GLB Safeguards Rule: Overview, Training and Enforcement Considerations NACUA 43rd Annual Conference Peter C. Cassat Margaret O’Donnell
Scope of GLBA Safeguards Rule • The FTC’s Safeguards Rule, promulgated under the GLBA, went into effect on May 23, 2003 and is aimed at ensuring the safeguarding and confidentiality of customer information held in the possession of covered financial institutions. • Unlike the FTC’s earlier GLBA Privacy Rule, the Safeguards Rule contains no exemption for institutions that are subject to FERPA. As a result, educational institutions that engage in financial institution activities, such as processing student loans, are required to comply with the Safeguards Rule.
General Requirements • The Safeguards Rule requires each covered institution to develop, implement, and maintain a “comprehensive information security program” that is “written in one or more readily accessible parts”, and that includes “administrative, technical and physical safeguards” designed to ensure the security and confidentiality of customer records. • The Safeguards Rule expressly recognizes that each institution’s information security program may vary, based on its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.
Comprehensive Written Information Security Program • In order to “develop, implement and maintain” the required written information security program, the Safeguards Rule requires each institution to carry out certain steps: • designate one or more employees to coordinate the program;
Information Security Program Steps, cont. . . . • Identify “reasonably foreseeable” internal and external risks to the security and confidentiality of customer information that could lead to unauthorized disclosure, use, alteration, destruction or other compromise of such information and “assess the sufficiency” of the institution’s safeguards in place to control these risks.
Information Security Program Steps, cont . . . • Such risk assessment must include, at a minimum, risks in areas of operation such as: • employee training and management, • information systems, and • detecting, preventing, and responding to attacks against the institution’s systems;
Security Program Steps, cont. • implement safeguards to manage the identified risks and regularly test or monitor such safeguards; • oversee the institution’s service providers by: • selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and • requiring service providers by contract to implement and maintain such safeguards;
Ongoing Security Steps • The Safeguards Rule requires institutions to evaluate and adjust their security programs in light of the required risk assessment, any material change to institutional business operations, or any other circumstances that may have a material impact on the institution’s information security program.
Practical Considerations • The most difficult challenge under the Safeguards Rule is identifying the scope of information covered. • It may be possible to take the position that the Safeguards Rule applies only to information collected or maintained in connection with the institution’s financial institution activities – i.e., student financial aid related activities. • It may be difficult, however, for institutions to segregate information that is collected in connection with financial institution related activities (such as Social Security numbers) from other information maintained with respect to its student population.
Drafting Issues • The FTC rules expressly recognize that an institution’s information security program may be maintained in one or more documents. Thus, it should be possible to incorporate existing policies and procedures relating to the safeguarding of information and to the proper use of institutional network resources, such as existing acceptable use, information technology security, and student record access policies and procedures.
Risk Management Issues • The Safeguards Rule recognizes that an institution need not make its security program publicly available. However, open records laws may provide access. • Drafts and deliberative documents relating to the creation and implementation of the program should be labeled as attorney client privileged drafts.
Approaches to GLB Compliance NACUA 43rd Annual Conference Tom Schumacher University of Minnesota June 25, 2003
Options for Organizational Mgmt.-Program Leadership • “Designate an employee or employees to coordinate” (§314.4(a)) 1. Centralized Model, single person 2. Decentralized, several “coordinators” 3. Hybrid, central coordinator, designated responsible parties in key units • Designation must be set out in written security plan (§314.3(a)) • Try to integrate with existing responsibilities
Centralized Model • Options for Responsible Office • Chief Information Officer? • Controller? • CFO? • Registrar? • Privacy Officer (if you have one)? • Custodian of Student Records? • Auditor? • IT Security Officer? • Others • Delegate administrative duties as appropriate
Decentralized Model • Designate responsible coordinator in areas with “covered data” • Student Finance Director(s) • One at each campus • IT Office(s) • Collections • Human Resources • Accounting • Collegiate contacts • Athletics • Others • Consider some oversight method
Hybrid Model • Single Central Coordinator • Formally designated contacts in units with “covered data” responsible for carrying out risk assessments and monitoring where required • Communication with leadership from areas with covered data
Coordinator Program Responsibilities • Risk Assessment - § 314.4(b) • Identify/inventory access to covered data • Assess Risk • Internal Controls • “Design and implement safeguards to control the risks you identify” (§ 314.4(c)) • Match these to level of assessed risk
Internal Controls • Program Oversight • Risk Assessment • Roles and Responsibilities • Policies and Procedures • Education, Training & Awareness • Monitoring, Testing, Oversight • Corrective action/Communication • Iterative and continuing process
Example Risk Assessment - for each significant area to evaluate
• Electronic • Access • Storage • Transmission • Destruction
• Print materials • Access • Storage • Transmission • Destruction
• Service Providers
• System Integrity
Example risks to evaluate in each area: employee permitted to access a database without proper authorization; misuse of information by an employee with authorized access; etc.
