Skip to Main Content

Updated: 3/29/2018

Reviewed: 1/28/2020 (J. Gouge)

Information Security Program (GLBA)

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLBA, includes provisions to protect consumers' personal financial information held by financial institutions.


The University of North Florida must comply with GLBA's safeguarding regulations, based on GLBA's final rules on Safeguarding Customer Information which do not exempt educational institutions and require them to adopt an information security program.


The Information Security Program requirements include:

  • Designating an employee to coordinate an information security program;
  • Identifying reasonably foreseeable internal and external risks to the security of customer information (including a risk assessment of computer information systems);
  • Design and implement safeguards to control identified risk;
  • Oversee service providers (Contractually require service providers to implement and maintain safeguards);
  • Periodically review the plan.

Note that colleges and universities are deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are still subject to the provisions of the GLBA related to the administrative, technical, and physical safeguarding of customer information.


To comply with GLBA:

  • The University has designated an official Information Security Officer, based in the Office of the Chief Information Officer.
  • University units that are significantly engaged in financial activities that involve the collection or utilization of customer financial information must identify themselves to the University's Information Security Officer. Examples of activities that GLBA would apply to include the administration of financial aid, the processing of credit card information, or the collection of any other form of customer financial information. University units must document all such collection and processing activities, describe the nature and extent of their utilization of customer information, and appoint an employee to oversee the unit's information safeguards practices.
  • University units must assess their current customer information practices, identify vulnerabilities, and take appropriate measures to secure customer information.
  • The University has created a Information Security Plan.

Learn more from the Federal Trade Commission website.