651  Safeguarding Nonpublic Financial Information

Approved by President
Effective Date: June 5, 2017
Responsible Division: Business and Finance
Responsible Office:  Business and Finance
Responsible Officer:  Associate Vice President, Business and Finance

I. Purpose

This policy is a comprehensive written Information Security Program (Program) as mandated by the Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Information Rule. The Program includes the components described below, pursuant to which Middle Tennessee State University (MTSU or University) intends to:

A.  Protect the security and confidentiality of customers’ nonpublic financial information;

B.  Protect against any anticipated threats or hazards to the security, or integrity of, such information; and,

C.  Protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.

The Program incorporates principles underlying other University policies, including, but not limited to, computer/electronic records confidentiality policies, Family Educational Rights & Privacy Act policies, employee/personnel records confidentiality policies, etc.

II. Definitions

A.  Customer. A consumer who has a customer relationship with the University.

B.  Consumer. An individual (or that individual’s legal representative) who obtains, or has obtained, a financial product or service from a financial institution that is used primarily for personal, family, or household purposes.

C.  Non-public Financial Information. Any record that the University obtains from a customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. The term nonpublic financial information means any information:

1.  That a student or other third party provides in order to obtain a financial service from the University:

a.  about a student, or other third party, resulting from any transaction with the University involving a financial service; or

b.  otherwise obtained about a student, or other third party, in connection with providing a financial service to that person; and

2.  Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

D.  Offering a financial product or service includes, but is not limited to:

1.  Offering/processing student loans;

2.  Granting emergency or long term loans to students or employees;

3.  Receiving income tax information from a student’s parent when offering a financial aid package;

4.  Offering career counseling services to individuals who seek employment at financial institutions; and

5.  Management consulting activities, on any subject, to a financial institution and on financial, economic, accounting, or audit matters to any company.

E.  Financial institution. Any institution the business of which is significantly engaged in financial activities, which may include, but is not limited to:

1.  Extending credit and servicing loans;

2.  Lending, exchanging, transferring, investing for others, or safeguarding money or securities;

3.  Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death.

The Federal Trade Commission has classified universities of higher education as financial institutions for purposes of compliance with the Gramm-Leach-Bliley Act safeguarding rule, as such institutions process student loans.

F.  Service Providers. All third parties who, in the ordinary course of University business, are provided access to customers’ covered data and information. Service providers may include, but is not limited to, business retained to store, transport, and/or dispose of covered data; collection agencies; and technology systems support providers.

III. Guidelines

A.  Introduction. Federal law requires that financial institutions, the definition of which includes the University, comply with the Gramm-Leach-Bliley Act and, in so doing, safeguard the confidentiality of nonpublic financial information of its constituents.

B.  Scope of Program: Nonpublic Financial Information

1.  The Program shall apply to any paper or electronic record maintained by the University that contains nonpublic financial information about an individual, or a third party, who has a relationship with the University.

2.  Such nonpublic financial information shall be kept confidential and safeguarded by the University, its affiliates, and service providers pursuant to the provisions of the Program.

C.  Requirements of an Information Security Program

1.  Program Coordinator

a.  The University’s Security Information Program must include the designation of a Program Coordinator (Coordinator), who shall be responsible for implementing the Program.

b.  The Coordinator may be a single employee as designated by the Program. In the alternative, the Program may designate several employees as Coordinators such that one employee serves as the University’s primary Coordinator who works in conjunction with departmental Coordinators who are responsible for oversight of safeguarding records in their departments in accordance with the University’s Program.

c.  The Coordinator shall, at a minimum, perform the following duties:

(1)  Consult with the appropriate offices to identify units and areas of the University with access to customers’ nonpublic financial information and maintain a list of the same;

(2)  Assist the appropriate offices of the University in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customers’ nonpublic financial information and make certain that appropriate safeguards are designed, and implemented, in each office and throughout the University to safeguard the protected data;

(3)  Work in conjunction with the University’s contract officer(s) to guarantee that all contracts with third party service providers that have access to, and maintain, nonpublic financial information of the University’s customers include a provision requiring that the service provider comply with the GLBA safeguarding rule;

(4)  Work with responsible University officers to develop and deliver adequate training and education for all employees with access to customers’ nonpublic financial information; and,

(5)  Periodically evaluate and monitor the effectiveness of the current safeguards for controlling security risks by periodically verifying that the existing procedures and standards delineated in the Program are adequate.

2.  Security and Privacy Risk Assessments

a.  The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise of such information, and assess the sufficiency of any safeguards in place to control those risks.

b.  Risk assessments should include consideration of risks in each office that has access to customers’ nonpublic financial information.

c.  The GLBA requires that the risk assessment section of the Program must, at a minimum, include consideration of the risks in the following areas:

(1)  Employee training and management.

(a)  A GLBA employee training program shall be developed by the Coordinator, in conjunction with the Office of Human Resource Services and legal counsel, if necessary, for all employees who have access to individuals’ nonpublic financial information, such as information technology/systems employees and those employees who use such data as part of their essential job duties.

(b)  The training shall occur on a regular basis, as deemed appropriate by the Coordinator, and shall include education on relevant policies and procedures and other safeguards in place, or developed, to protect nonpublic financial information.

(2)  Safeguards of information systems/technology processing, storage, transmission, and disposal (including network and software design). Programs should include safeguards so that network and software systems are reasonably designed to limit the risk of unauthorized access to nonpublic financial information.

(3)  Methods to detect, prevent, and respond to attacks, intrusions, or other system failures. 

3.  Implementation of Safeguards

a.  The Program must include information regarding the design and implementation of information safeguards to control the risks identified through the risk assessment described in Section III.C.2., Security and Privacy Risk Assessments.

b.  The Program shall also include methods to regularly test, or otherwise monitor, the effectiveness of the safeguarding procedures. The Program’s monitoring may include technology system checks, reports of access to technology systems, and audits.

4.  Oversight of Service Providers and Contracts

a.  The GLBA requires the University to take reasonable steps to select, and retain, third party service providers that are capable of complying with the GLBA by maintaining appropriate safeguards for the customer information to which they have access.

b.  The GLBA requires that the University’s current and potential service providers, that have access to customers’ nonpublic financial information, maintain sufficient procedures to detect and respond to security breaches.

c.  The Program must include a reference to the University’s duty to require, by contract, that all applicable third party service providers implement and maintain appropriate GLBA safeguards for customers’ nonpublic financial information.

5.  Evaluation and Revision of Program

a.  The GLBA mandates that the University’s Program be subject to periodic review, evaluation, and adjustment.

b.  The Program must include a plan by which it will be evaluated on a regular basis and a method to revise the Program, as necessary, for continued effectiveness.

D.  Assessment of the Information Security Program

The Coordinator, in conjunction with the appropriate administrators, shall assess the effectiveness of the Program annually. The Coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the University’s organization that may affect the implementation and effectiveness of the Program.

E.  Publication of the Information Security Program

1.  To promote uniform compliance with the Program by all personnel employed by MTSU, and to achieve the University’s duty to safeguard the confidentiality of customers’ nonpublic financial information, the University shall, at a minimum, display and disseminate the Program in accordance with the University’s standard distribution methods.

2.  The University’s current Program shall be made available, upon request, for review and copy at all times.

Forms: none.

Revisions: none.

References: Gramm-Leach-Bliley Act Standards for Safeguarding Customer Information Rule.