Example Risk/Internal Controls matrix approach (Area: student financial collections)
Example: Hybrid Model • Coordinator makes sure Risk Assessment and Internal controls for each covered area are in place • For significant areas, conducted by designated contacts • For isolated, conducted by Coordinator • Designated contacts annually provide report to Coordinator • Annual confirmation that risks are current • Coordinator annually reports on risk environment and controls to Compliance and leadership • Identifies problem areas
Identifying and Evaluating Exposures and Risks NACUA 43rd Annual Conference Christopher Holmes Baylor University June 25, 2003
Scope of Risk Assessment “You shall...identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.” 16 CFR §314.4 (b).
Areas to Include • Employee training and management; • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and • Detecting, preventing and responding to attacks, intrusions, or other systems failures.
Steps to Risk Assessment • Meet with all business owners facing the risks and discuss their experiences • Prepare a list that encompasses the risks (both internal and external) they observe • Determine whether current steps are sufficient in controlling the risks • Discuss additional reasonable steps that could be taken to increase security
List of Potential Risks • Compromise of system security (e.g., hacker) • Interception of data during transmission • Physical loss of data due to disaster • Corruption of data or systems • Unauthorized access by employees • Unauthorized requests for data (e.g., pretext calling) • Unauthorized transfer of data by third parties
FTC Suggestions: Employee Management and Training • Check references prior to hiring employees who will have access to cdi • Employees sign confidentiality agreement • Train employees to take basic steps (passwords, pretext calling, etc.) • Regular reminders of policy and legal requirement to keep cdi confidential • Limit access to those employees with a business reason for seeing it
FTC Suggestions: Information Systems • Store records in a secure area • Provide for secure data transmission (use of SSL, password protect email accounts, etc.) • Dispose of customer information in secure manner • Inventory computers on network systems
FTC Suggestions: Managing Systems Failures • Develop a written contingency plan to address breaches • Maintain software and hardware (security patches, anti-virus software, etc.) • Backups of all cdi • Configure systems to ensure that access to cdi is granted only to appropriate users • Notify customers promptly if cdi is disclosed
Review and Assessment of Plan GLB requires continued evaluation and adjustment of the safeguards program in light of relevant circumstances. Periodically review changes in the university’s operations or business arrangements or the results of testing and monitoring of enacted safeguards.
“Service Provider” Rules Under the Gramm-Leach-Bliley Act 2003 NACUA National Conference June 25, 2003 Gregory C. Brown Associate General Counsel Office of the General Counsel University of Minnesota
Overview of Presentation Review the FTC Safeguard Rule on the oversight, selection and retention of service providers and mandatory contract provisions. Discuss ways, by contract, to protect Universities once security has been breached or customer information has been lost, misused or altered.
Who is a “Service Provider”? “Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution . . . .” FTC Safeguard Rule, § 314.2(d), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .
Duty to Oversee Service Providers Institutions must take “reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information . . . .” FTC Safeguard Rule, § 314.4(d)(1), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .
Duty to Oversee Service Providers Each institution is expected to “take reasonable steps to assure itself that its current and potential service providers maintain sufficient procedures to detect and respond to security breaches . . . .” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).
Duty to Oversee Service Providers Each institution is expected to “maintain reasonable procedures to discover and respond to widely-known security failures by its current and potential service providers.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002) (emphasis added).
