Page 1: GLB Safeguards Rule:  Overview, Training and Enforcement Considerations

GLB Safeguards Rule: Overview, Training and Enforcement Considerations

NACUA 43rd Annual Conference
Peter C. Cassat
Margaret O’Donnell

Page 2

Scope of GLBA Safeguards Rule

The FTC’s Safeguards Rule, promulgated under the GLBA, went into effect on May 23, 2003 and is aimed at ensuring the safeguarding and confidentiality of customer information held in the possession of covered financial institutions.

Unlike the FTC’s earlier GLBA Privacy Rule, the Safeguards Rule contains no exemption for institutions that are subject to FERPA. As a result, educational institutions that engage in financial institution activities, such as processing student loans, are required to comply with the Safeguards Rule.

Page 3

General Requirements

The Safeguards Rule requires each covered institution to develop, implement, and maintain a “comprehensive information security program” that is “written in one or more readily accessible parts”, and that includes “administrative, technical and physical safeguards” designed to ensure the security and confidentiality of customer records.

The Safeguards Rule expressly recognizes that each institution’s information security program may vary, based on its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.

Page 4

Comprehensive Written Information Security Program

In order to “develop, implement and maintain” the required written information security program, the Safeguards Rule requires each institution to carry out certain steps:
– designate one or more employees to coordinate the program;

Page 5

Information Security Program Steps, cont.

– Identify “reasonably foreseeable” internal and external risks to the security and confidentiality of customer information that could lead to unauthorized disclosure, use, alteration, destruction or other compromise of such information and “assess the sufficiency” of the institution’s safeguards in place to control these risks.

Page 6

Information Security Program Steps, cont.

Such risk assessment must include, at a minimum, risks in areas of operation such as:
– employee training and management,
– information systems, and
– detecting, preventing, and responding to attacks against the institution’s systems;

Page 7

Security Program Steps, cont.

– implement safeguards to manage the identified risks and regularly test or monitor such safeguards;

– oversee the institution’s service providers by:
  – selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and
  – requiring service providers by contract to implement and maintain such safeguards;

Page 8

Ongoing Security Steps

The Safeguards Rule requires institutions to evaluate and adjust their security programs in light of the required risk assessment, any material change to institutional business operations or any other circumstances that may have a material impact on the institution’s information security program.

Page 9

Practical Considerations

The most difficult challenge under the Safeguards Rule is identifying the scope of information covered.

It may be possible to take the position that the Safeguards Rule applies only to information collected or maintained in connection with the institution’s financial institution activities, i.e., student financial aid related activities.

It may be difficult, however, for institutions to segregate information that is collected in connection with financial institution related activities (such as Social Security numbers) from other information maintained with respect to its student population.

Page 10

Drafting Issues

The FTC rules expressly recognize that an institution’s information security program may be maintained in one or more documents. Thus, it should be possible to incorporate existing policies and procedures relating to the safeguarding of information and to the proper use of institutional network resources, such as existing acceptable use, information technology security and student record access policies and procedures.

Page 11

Risk Management Issues

The Safeguards Rule recognizes that an institution need not make its security program publicly available. However, open records laws may provide access.

Drafts and deliberative documents relating to the creation and implementation of the program should be labeled as attorney-client privileged drafts.

Page 12

Approaches to GLB Compliance

NACUA 43rd Annual Conference
Tom Schumacher
University of Minnesota
June 25, 2003

Page 13

Options for Organizational Mgmt. - Program Leadership

“Designate an employee or employees to coordinate” (§314.4(a))
1. Centralized Model, single person
2. Decentralized, several “coordinators”
3. Hybrid, central coordinator, designated responsible parties in key units

Designation must be set out in written security plan (§314.3(a))

Try to integrate with existing responsibilities

Page 14

Centralized Model

Options for Responsible Office
– Chief Information Officer?
– Controller?
– CFO?
– Registrar?
– Privacy Officer (if have one)?
– Custodian of Student Record?
– Auditor?
– IT Security Officer?
– Others

Delegate administrative duties as appropriate

Page 15

Decentralized Model

Designate responsible coordinator in areas with “covered data”
– Student Finance Director(s), one at each campus
– IT Office(s)
– Collections
– Human Resources
– Accounting
– Collegiate contacts
– Athletics
– Others

Consider some oversight method

Page 16

Hybrid Model

Single Central Coordinator

Formally designated contacts in units with “covered data” responsible for carrying out risk assessments and monitoring where required

Communication with leadership from areas with covered data

Page 17

Coordinator Program Responsibilities

Risk Assessment - § 313.4(b)
– Identify/inventory access to covered data
– Assess Risk

Internal Controls
– “Design and implement safeguards to control the risks you identify” (§ 313.4(c))
– Match these to level of assessed risk

Page 18

Internal Controls

Program Oversight
– Risk Assessment
– Roles and Responsibilities
– Policies and Procedures
– Education, Training & Awareness
– Monitoring, Testing, Oversight
– Corrective action/Communication
– Iterative and continuing process

Page 19

Example Risk Assessment - for each significant area to evaluate

Electronic
– Access
– Storage
– Transmission
– Destruction

Print materials
– Access
– Storage
– Transmission
– Destruction

Service Providers

System Integrity

Employee permitted access to database without proper authorization

Misuse of information by employee with authorized access

Etc.

Page 20

Example Risk/Internal Controls matrix approach (Area: student financial collections)

Matrix columns: Risk Area; Risk Description; Rank before controls (Impact, Prob.); Internal Controls (Policy/Procedure, Education, Operational Controls, Oversight/Monitoring Controls, Audit Controls); Rank after controls (Probability).

Example row:

Risk Area: Electronic access

Risk Description: Wrongful access to private information by employee

Policy/Procedure: Regents Policy on Access to student records

Education: Required FERPA training prior to authorizing access

Operational Controls: Access limited by passwords to need based upon job description; manager must specify access level prior to approval; IT staff must review and approve requested access level; system records operator id with transaction; employees must sign certification about understanding of rules and permissible use annually.

Oversight/Monitoring Controls: Transactions reviewed periodically by Assoc Dir Student Finance to ensure access is appropriately used

Audit Controls: Audit trail created for access
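The operational, oversight and audit controls from the example row above, modelled in code as an added illustration; this is not code from the slides or from any university's program. The access levels, the action-to-level mapping, the helper names (authorize, AuditTrail, review_transactions, demo) and the sample requests and transactions are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Ordered access levels; a higher number may do everything a lower one may.
# These levels and the action mapping below are assumptions for the example.
LEVELS = {"none": 0, "read": 1, "update": 2, "admin": 3}
ACTION_LEVEL = {"view": "read", "modify": "update", "bulk_export": "admin"}


@dataclass
class AccessRequest:
    operator_id: str
    requested_level: str
    manager_specified_level: Optional[str]   # manager must specify level before approval
    it_reviewed: bool                        # IT staff must review and approve the level
    ferpa_training_date: Optional[date]      # FERPA training required before access
    last_certification_date: Optional[date]  # annual signed certification of permissible use


def authorize(req: AccessRequest, today: date) -> Tuple[bool, List[str]]:
    """Apply the pre-conditions from the matrix row; return (granted, reasons for denial)."""
    reasons: List[str] = []
    if req.ferpa_training_date is None or req.ferpa_training_date > today:
        reasons.append("FERPA training not completed")
    if req.manager_specified_level is None:
        reasons.append("manager has not specified an access level")
    elif LEVELS[req.requested_level] > LEVELS[req.manager_specified_level]:
        reasons.append("requested level exceeds the level specified by manager")
    if not req.it_reviewed:
        reasons.append("IT review and approval missing")
    cert = req.last_certification_date
    if cert is None or today - cert > timedelta(days=365):
        reasons.append("annual certification of permissible use missing or stale")
    return (not reasons, reasons)


@dataclass
class AuditTrail:
    """Audit control: the system records the operator id with every transaction."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, operator_id: str, action: str, record_id: str, when: date) -> None:
        self.entries.append({"operator": operator_id, "action": action,
                             "record": record_id, "when": when.isoformat()})


def review_transactions(trail: AuditTrail, grants: Dict[str, str]) -> List[str]:
    """Oversight control: the periodic review of transactions, flagging any that
    exceed the operator's approved level or come from an operator with no grant."""
    findings: List[str] = []
    for e in trail.entries:
        needed = ACTION_LEVEL[e["action"]]
        granted = grants.get(e["operator"], "none")
        if LEVELS[needed] > LEVELS[granted]:
            findings.append(f"{e['when']}: {e['operator']} performed {e['action']} on "
                            f"{e['record']} (needs {needed}, granted {granted})")
    return findings


def demo() -> Tuple[bool, List[str], List[str]]:
    """Run the controls over constructed sample data.
    Returns (alice granted?, bob's denial reasons, review findings)."""
    today = date(2003, 6, 25)
    # Constructed requests: alice meets every pre-condition, bob does not.
    ok = AccessRequest("alice", "read", "read", True, date(2003, 1, 15), date(2003, 3, 1))
    bad = AccessRequest("bob", "update", "read", True, None, date(2003, 3, 1))
    granted, _ = authorize(ok, today)
    _, reasons = authorize(bad, today)
    grants = {"alice": "read"} if granted else {}

    # Constructed transactions as the system would record them.
    trail = AuditTrail()
    trail.record("alice", "view", "acct-1001", today)    # within approved level
    trail.record("alice", "modify", "acct-1002", today)  # exceeds approved level
    trail.record("carol", "view", "acct-1003", today)    # no approved grant at all
    return granted, reasons, review_transactions(trail, grants)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```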

Page 21

Example: Hybrid Model

Coordinator makes sure Risk Assessment and Internal Controls for each covered area are in place
– For significant areas, conducted by designated contacts
– For isolated areas, conducted by Coordinator

Designated contacts annually provide report to Coordinator
– Annual confirmation that risks are current

Coordinator annually reports on risk environment and controls to Compliance and leadership
– Identifies problem areas

Page 22

Identifying and Evaluating Exposures and Risks

NACUA 43rd Annual Conference
Christopher Holmes
Baylor University
June 25, 2003

Page 23

Scope of Risk Assessment

“You shall...identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.” 16 CFR §314.4(b).

Page 24

Areas to Include

1) Employee training and management;
2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

Page 25

Steps to Risk Assessment

Meet with all business owners facing the risks and discuss their experiences

Prepare a list that encompasses the risks (both internal and external) they observe

Determine whether current steps are sufficient in controlling the risks

Discuss additional reasonable steps that could be taken to increase security

Page 26

List of Potential Risks

Compromise of system security (e.g., hacker)

Interception of data during transmission

Physical loss of data due to disaster

Corruption of data or systems

Unauthorized access by employees

Unauthorized requests for data (e.g., pretext calling)

Unauthorized transfer of data by third parties

Page 27

FTC Suggestions: Employee Management and Training

Check references prior to hiring employees who will have access to cdi

Employees sign confidentiality agreement

Train employees to take basic steps (passwords, pretext calling, etc.)

Regular reminders of policy and legal requirement to keep cdi confidential

Limit access to those employees with a business reason for seeing it

Page 28

FTC Suggestions: Information Systems

Store records in a secure area

Provide for secure data transmission (use of SSL, password protect email accounts, etc.)

Dispose of customer information in secure manner

Inventory computers on network systems

Page 29

FTC Suggestions: Managing Systems Failures

Develop a written contingency plan to address breaches

Maintain software and hardware (security patches, anti-virus software, etc.)

Backups of all cdi

Configure systems to ensure that access to cdi is granted only to appropriate users

Notify customers promptly if cdi is disclosed

Page 30

Review and Assessment of Plan

GLB requires continued evaluation and adjustment of the safeguards program in light of relevant circumstances. Periodically review changes in the university’s operations or business arrangements or the results of testing and monitoring of enacted safeguards.

Page 31

“Service Provider” Rules Under the Gramm-Leach-Bliley Act

2003 NACUA National Conference
June 25, 2003

Gregory C. Brown
Associate General Counsel
Office of the General Counsel
University of Minnesota

Page 32

Overview of Presentation

Review FTC Safeguard Rule on the oversight, selection and retention of service providers and mandatory contract provisions.

Discuss ways, by contract, to protect Universities once security has been breached or customer information has been lost, misused or altered.

Page 33

Who is a “Service Provider”?

“Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution . . . .” FTC Safeguard Rule, § 314.2(d), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

Page 34

Duty to Oversee Service Providers

Institutions must take “reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information . . . .” FTC Safeguard Rule, § 314.4(d)(1), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

Page 35

Duty to Oversee Service Providers

Each institution is expected to “take reasonable steps to assure itself that its current and potential service providers maintain sufficient procedures to detect and respond to security breaches . . . .” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).

Page 36

Duty to Oversee Service Providers

Each institution is expected to “maintain reasonable procedures to discover and respond to widely-known security failures by its current and potential service providers.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).

Page 37

Duty to Oversee Service Providers

The FTC did not mandate any specific reviews or steps an institution must take to comply.

Institutions need not undertake “unlimited evaluation(s) of their service providers’ capabilities.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002).

Review will depend on the “circumstances and the relationship” between the institution and the service provider. Id.

Page 38

Mandatory Contract Provisions

Each contract entered into after June 24, 2002, must require the service provider “to implement and maintain such safeguards.” FTC Safeguard Rule, §§314.4(d)(2) and 314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

A contract in place before that date need not include the mandatory provision until May 24, 2004. FTC Safeguard Rule, §314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002).

Page 39

Mandatory Contract Provisions

So as to give institutions flexibility, the FTC did not mandate particular contract language.

Page 40

Mandatory Contract Provisions

Sample clause:

“Throughout the term of this Agreement, Service Provider shall implement and maintain ‘appropriate safeguards,’ as that term is used in § 314.4(d) of the FTC Safeguard Rule, 16 C.F.R. § 314 (the ‘FTC Rule’), for all ‘customer information,’ as that term is defined in §314.2(b) of the FTC Rule, owned by the University and delivered to Service Provider pursuant to this Agreement.

Page 41

Mandatory Contract Provisions

Sample Clause cont’d:

“Service Provider shall promptly notify the University, in writing, of each instance of (i) unauthorized access to or use of that customer information that could result in substantial harm or inconvenience to a customer of the University or (ii) unauthorized disclosure, misuse, alteration, destruction or other compromise of that customer information. Within 30 days of the termination or expiration of this Agreement, Service Provider shall destroy and shall cause each of its agents to destroy all records, electronic or otherwise, in its or its agent’s possession that contain such customer information and shall deliver to the University a written certification of the destruction.”

Page 42

Mandatory Contract Provisions

FTC Safeguard Rule is silent as to the penalty for institution entering into or maintaining a contract with a service provider that does not comply.

Page 43

Additional Contract Terms

Right to on-site audit of Service Provider’s security program.

Right to terminate if Service Provider has allowed a material breach of its security program, if Service Provider has lost or materially altered customer information, or if the University reasonably determines that Service Provider’s program is inadequate.

Page 44

Additional Contract Terms

Service Provider to indemnify and defend the University for security breaches, violations of GLB caused by Service Provider’s negligence, and loss or material alteration of customer information.

Service Provider to reimburse the University for its direct damages (e.g., costs to reconstruct lost or altered information) resulting from the security breach, loss, or alteration of customer information.

Page 45

Conclusion

GLB is another step on the ever-lengthening road to the land of perfect privacy. The FTC Safeguard Rule should be seen as part of an institution’s comprehensive privacy policy.

Institutions need to address the protection of (meaning here access to) information already in the “hands” of both current and past service providers.

Page 46

What is Required for Training under GLB Safeguards Rule

Training should be very simple.

You don't even need to mention GLB.

Page 47

What Points to Include in Training

Both physical and computer records must be protected

Do not give anyone else your password or ask anyone for theirs

Encrypt sensitive customer information when transmitted over networks. Conversely, do not ask customers to send data such as credit card # or SSN over non-encrypted networks.

Refer calls or requests for customer information to employees who have had safeguard training

Beware "social engineering" (pretext calling)

Identify where at the university to report fraudulent attempts to obtain customer information or questionable data access (might be Internal Auditor for financial records, Registrar for Student Records, others to Information Security Coordinator)

Page 48

Who to Train

Depends on Specifics of your Information Security Plan

Narrow v. Broad Approach

Broad = Anyone who has access to student records, either paper or online
– If your plan also covers credit card information, anyone who has access to credit card information (CUA taking this approach)

Narrow = only those offices with access to student financial data, or offices who engage in covered financial transactions, e.g. extending a loan for credit, gift annuity agreements, etc. (Georgetown taking this approach)

Page 49

How to Train

By video (see online video at http://counsel.cua.edu/glb/publications/)

By brochures (online by end of summer at above site)

In person in small groups for those who have managerial responsibilities in covered areas

Page 50

Enforcement and 3rd Party Lawsuits

No private right of action under GLB

Plaintiff could bring case based on negligence

Not much (if any) case law on negligent release of information such as SSN or credit card

Page 51

Avoiding Lawsuits

Likely to be a growing field with advent of laws like HIPAA, GLB and state laws protecting privacy

See: Henderson, Steve, and Yarbrough, Matthew, Frontiers of Law: The Internet and Cyberspace: Suing the Insecure?: A Duty of Care in Cyberspace, 32 N.M.L. Rev. 11 (2002) for summary of theory of law in this area

Follow standard of reasonableness. Stay current or ahead of curve on privacy protection, e.g. be there with the patch as soon as it is available.