The Gramm-Leach-Bliley Act (GLBA), effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. In 2021, the Federal Trade Commission (FTC) issued amendments to its rules under the Gramm-Leach-Bliley Act (GLBA); these changes updated the compliance requirements for higher education institutions with a financial connection to the Title IV Program. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices (employee, student, customer, alumni, donor, etc.), both electronic and physical. The changes listed below have a direct impact on current Compliance Policies:
These updates to current Compliance Policies at St. John’s University are for certain highly critical and private financial and related information. This Compliance Program applies to customer financial information (covered data) that the University receives in the course of business as required by GLBA as well as other confidential financial information included within its scope.
The GLBA Compliance Program covers the entirety of the activities and practices of the following offices and individuals:
Information covered under the plan is defined by three categories:
In order to continue to protect private information and data and to comply with the provisions of the Federal Trade Commission's safeguard rules implementing applicable provisions of the GLBA, the University has adopted this Compliance Program for certain highly critical and private financial and related information. The Compliance Program forms part of the overall strategic information security program of the University. This program applies to customer financial information (covered data) the University receives in the course of business as required by GLBA, as well as other confidential financial information the University has voluntarily chosen, as a matter of policy, to include within its scope.
This page describes many of the activities undertaken by the University to maintain the security and privacy of the covered data according to GLBA requirements.
The following table illustrates the mapping of the departments that fall under the scope of the GLBA Safeguards Rule.
· Student loans (St. John’s loans, bank loans, and federal loans)
· Private Student loans
· Personally Identifiable Information - SSN, Billing Information, Credit Card, Account Balance, Citizenship, Passport Information, Tax Return Information, Bank Account Information, Driver’s License and Date of Birth
· Disbursement of Financial Aid
· Payment Plans
· Financial Aid
· Office of Admission
· Office of the Registrar
· International Student Service Office
· The Language Connection
· The School of Law
· Personally Identifiable Information - SSN, Billing Information, Credit Card, Account Balance, Passport Information, Tax Return Information, Bank Account Information, Driver’s License and Date of Birth
· Office of the General Counsel
· 403(b) loans
· Emergency faculty loans
· Emergency staff loans
· Payroll W2s
· Human Resources (HR)
· G5 drawdown of federal funds
· Refunds and T & E payments
· Coordination of Audits
· Business Affairs
This section discusses the main roles and responsibilities required to effectively execute the GLBA Compliance program.
Chief Information Officer
· Designates or serves as the GLBA Compliance Plan Coordinator.
· Responsible for systemwide compliance with the GLBA Safeguarding Rule through appropriate communication with and coordination among applicable groups.
· Designates individuals who have the responsibility and authority for information technology resources.
Information Technology Security Office
· Establishes and disseminates enforceable rules regarding access to and acceptable use of information technology resources.
· Establishes reasonable security policies and measures to protect data and systems.
· Monitors and manages system resource usage.
· Investigates problems and alleged violations of University information technology policies and reports violations to appropriate University offices, such as the Office of the General Counsel and the Human Resources Department, for resolution or disciplinary action.
Deans, Department Heads and other Managers
· Keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance, and ensure that they successfully complete the required training.
Employees with access to covered data
· Abide by University policies and procedures governing covered data as well as any additional practices or procedures established by their unit heads or directors.
· Report concerns to their supervisor.
· Assist units with setting risk evaluation schedules and processes as requested.
University Auditors and Cross-department GLBA working team
· Review conformance to the GLBA Compliance Plan as part of routine internal audits.
The GLBA Compliance Program Coordinator (Coordinator) is responsible for implementing this Compliance Program. The Coordinator is appointed by the Vice President for Business Affairs.
Compliance means following the laws, regulations, and University policies that govern our everyday activities as members of the University community. This Compliance Program is a continuous process that is evaluated and adjusted in light of the following:
This section highlights the approach taken by the University to ensure compliance with the GLBA requirements.
Keeping security risks low is a St. John’s priority. The University’s structure for maintaining the confidentiality of information is designed to keep risks of all kinds to a minimum, with quality assurance that comprehensive processes are in place for best practices and information protection. The areas are listed below:
The Compliance Program identifies the flow of the data processed throughout the University to assist in the identification of risks to privacy and security. This activity includes determining:
This process includes system-wide risks as well as risks unique to each area with covered data, and the effectiveness of management practices currently in place to ensure compliance and security enhancement. Risk assessments shall include a consideration of risks in each relevant area of operations and cover processes for handling, storing, and disposing of paper records; processes for detecting, preventing, and responding to security failures; and employee training and management, including the appropriateness and frequency of staff and management security awareness training.
As a result of the risk assessment, recommendations are made as necessary to change management practices to improve business controls and/or to implement information safeguards. The University has developed a set of policies and procedures to guide the security and privacy of data covered by GLBA:
St. John’s University is diligent in its routine testing and monitoring of its systems, and the safeguards implemented are a result of the risk assessment outcomes.
The University performs vulnerability assessments on systems that transmit, process, or store covered data.
Access control is St. John’s University’s ability to implement, maintain, and enforce its policies, standards, and procedures governing access to covered data.
To protect the integrity and privacy of data that is processed, stored, and transmitted, the University uses industry-accepted and approved encryption algorithms and solutions for access control.
St. John’s University is diligent in its data collection, retention, and disposal efforts. The University’s record retention process is in accord with the GLBA. The program:
The following shall guide the training and management of employees:
St. John’s University’s documented Incident Response Plan and Procedures address possible threats concerning Information Technology, privacy, and cyber incidents. The University’s planning for these threats includes instructions on the steps University employees should take against potential threats. These steps are listed below:
The University may, from time to time, appropriately share covered data with third parties. When business is conducted with third parties, however, appropriate risk management activities are in place to minimize any corresponding potential risks. The risks addressed include, but are not limited to, reputational, financial, operational, strategic, and compliance risks. Decisions to engage third parties must be consistent with the University’s business objectives and must be made after careful consideration of the risks involved; third parties are contractually required to implement and maintain such safeguards.
The Coordinator, working with responsible units and offices, monitors, evaluates, and adjusts the Compliance Program in light of the results of testing and monitoring of the risks identified as well as in response to any material changes to operations or business arrangements and any other circumstances which may reasonably have an impact on the Compliance Program. This Program document will be reviewed, at a minimum, annually by the CIO and GLBA working committee.
Persons who have questions regarding the security of any of the categories of information that are handled or maintained by or on behalf of the University may contact:
Anne Rocco Pacione
Interim Chief Information Officer
8000 Utopia Parkway
Queens, NY 11439
Email: [email protected]
The complete Gramm Leach Bliley Information Security Program is available at the CIO’s Office.
This section highlights some of the key terminologies used under the GLBA.
Customer Information - means any record containing non-public personal information, as defined in 16 CFR 313.3(n), about a faculty member, staff member, or student of St. John’s, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of St. John’s or its service providers.
The following are examples (not an exhaustive list) of data elements that fall under customer information, whether they are stored as paper records or electronically:
Non-public personal information - means any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.
Financial Information - includes student financial aid, student, faculty and staff loans.
Covered data and information - for this program, this includes non-public personal information of customers required to be protected under GLBA. In addition to this required coverage, the University chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University, whether or not such financial information is covered by GLBA. Covered data and information includes both paper and electronic records.
Service provider - means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to St. John’s that is subject to this part.