Standards for Safeguarding Customer Information (The Gramm-Leach-Bliley Act)
A guide for College Employees
Students, faculty, staff, and alumni are afforded certain rights to privacy of nonpublic information under the Standards for Safeguarding Customer Information (The Standards).
What are The Standards for Safeguarding Customer Information?
The Standards for Safeguarding Customer Information (FTC, 16 CFR Part 314) establish requirements for administrative, technical, and physical safeguards for nonpublic personal information. The Standards are the codification of the Gramm-Leach-Bliley Act (GLBA) and became effective May 23, 2003.
What is the College’s Responsibility Regarding These Standards?
The college must have policies and procedures (guidelines) in place to ensure that it complies with The Standards for the data and information they protect.
What Data and Information Are Protected by These Standards?
The college has chosen to define protected data and information to include student personal and financial information required to be protected under The Standards and the Family Educational Rights and Privacy Act (FERPA). In addition to educational records and student personal and financial information, the college has chosen to also include the personal and financial information of faculty members, staff members, alumni, and other donors in the definition of protected data and information. When in doubt as to whether a piece of data or information is to be protected, COD employees/contractors will err on the side of treating it as protected data and information. Protected data and information includes both paper and electronic records. Examples of protected personal and financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers.
Who at the College Can View Protected Data and Information?
College employees and contractors who have a “need to know” in order to perform their jobs to further the mission of the college are allowed to view protected data and information. These college employees and contractors are said to have a “legitimate institutional interest” for viewing protected data and information.
Recommendations for Safeguarding Data and Information Protected by The Standards
- Maintaining physical security by locking rooms and/or file cabinets where protected data and information is stored, ensuring windows are locked, and using safes when practicable for especially sensitive protected data and information.
- Maintaining adequate key control and limiting access to sensitive areas to those individuals with a “need to know” in order to perform their job.
- Using and frequently changing passwords to access automated systems that process protected data and information. Also encouraging the use of “strong” passwords (e.g. at least 6 characters, and not easily guessable) and the safeguarding of passwords (e.g. do not leave passwords written down in easy view of others in the vicinity of an employee’s work area).
- Using firewalls and encrypting protected data and information when appropriate and feasible. The Information Technology Services department provides for this on behalf of all college employees.
- Referring calls and mail requesting protected data and information to those individuals who have been trained in safeguarding protected data and information for these types of requests.
- Shredding and erasing customer information when no longer needed in accordance with Department policy.
- Taking reasonable efforts to limit the view of computer screens and other media (e.g. paper) displaying protected data and information to only those employees who have a “need to know” in order to perform their job.
- Clearing protected data and information from computer screens when it is no longer in use, and never leaving your desk area with protected data and information still displayed on a computer screen or on some other medium (e.g. paper) on the desk in clear sight of a casual passerby.
- Encouraging employees to report suspicious activity to supervisors and/or the COD Public Safety Police department, as appropriate.
- Encouraging password-activated screen savers and using them when an employee is away from his/her desk.
- Taking reasonable steps to ensure that all future contracts are with service providers that are capable of maintaining appropriate safeguards for the protected data and information at issue.
The college may take disciplinary measures (including job termination) against any employee who intentionally, or through gross negligence, violates any of the above guidelines.
The federal penalty for the college for noncompliance with The Standards is a fine up to $500,000 or up to 10 years in prison or both, and the federal penalty for an individual is a fine up to $250,000 or up to 5 years in prison or both.
For more information refer to the College of DuPage Information Technology Services “Information Security Plan” and/or contact Keith Conlee, Chief Security Officer for Information Technology Services, SRC 2157, (630) 942-3055.
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599