The Gramm-Leach-Bliley Act (GLBA)

Gramm-Leach-Bliley Act, (GLBA) effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held in the possession of financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. In 2021, The Federal Trade Commission (FTC) issued amendments that were approved by its governing agency, the Gramm-Leach-Bliley Act (GLBA); subsequently, these changes updated the compliance requirements for those higher educational institutions with a financial connection to the Title IV Program. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices (employee, student, customer, alumni, doner, etc.), both electronic and physical. Current Compliance Policies will have a direct impact from the changes listed below:

• designate a qualified individual to oversee their information security program,
• develop a written risk assessment,
• limit and monitor who can access sensitive customer information,
• encrypt all sensitive information,
• train security personnel,
• develop an incident response plan,
• periodically assess the security practices of service providers and implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information

These updates to current Compliance Policies at St. John’s University are for certain highly critical and private financial and related information. This Compliance Program applies to customer financial information (covered data) that the University receives in the course of business as required by GLBA as well as other confidential financial information included within its scope.

GLBA Compliance Program

The GLBA Compliance Program covers the entirety of the activities and practices of the following offices and individuals:

• Academic and administrative offices that handle electronic or printed personnel records, financial records, transactional records, or student records.
• Academic and administrative offices that transmit confidential information (protected data) to off-site locations as part of a periodic review or submission requirement.
• Centers and Institutes that provide services and acquire personal or financial information from participants or constituents.
• Faculty serving as directors, coordinators, principal investigators, or program directors for programs collecting protected data.
• Faculty, staff, and administrators with contracts to use, access, or provide protected data to or receive from a non-campus entity (e.g., government databases, science databases).

Categories of Information under the Plan

Information covered under the plan is defined by three categories:

• Personal Identifiable Information (PII) – Also known as protected data, PII includes first and last name, social security number, date of birth, home address, home telephone number, academic performance record, physical description, medical history, disciplinary history, gender, and ethnicity.
• Financial Information – Information that the University has obtained from faculty, staff, students, alumni, auxiliary agencies, and patrons in the process of offering financial aid or conducting a program. Examples include bank and credit card account numbers, and income and credit histories.
• Student Financial Information – Information that the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories.

Key Points

• The Compliance Program is a continuous process that is undertaken at periodic intervals.
• The GLBA Compliance Program Coordinator is responsible for implementing this Compliance Program.
• IT, with the collaboration of HR, develop appropriate training programs to ensure staff is aware of protocols for protecting customer information.
• The Coordinator works with the Office of the General Counsel and Procurement Office and other offices as appropriate to make certain that service provider contracts contain appropriate terms to protect the security of covered data.
• The Coordinator, working with responsible units and offices, monitors, evaluates and adjusts the Compliance Program in light of the results of the risk management process.

Purpose

In order to continue to protect private information and data and to comply with the provisions of the Federal Trade Commission's safeguard rules implementing applicable provisions of the GLBA, the University has adopted this Compliance Program for certain highly critical and private financial and related information. The Compliance Program forms part of the overall strategic information security program of the University. This program applies to customer financial information (covered data) the University receives during business as required by GLBA as well as other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope.

This page describes many of the activities undertaken by the University to maintain the security and privacy of the covered data according to GLBA requirements.

Scope and Applicability

The program is poised to protect private information and data and to comply with the provisions of the Federal Trade Commission's safeguard rules implementing applicable provisions of the GLBA, the University has adopted this Compliance Program for certain highly critical and private financial and related information. The Compliance Program forms part of the overall strategic information security program of the University. This program applies to customer financial information (covered data) the University receives during business as required by GLBA as well as other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope.

Departments Covered Under the GLBA

The following table illustrates the mapping of the departments that fall under the scope of the GLBA Safeguard Rules.

GLBA Safeguard Rules Scope for Title IV Schools

· Student loans (St. John’s loans, bankloans, and federal loans)

· Private Student loans

· Personal Identifiable Information - SSN, Billing Information, Credit Card, Account Balance, Citizenship, Passport Information, Tax Return Information, Bank Account Information, Driver’s License and Date of Birth

· Disbursement of Financial Aid

· Office of Admission

· Office of the Registrar

· International Student Service Office

· The Language Connection

· The School of Law

· Personal Identifiable Information - SSN, Billing Information, Credit Card, Account Balance, Passport Information, Tax Return Information, Bank Account Information, Driver’s License and Date of Birth

· Office of the General Counsel

· Emergency faculty loans

· Emergency staff loans

· Human Resources (HR)

· G5 drawdown of federal funds

· Refunds and T & E payments

· Coordination of Audits

Roles and Responsibilities

This section discusses the main roles and responsibilities required to effectively execute the GLBA Compliance program.

Roles

Responsibilities

Chief Information Officer

· Designates or serves as the GLBA Compliance Plan Coordinator.

· Responsible for systemwide compliance with the GLBA Safeguarding Rule through appropriate communication with and coordination among applicable groups.