Duty to Oversee Service Providers The FTC did not mandate any specific reviews or steps an institution must take to comply. Institutions need not undertake “unlimited evaluation(s) of their service providers’ capabilities.” FTC Safeguard Rule, § C, 67 Fed. Reg. 36,484, 36,490 (May 23, 2002). Review will depend on the “circumstances and the relationship” between the institution and the service provider. Id.
Mandatory Contract Provisions Each contract entered into after June 24, 2002, must require the service provider “to implement and maintain such safeguards.” FTC Safeguard Rule, §§314.4(d)(2) and 314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) . A contract in place before that date need not include the mandatory provision until May 24, 2004. FTC Safeguard Rule, §314.5(b), 67 Fed. Reg. 36,484, 36,494 (May 23, 2002) .
Mandatory Contract Provisions So as to give institutions flexibility, the FTC did not mandate particular contract language.
Mandatory Contract Provisions • Sample clause: • “Throughout the term of this Agreement, Service Provider shall implement and maintain ‘appropriate safeguards,’ as that term is used in § 314.4(d) of the FTC Safeguard Rule, 16 C.F.R. § 314 (the ‘FTC Rule’), for all ‘customer information,’ as that term is defined in §314.2(b) of the FTC Rule, owned by the University and delivered to Service Provider pursuant to this Agreement.
Mandatory Contract Provisions Sample Clause cont’d: “Service Provider shall promptly notify the University, in writing, of each instance of (i) unauthorized access to or use of that customer information that could result in substantial harm or inconvenience to a customer of the University or (ii) unauthorized disclosure, misuse, alteration, destruction or other compromise of that customer information. Within 30 days of the termination or expiration of this Agreement, Service Provider shall destroy and shall cause each of its agents to destroy all records, electronic or otherwise, in its or its agent’s possession that contain such customer information and shall deliver to the University a written certification of the destruction.”
Mandatory Contract Provisions FTC Safeguard Rule is silent as to the penalty for institution entering into or maintaining a contract with a service provider that does not comply.
Additional Contract Terms Right to on-site audit of Service Provider’s security program. Right to terminate if Service Provider has allowed a material breach of its security program, if Service Provider has lost or materially altered customer information, or if the University reasonably determines that Service Provider’s program is inadequate.
Additional Contract Terms Service Provider to indemnify and defend the University for security breaches, violations of GLB caused by Service Provider’s negligence, and loss or material alteration of customer information. Service Provider to reimburse the University for its direct damages (e.g., costs to reconstruct lost or altered information) resulting from the security breach, loss, or alteration of customer information.
Conclusion GLB is another step on the ever-lengthening road to the land of perfect privacy. The FTC Safeguard Rule should be seen as part of an institution’s comprehensive privacy policy. Institutions need to address the protection of (meaning here access to) information already in the “hands” of both current and past service providers.
What is Required for Training under GLB Safeguards Rule • Training should be very simple. • You don't even need to mention GLB.
What Points to Include in Training • Both physical and computer records must be protected • Do not give anyone else your password or ask anyone for theirs • Encrypt sensitive customer information when transmitted over networks. Conversely, do not ask customers to send data such as credit card # or SSN over non-encrypted networks. • Refer calls or requests for customer information to employees who have had safeguard training • Beware "social engineering" (pretext calling) • Identify where at the university to report fraudulent attempts to obtain customer information or questionable data access (might be Internal Auditor for financial records, Registrar for Student Records, other to Information Security Coordinator)
Who to Train • Depends on Specifics of your Information Security Plan • Narrow v. Broad Approach • Broad = Anyone who has access to student records, either paper or online • If your plan also covers credit card information, anyone who has access to credit card information (CUA taking this approach) • Narrow = only those offices with access to student financial data, or offices who engage in covered financial transactions, e.g. extending a loan for credit, gift annuity agreements, etc. (Georgetown taking this approach)
How to Train • By video (see online video at http://counsel.cua.edu/glb/publications/) • By brochures (online by end of summer at above site) • In person in small groups for those who have managerial responsibilities in covered areas
Enforcement and 3rd Party Lawsuits • No private right of action under GLB • Plaintiff could bring case based on negligence • Not much (if any) case law on negligent release of information such as SSN or credit card