Personal Information Protection
University of Louisville Non-Public Personal Information Policy
Gramm-Leach-Bliley Act (GLBA)
Effective May 23, 2003
Gramm-Leach-Bliley Act Information Security Program
On November 12, 1999, the Gramm-Leach-Bliley Act (GLBA) was passed into law. The Federal Trade Commission requires financial institutions to ensure the security and confidentiality of non-public personal information (NPI) as of May 23, 2003. For purposes of administering the act, colleges and universities must ensure that NPI is secure, confidential, and protected from unauthorized access and threats. The following safeguarding policies and practices are administered at the University of Louisville (UofL).
- UofL has established a Security Program Committee, led by the Chief Information Security Officer, responsible for ensuring compliance with GLBA by students, faculty, administrative staff, and entities affiliated with the University.
- UofL discloses information only as necessary to perform specific functions and responsibilities required to meet its academic and business mission. NPI will not be provided to individuals or organizations where such information is not required to achieve its contracted objective.
- UofL contracts with service providers who are capable of maintaining and safeguarding customer information as required by GLBA.
- UofL utilizes appropriate safeguards to protect personal information and NPI, such as, but not limited to, network firewalls, data encryption, user, password, and PIN protection, and data back-up and redundancy, to prevent the unauthorized use, theft, or compromise of customer non-public personal information.
- Faculty, administrators, and staff with access to NPI are trained in policies and procedures to maintain strict confidentiality of customer NPI. Questions regarding appropriate disclosure of NPI will be directed to the Security Program Committee.
- UofL publishes a clear and conspicuous NPI safeguard policy electronically, and the policy is available for public review.
- UofL administers an information risk assessment program to evaluate the current effectiveness of NPI safeguarding controls and procedures. Examples of areas that have significant non-public personal information are: Admissions, Athletics, Bursar’s Office, Business Operations, Cardinal Card Office, Controller’s Office, Financial Aid, Human Resources, Payroll, Metropolitan College and Registrar.
GLBA Appendix. Securing Information
Employee Management and Training Procedures shall include:
- Check references prior to hiring employees who will have access to customer information.
- Require employees to sign an agreement to follow UofL’s confidentiality and security standards for handling customer information.
- Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, such as:
  - locking rooms and cabinets containing paper records
  - properly shredding documents containing sensitive information
  - using password-activated screen savers
  - using strong passwords
  - routinely requiring prompted password changes
  - encrypting sensitive customer information when it is transmitted electronically over networks or stored online
  - referring calls or other requests for customer information to designated individuals who have had safeguards training, recognizing fraudulent attempts to obtain customer information, and reporting them to the appropriate law enforcement agencies
  - limiting access to customer information to employees who have a business reason for seeing it
  - cautioning consumers against transmitting sensitive data via email
  - advising customers to use password protection when transmitting sensitive information
Information Systems
- Electronic information is stored in secure, locked computer centers, protected against destruction and damage from potential physical hazards.
- Electronic customer information is maintained on a physically secure dedicated server accessible by password.
- Sensitive information is not stored on a machine with a non-secure internet connection.
- Data is secured on back-up media and archived for disaster recovery.
- E-commerce and other credit card data is collected using servers that employ top-level SSL encryption software.
- Customer information is disposed of in a secure manner; outdated information residing on hardware no longer in use is completely destroyed.
Managing System Failures
- IT maintains a written contingency plan to address any breaches of physical, administrative or technical safeguards.
- Routinely applies vendors' software patches that resolve vulnerabilities and maintains automatic anti-virus software updates.
- IT maintains up-to-date firewalls and provides central management of security tools for IT employees.
- Routinely backs up all non-personal customer information.
- Notifies customers promptly if their non-public personal information is subject to loss, damage, or unauthorized access.