· Designates individuals who have the responsibility and authority for information technology resources.

Information Technology Security Office

· Establishes and disseminates enforceable rules regarding access to and acceptable use of information technology resources.

· Establishes reasonable security policies and measures to protect data and systems.

· Monitors and manages system resource usage.

· Investigates problems and alleged violations of University information technology policies and report violations to appropriate University offices such as the Office of the General Counsel and Human Resources Department for resolution or disciplinary action.

Deans, Department Heads and other Managers

· Keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance and ensure that they successful complete the required training.

Employees with access to covered data

· Abide by University policies and procedures governing covered data as well as any additional practices or procedures established by their unit heads or directors.

· Report concerns to their supervisor

Campus Controller

· Assist units with setting risk evaluation schedules and processes as requested.

University Auditors and Cross-department GLBA working team

· Review conformance to the GLBA Compliance Plan as part of routine internal audits.

GLBA Compliance Program Coordinator

The GLBA Compliance Program Coordinator (Coordinator) is responsible for implementing this Compliance Program. The Coordinator is appointed by the Vice President for Business Affairs.

• Works closely with t, the University Registrar, Human Resources, the Office of the General Counsel, the Office of the Bursar, the Office of Student Financial Aid, the Internal Audit Department, and such other offices and units as they have an interface with or control over covered data.
• Consults with responsible offices to identify units and areas of the University with access to covered data. As part of this Compliance Program, the Coordinator has identified units and areas of the University with access to covered data.
• Conducts surveys, or utilizes other reasonable measures, to confirm that all areas with covered information are included within the scope of this Compliance Program. The Coordinator maintains a list of areas and units of the University with access to covered data.
• Ensures that risk assessments and monitoring are carried out for each unit or area that has covered data and that appropriate controls are in place for the identified risks.
• Works to ensure adequate training and education are developed and delivered for all employees with access to covered data.
• Verifies that existing policies, standards, and guidelines that provide for the security of covered data are reviewed and adequate.
• Makes recommendations for revisions to policy, or the development of new policy, as appropriate.
• Updates this Compliance Program, including this and related documents, from time to time.
• Ensures the written security plan is maintained and make the plan available to the University community.

Compliance Program Plan

Compliance means following the laws, regulations, and University policies that govern our everyday activities as members of the University community. This Compliance Program is a continuous process that is evaluated and adjusted in light of the following:

• The results of the required testing/monitoring,
• Any material changes to St. John’s operations or business arrangements
• Any other circumstances that may have a material impact on St. John’s information security program.
• Data Mapping
• Risk Assessment and Implementation of Safeguards
• Access Control
• Encryption
• Awareness, Training, and Education
• Incident Response Plan and Procedures
• Evaluate Service Providers’ Agreements and Processes
• Continuous Program Maintenance
• Defined Policies and Standards

This section highlights the approach taken by the University to ensure compliance with the GLBA requirements.

Defined Policy and Standards

Keeping security risks at a low is St. John’s priority. The university’s structure for maintaining confidentiality with information security ensures that risks of any kind are at a minimum. There is the quality assurance that comprehensive processes are in place for best practices and information protection. The areas are listed below:

• Risk Assessment
  • Third-party Risk Management

  Data Mapping

  Click to Open

  The Compliance Program identifies the flow of the data processed throughout the University to assist in the identification of risks to privacy and security. This activity includes determining:

  • The types of data being processed by the various business units
  • The format of the data processed, and the location of the data being used and stored
  • The purpose of the data being processed

  Risk Assessment and Implementation of Safeguard

  Click to Open
  • Identifies reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information; and
  • Assesses the sufficiency of any safeguards in place to control these risks.
  • The Coordinator works with all relevant departments to carry out comprehensive risk assessments

  Conduct Risk Assessment

  Click to Open

  This process includes system-wide risks as well as risks unique to each area with covered data and the effectiveness of management practices currently in place to ensure compliance and security enhancement. Risk assessments shall include a consideration of risks in each relevant area of operations and cover processes for handling, storing, and disposing of the paper records; processes for detecting, preventing, and responding to security failures; and employee training and management, including the appropriateness and frequency of staff and management security awareness training.

  Design and Implement Safeguards

  As a result of the risk assessment, recommendations are made as necessary to change management practices to improve business controls and/or to implement information safeguards. The University has developed a set of policies and procedures to guide the security and privacy of data covered by GLBA:

  Testing and Monitoring of the Systems

  Click to Open

  St John’s University is diligent in its routine testing and monitoring of its systems, and the safeguards implemented are a result of the risk assessment outcomes.

  Vulnerability Assessment

  Click to Open

  The university ensures vulnerability assessment on systems that transmit, process, or store covered data.

  Access Control

  Click to Open

  Access control is St. John’s University’s ability to maintain, implement, and control its policies, standards, and procedures.

