Graham-Leach-Bliley Act

The Graham-Leach-Bliley Act (GLB or Act) requires “financial institutions” to protect the privacy of their customers, including customers’ nonpublic, personal information. Because universities also deal with a variety of financial records from students and their parents, the University of South Florida has a responsibility to secure the personal records of its students. To ensure this protection, GLB mandates that all institutions establish appropriate administrative, technical and physical safeguards. In an effort to set safeguarding standards, the Act directs that all institutions implement an Information Security Program, and designate a program coordinator.

Designation of Representatives

Oversight for the USF Information Security Plan will be accomplished by an oversight group (herein “Group”) that includes:

All members of the university community will have responsibilities for safeguarding customer information, including the identification of risks. The Information Security Coordinating Group will facilitate regular communication with other USF security groups.

Scope of Duties

Scope of the Program

The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the Institution or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from the Institution, (ii) about a student or other third party resulting from any transaction with the Institution involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.

In addition to this coverage which is required by federal law, USF chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the university, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records, as well as electronic deposit data used in the automated disbursement and payment receipt processes.