventing, and responding to attempted attacks, intrusions, and other system failures.

    3. The IS Program coordinator(s) will coordinate with appropriate personnel to design and implement safeguards, as needed, to minimize or mitigate the risks identified in assessments and shall develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. The IS Program coordinator(s) will ensure that monitoring of the safeguards shall be performed on an ongoing basis and adjustments to the IS Program shall be made as needed.

    4. The IS Program coordinator(s) shall work with the University’s Office of Procurement and the Office of Legal Affairs ("OLA") in developing methods and procedures for selecting and retaining Service Providers, to include Sub-Service Providers, that are capable of maintaining appropriate safeguards for Covered Information. Contract language shall require Service Providers to implement and maintain appropriate safeguards for those computing resources that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Covered Information.

  5. ENFORCEMENT

    1. Any employee, contractor, or other third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Office of Human Resources as soon as practicable.

    2. Any employee, contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to the University’s Information Resources and may be subject to other penalties and disciplinary action, up to and including termination of employment or contract.

   
Original Policy Approval Date 6/26/20
Substantive Revision Dates  
Technical Amendment Dates