Reviewed: 1/28/2020 (J. Gouge)
Information Security Program (GLBA)
Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act"
or GLBA, includes provisions to protect consumers' personal financial
information held by financial institutions.
The University of
North Florida must comply with GLBA's safeguarding regulations, based on GLBA's
final rules on Safeguarding Customer Information which do not exempt
educational institutions and require them to adopt an information security
The Information Security Program requirements include:
- Designating an employee to
coordinate an information security program;
- Identifying reasonably foreseeable internal and external risks to the security
of customer information (including a risk assessment of computer information
- Design and implement safeguards to control identified risk;
- Oversee service providers (Contractually require service providers to implement and
- Periodically review the plan.
Note that colleges
and universities are deemed to be in compliance with the privacy provisions of
the GLBA if they are in compliance with the Family Educational Rights and
Privacy Act (FERPA). However, higher education institutions are still subject
to the provisions of the GLBA related to the administrative, technical, and
physical safeguarding of customer information.
To comply with GLBA:
- The University has designated
an official Information Security Officer, based in the Office of the Chief
- University units that are
significantly engaged in financial activities that involve the collection
or utilization of customer financial information must identify themselves
to the University's Information Security Officer. Examples of activities
that GLBA would apply to include the administration of financial aid, the
processing of credit card information, or the collection of any other form
of customer financial information. University units must document all such
collection and processing activities, describe the nature and extent of
their utilization of customer information, and appoint an employee to
oversee the unit's information safeguards practices.
- University units must assess
their current customer information practices, identify vulnerabilities,
and take appropriate measures to secure customer information.
- The University has created a Information Security Plan.
Learn more from the Federal Trade Commission website.