651  Safeguarding Nonpublic Financial Information

Approved by President
Effective Date: June 5, 2017
Responsible Division: Business and Finance
Responsible Office: Compliance and Enterprise Risk Management
Responsible Officer: Assistant Vice President for Compliance and Enterprise Risk Management

I. Purpose

This policy is a comprehensive written Information Security Program (Program) as mandated by the Gramm-Leach-Bliley Act (GLBA) Standards for Safeguarding Customer Information Rule. The Program includes the components described below, pursuant to which Middle Tennessee State University (MTSU or University) intends to:

A.  Protect the security and confidentiality of customers’ nonpublic financial information;

B.  Protect against any anticipated threats or hazards to the security or integrity of such information; and

C.  Protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.

The Program incorporates principles underlying other University policies, including, but not limited to, computer/electronic records confidentiality policies, Family Educational Rights & Privacy Act policies, employee/personnel records confidentiality policies, etc.

II. Definitions

A.  Customer. A consumer who has a customer relationship with the University.

B.  Consumer. An individual (or that individual’s legal representative) who obtains, or has obtained, a financial product or service from a financial institution that is used primarily for personal, family, or household purposes.

C.  Nonpublic Financial Information. Any record that the University obtains from a customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. The term nonpublic financial information means any information:

1.  That a student or other third party provides in order to obtain a financial service from the University:

a.  about a student, or other third party, resulting from any transaction with the University involving a financial service; or

b.  otherwise obtained about a student, or other third party, in connection with providing a financial service to that person; and

2.  Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

D.  Offering a financial product or service includes, but is not limited to:

1.  Offering/processing student loans;

2.  Granting emergency or long-term loans to students or employees;

3.  Receiving income tax information from a student’s parent when offering a financial aid package;

4.  Offering career counseling services to individuals who seek employm