Title: St. Olaf College Gramm-Leach-Bliley Act Policy
Effective Date: 4-01-2011
Issuing Authority: Office of the Vice President & Chief Financial Officer
Program Coordinator: Nate Engle
Last Updated: 4-01-2011
Purpose of Policy
This Policy is intended to comply with the Financial Services Modernization Act of 1999, commonly known as the Gramm-Leach-Bliley Act (GLBA). Financial institutions, including any organization that offers financial products treated as covered accounts, such as loans, are required to comply with the Gramm-Leach-Bliley Act. The Act requires that financial institutions have a policy in place to protect consumer information from foreseeable threats to its security and integrity.
St. Olaf College will provide safeguards to protect information and data in compliance with the Gramm-Leach-Bliley Act, related to the privacy and protection of personal information.
The Gramm-Leach-Bliley Act has three major components: the Financial Privacy Rule, the Safeguards Rule, and pretexting protection.
Financial Privacy Rule
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, with whom that information is shared, how it is used, and how it is protected. The notice must also identify the consumer’s right to opt out of having the information shared with unaffiliated parties. It is not the practice of St. Olaf College to share consumer information with unaffiliated parties.
The FTC has ruled in 16 C.F.R. Section 313.1(b) that an institution of higher education that complies with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirement of the GLBA. In instances such as deferred gift agreements, where St. Olaf College acts as a financial institution with respect to information that is not a student financial record subject to FERPA, St. Olaf College will send privacy notices annually.
Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the institution prepares for and protects the security of consumers’ nonpublic personal information. The College has a Data Classification Policy that fulfills the requirements of this rule and designates program coordinators to oversee compliance for the various types of protected personal information.
Pretexting Protection
The Gramm-Leach-Bliley Act requires the financial institution to take adequate measures to protect against pretexting, which occurs when someone attempts to obtain nonpublic personal information without the proper authority to do so. The College has a Fair and Accurate Credit Transactions Act (FACTA) Policy, also known as the Red Flags Rule policy, which fulfills the requirements of this provision. It includes an annual risk assessment of the security and privacy risks to the covered accounts, at which time any needed adjustments to security processes are made. The annual assessment also includes a review of the procedures for employees who have access to covered data and information.