GLB Act Resource Page

Print Version

Compliance with the FTC Safeguarding Rule Promulgated Under the Gramm-Leach-Bliley Act

The regulations under 16 CFR Part 314, published in May 2002 (May 23 Federal Register, p. 346484), stem from the Gramm-Leach-Bliley Act (the GLB Act or the Act) mandates extensive new privacy protections for consumers. The GLB Act requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The compliance deadline for the safeguard rule was May 23, 2003.

The GLB Act broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes.

The GLB Act spells out several specific requirements regarding the privacy of customer financial information. Following passage of the Act, NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of FTC because they did not fit the typical definition of a financial institution under the GLB Act. As a result, under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer information.

NACUBO's Advisory Report 2003-01 can provide you with a summary and explanation of the FTC final regulations related to the safeguarding of customer information. Compliance deadline: May 23, 2003

• Model Policy #1: Sample A
• Model Policy #2: Catholic University
• Model Policy #3: University of Minnesota (Draft)
• Model Policy #4: Sample B
• Model Policy #5: Shenandoah University
• Notes from May 8 Meeting with FTC Officials
• Notes from COHEAO meeting with FTC Officials on April 23, 2003
  
  
  

Useful Links

• Catholic University of America, Office of the General Counsel
  
  
• Cornell Information Technology Policies
  
  
• Federal Trade Commission (FTC) pages on GLB:

Financial Privacy: The Gramm-Leach Bliley Act (HTML)
Financial Privacy: The Gramm-Leach Bliley Act (PDF)
Financial Institutions and Customer Data: Complying with the Safeguards Rule

• Federal Reserve Bank GLB Sample Policy see Appendix B and C
  
  
• International Association of Privacy Professionals
  
  
• Internet2 Middleware Initiative 
  
  
• Information Security Risk Evaluation at the CERT Coordination Center at Carnegie Mellon