The Gramm-Leach-Bliley Act (GLB or Act) requires “financial institutions” to protect the privacy of their customers, including customers’ nonpublic, personal information. Because universities also deal with a variety of financial records from students and their parents, the University of South Florida has a responsibility to secure the personal records of its students. To ensure this protection, GLB mandates that all institutions establish appropriate administrative, technical and physical safeguards. In an effort to set safeguarding standards, the Act directs that all institutions implement an Information Security Program, and designate a program coordinator.
Designation of Representatives
Oversight for the USF Information Security Plan will be accomplished by an oversight group (herein “Group”) that includes:
- Data Security Administrator, Chair
- Electronic Commerce Administrator
- University Controller
- Purchasing and Financial Services
All members of the university community will have responsibilities for safeguarding customer information, including the identification of risks. The Information Security Coordinating Group will facilitate regular communication with other USF security groups.
Scope of Duties
- The Group will develop and communicate the safeguarding process, develop necessary training, identify risks and safeguards to reduce those risks, and establish a standard procedure to assure that external service providers comply with customer safeguards. Future contracts with external service providers will include standard language indicating required compliance.
- The Group will monitor University-wide performance to assure compliance with the safeguarding of customer information.
- The Group will conduct regular testing of all aspects of the security program to identify challenges and to assess the safeguards that are in place.
- The Group will provide regular reports of compliance status to USF Senior Management, General Counsel, and Inspector General.
Scope of the Program
The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the Institution or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from the Institution, (ii) about a student or other third party resulting from any transaction with the Institution involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
In addition to this coverage, which is required by federal law, USF chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the university, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records, as well as electronic deposit data used in the automated disbursement and payment receipt processes.