University of Louisville Non-Public Personal Information Policy
Gramm-Leach-Bliley Act (GLBA)
Effective May 23, 2003
On November 12, 1999, the Gramm-Leach-Bliley Act (GLBA) was passed into law. The Federal Trade Commission requires Financial Institutions to ensure the security and confidentiality of Non-Public Personal Information (NPI) as of May 23, 2003. For purposes of administering the act, Colleges and Universities must ensure that NPI is secure, confidential, and protected from unauthorized access and threats. The following safeguarding policies and practices are administered at the University of Louisville (U of L). 1. U of L has established the Office of the Bursar as the administrative office responsible for ensuring that compliance to GLBA is followed by Students, Faculty, Administrative, and affiliated entities with the University.
2. U of L discloses information only as necessary to perform specific functions and responsibilities required to meet its Academic and Business Mission. NPI will not be provided to individuals or organizations where such information is not required to achieve its contracted objective.
3. U of L contracts with service providers who are capable of maintaining and safeguarding customer information as required by GLBA.
4. U of L utilizes appropriate safeguards to protect Personal and NPI such as but not limited to: network firewall, data encryption, user, password, and pin number protection, data back-up and redundancy to prevent the unauthorized use/theft, or compromising of customer non-public personal information.
5. Faculty, Administrators, and Staff employees with access to NPI are trained in policies and procedures to maintain strict confidentiality of customer NPI. Questions regarding appropriate disclosure of NPI will be directed to the Compliance Officer, Greg Atkins, in the Bursar's Office.
6. U of L publishes a clear and conspicuous NPI safeguard policy electronically and policy is available for public review.
7. U of L administers an information risk assessment program to evaluate the current effectiveness of NPI safeguarding controls and procedures. Examples of areas that have significant non-public personal information are: Human Resources, Information Technology, Admissions, Registrar, Bursar’s Office, Controller’s Office, Financial Aid, Metropolitan College, Public Safety, Student Services, and University Relations.
GLBA Appendix. Securing Information
Employee Management and Training Procedures
Check references prior to hiring employees who will have access to customer information.
Require employees to sign an agreement to follow U of L’s confidentiality and security standards for handling customer information.
Employees are trained to take basic steps to maintain security, confidentiality, and integrity of customer information, such as:
__locking rooms and cabinets containing paper records
__properly shred documents with sensitive information
__using password activated screen savers
__using strong passwords
__routinely require password prompted changes
__encryption of sensitive customer information when it is transmitted electronically over networks or stored online
__referring calls or other request for customer information to designated individuals who have had safeguards training, and recognizing fraudulent attempts to obtain customer information and reporting to appropriate law enforcement agencies
__limits access to customer information to employees who have a business reason for seeing it
__Consumers are cautioned against transmission of sensitive data via email. Advise customers to utilize password protection in transmitting sensitive information.
Security is maintained throughout the life cycle of customer information from data entry to data disposal as follows:
__Electronic information is stored in secure locked computer centers, protected against destruction and damage form potential physical hazards.
__Electronic customer information is maintained on a physically secure dedicated server accessible by password.
__Sensitive information is not stored on a machine with a non secure internet connection.
__Data is secured on back-up media and archived for disaster recovery.
__E-Commerce and other Credit Card data is collected utilizing servers that employ top level SSL encryption software.
__Customer information is disposed of in a secure manner; outdated information residing on hardware no longer in use is completely destroyed.
Managing System Failures
The following procedures are endorsed to prevent, detect, and respond to attacks, intrusions or other system failures.
__IT maintains a written contingency plan to address any breaches of physical, administrative or technical safeguards
__Routinely applies vendor’s software patches that resolve vulnerabilities, and maintain automatic anti-virus software updates.
__IT maintains up-to-date firewalls and provides central management of security tools for IT employees.
__Routinely backs-up all non-personal customer information.
__Notifies customers promptly if their non-public personal information is subject to loss damage or unauthorized access.