
Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule pertains to the safeguarding of customer financial information. The rule requires financial institutions, including colleges and universities, to develop plans and establish policies to protect such information.

The GLBA broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLBA purposes.

Safeguards Rule

The information below describes the various components of the university's information security program that are in accord with, and support compliance with, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and provides references to additional materials and to applicable policies and guidelines.

In its capacity as a financial institution, American University is required to maintain an information security program; the Office of Information Technology (OIT) develops and supports this program. The program must include the following elements:

  1. Designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing the information security program. The University’s “Qualified Individual” responsible for the information security program is AU’s Chief Information Security Officer (CISO). The CISO is assisted in fulfilling these responsibilities by the Director of Cyber Policy.
  2. Base the information security program on a risk assessment of the security, confidentiality, and integrity of customer information, and assess the sufficiency of any safeguards in place to control these risks. AU’s information security program follows a risk-based approach: risks are assessed and addressed on a regular basis. Significant components of the program are established in AU’s Information Technology Security Policy.
  3. Design and implement safeguards to control the risks identified in the risk assessment. American University has established the University Data Classification Policy, Gramm-Leach-Bliley Policy, Data Breach Notification Policy and Information Technology Security Policy to direct all relevant offices and employees on standards and requirements for safeguarding data, including “Covered Information” in scope of GLBA. All Covered Offices that are responsible for Covered Information must establish their own practices and procedures for handling Covered Information and document them with the CISO. If additional safeguards are needed to address identified risks, OIT will work with Covered Offices to develop or update them.
  4. Regularly test or otherwise monitor the effectiveness of safeguards. For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Units are responsible for routine monitoring, testing, and assessing the effectiveness of safeguards implemented by them. The Office of Information Technology offers additional monitoring and vulnerability assessment capabilities and can arrange for penetration testing as needed.
  5. Implement policies and procedures for security awareness training. People who have access to GLBA data are required to take GLBA training and information security training at least annually. The Director of Cyber Policy will coordinate with covered offices to support their compliance.
  6. Oversee service providers. Contracts with third parties that involve information technology and include the processing of personal data are reviewed by the Procurement and Contracts Department, the Information Security team, and other relevant parties (e.g. the Office of General Counsel, Risk Management, and the Director of Cyber Policy). AU has established its own Data Protection Agreement for use when a third-party vendor’s agreement is missing or deficient. The review must take place at initiation and renewal of agreements and may also occur in the case of a significant triggering event.
  7. Evaluate and adjust the information security program in light of the results of testing and monitoring. The Office of Information Technology regularly reviews and adjusts the information security program following established governance practices.
  8. Establish an incident response plan. American University has established the Data Breach Notification Policy that requires the implementation of safeguards for Covered Information and encourages reporting of real or suspected data breaches. Additionally, OIT’s Critical Incident Management Process (AU login required) provides an internal process for the assessment and management of critical data incidents.
  9. Require the Qualified Individual to report in writing, regularly and at least annually, to the board of directors or equivalent governing body. The Vice President & Chief Information Officer will provide a written report at least annually to the Board of Trustees on behalf of the Qualified Individual. The report will include: (1) the overall status of the information security program, and (2) material matters related to the program, such as the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses to them, and substantive changes to the information security program.

Privacy Rule

The GLBA Privacy Rule (16 CFR 313) imposes several requirements related to the handling of nonpublic personal information.

For example, financial institutions must issue an initial privacy notice to consumers as soon as they become customers of that financial institution.

Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA).

American University is subject to and complies with the requirements of the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99, as amended).

For information on the University’s compliance with FERPA, visit the following webpage: https://www.american.edu/provost/registrar/ferpa/

Contact us if you are uncertain whether GLBA applies to you, if you have questions about GLBA safeguards, or if you have other GLBA-related questions.