  Encryption

  Click to Open

  To control the integrity and privacy of data that is processed, stored, and transmitted, the University uses industry acceptable and approved encryption algorithms and solutions for access control.

  Data Retention and Disposal

  Click to Open

  St. John’s University is diligent in its data collection, retention, and disposal efforts. The university’s record retention process is in accord with the GBLA. The program:

  • Removes the maintenance of unnecessary documents from the onset of data collection to the end of the retention process.
  • Supports the maintenance of records filing systems to better facilitate retrieval and use
  • Protects most important, up-to-date information while less valueless information is disposed of or transferred to the appropriate secured storage area.
  • Safeguards information essential to St. John’s daily business operations.

  Provide Awareness, Training and Education

  Click to Open

  The following shall guide the training and management of employees:

  • John’s University implements required training programs to ensure staff is aware of protocols for protecting customer information.
  • All training programs or materials incorporate concepts relevant to both electronic and paper-based customer information.
  • Department managers and supervisors keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance.
  • Managers and supervisors ascertain which positions deal with customer information and assess whether these positions should be classified as “critical positions” requiring background checks, as provided for by St. John’s personnel policy.
  • Department managers and supervisors ensure employees complete the mandatory core security training and specific GLBA training as assigned.
  • All University employees that interact with the covered PII data during their daily activities are required to complete the GLBA Compliance training course describing their responsibilities while handling the personally identifiable information (PII).
    • Annual Cybersecurity training
    • Additional PII training requirements
    • Phishing exercises that have been designed and implemented by the IT department (and approval from security governance) to help employees to identify fake emails from authentic ones and not respond to questionable emails or communications
    • Informative campus-wide communications regarding phishing, spear phishing, and other types of spam email
    • Mandatory security training for specific users working with EPHI

    Incident Response Plan and Procedures

    Click to Open

    St. John’s University’s documented and outlined Incident Response Plan and Procedures addresses possible threats that could arise concerning Information Technology, privacy, and cyber incidents. The university’s preparation in planning regarding these threats includes instruction for university employees s to take against potential threats. These steps are listed below:

    1. Formal and detailed documented responses/reports for investigative purposes or for resolving cyber issues
    2. Detection tools that readily identify cyber-attacks or system anomalies
    3. Official tabletop exercises to assist the team with preparing against common and known threates.
    4. Incident Response Tickets that have additional key information related to the incident such as status, impact, assessment, evidence gathered, and the next steps

    Evaluate Service Providers’ Agreements and Processes

    Click to Open

    The University may, from time to time appropriately share covered data with third parties. When third-party business is conducted, however, appropriate risk management activities are in place to minimize any corresponding potential risks. These activities include but are not limited to reputational, financial, operational, strategic, and compliance risks. The decision to engage with third parties must be consistent with the University’s business objectives, and they must be made after careful consideration of the risks involved are contracted for implementing and maintaining such safeguards.

    Program Maintenance

    Click to Open

    The Coordinator, working with responsible units and offices, monitors, evaluates, and adjusts the Compliance Program in light of the results of testing and monitoring of the risks identified as well as in response to any material changes to operations or business arrangements and any other circumstances which may reasonably have an impact on the Compliance Program. This Program document will be reviewed, at a minimum, annually by the CIO and GLBA working committee.

    Contact Information

    Persons who may have questions regarding the security of any of the categories of information that is handled or maintained by or on behalf of the University may contact:

    Anne Rocco Pacione
    Interim Chief Information Officer
    Newman Hall
    8000 Utopia Parkway
    Queens, NY 11439
    Email: [email protected]
    Telephone: 718-990-2000

    The complete Gramm Leach Bliley Information Security Program is available at the CIO’s Office.

    Definitions

    This section highlights some of the key terminologies used under the GLBA.

    Customer Information - means any record containing non-public personal information as defined in 16 CFR 313.3(n), about a faculty, staff, and student of St. John’s, whether in paper, electronic, or other forms, that is handled or maintained by or on behalf of St. John’s or its service providers.

    The following are examples of data elements, but not limited, that fall under customer information, whether they are stored as paper records or electronically:

    • Name
    • Home address
    • Home phone number
    • Date/location of birth
    • Driver’s license number
    • Name of spouse or other relatives
    • Citizenship
    • Bank and credit card number
    • Income and credit histories
    • Social Security numbers
    • Students performance evaluations or letters related to performance
    • Other information within the definition of “customer information

    Non-public personal information - means any personally identifiable financial or other personal information, not otherwise publicly available, that the University has obtained from a customer in the process of offering a financial product or service; such information provided to the University by another financial institution; such information otherwise obtained by the University in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.

    Financial Information - includes student financial aid, student, faculty and staff loans.

    Covered data and information - for this program, this includes non-public personal information of customers required to be protected under GLBA. In addition to this required coverage, the University chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University, whether or not such financial information is covered by GLBA. Covered data and information includes both paper and electronic records

    Service provider - means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to St. John’s that is subject to this part.